[Openstack-operators] Help on Iptables in Openstack
Jesse Pretorius
jesse.pretorius at gmail.com
Tue Apr 1 07:14:41 UTC 2014
On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:
> Thank you for response. I tried adding security-groups from dashboard, but
> it doesn't help. I was trying to spoof a VM instance with spoof source MAC
> and spoof source IP, but the packet is not reaching br-int. If I give
> proper source MAC and proper source IP, the packet reaches br-int and
> things work normal. I observed Openstack stops spoof packets which are
> not originating from VM instance before reaching br-int (at tap interface).
>
In this case applying security groups won't help at all. Both MAC and IP
Spoofing protection is enabled on the hypervisor level by libvirt as part
of the instance instantiation. More details here:
http://libvirt.org/firewall.html
> I need help to send a spoof packet from VM. Is there any way to disable
> iptable rules.
>
There is, but it's global for that compute host - the templates that apply
the network filters to protect against spoofing need to be removed.
> Also adding security group rules using command line and using dash-board
> are they same?
>
Yes - almost. I don't know if Horizon's interface to security groups is
still going through the nova api in Icehouse. If it is, the application of
the rules is only ingress whereas through the neutron CLI you're able to
define ingress and egress rules. On the CLI you're also able to be more
granular in the application of your rules/groups.
From a use-case standpoint it may be interesting to understand why you need
to allow spoofing - if you don't mind, can you describe the purpose? We may
be able to help you find an alternative method.
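Since the reply above points out that the anti-spoofing protection is attached to each tap interface by libvirt's nwfilter at instantiation (and that removing the templates is a host-wide change), an operator who has touched those templates will want to verify what each instance still inherits. The following Python audit is an added example, not code from this thread, from nova or from libvirt. It resolves the `<filterref>` chain of every interface in a `virsh dumpxml` document against the `virsh nwfilter-dumpxml` output of each filter and reports which of libvirt's stock anti-spoofing filters an interface no longer reaches. The stock filter names (`no-mac-spoofing`, `no-ip-spoofing`, `no-arp-spoofing`, `allow-dhcp-server`) are libvirt's; the `nova-base` / `nova-instance-*` names, the abbreviated filter bodies and the domain XML are constructed assumptions for the sample.

```python
"""Audit which libvirt anti-spoofing nwfilters each VM interface inherits."""
import xml.etree.ElementTree as ET

# Stock libvirt anti-spoofing filters (see http://libvirt.org/firewall.html).
ANTI_SPOOF = {"no-mac-spoofing", "no-ip-spoofing", "no-arp-spoofing"}

# Constructed sample of `virsh nwfilter-dumpxml <name>` output, one entry per
# filter on the host. Rule bodies are abbreviated; the nova-base and
# nova-instance-* names are assumptions about nova's naming convention.
FILTERS_XML = {
    "no-mac-spoofing": "<filter name='no-mac-spoofing' chain='mac'/>",
    "no-ip-spoofing": "<filter name='no-ip-spoofing' chain='ipv4-ip'/>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing' chain='arp'/>",
    "allow-dhcp-server": "<filter name='allow-dhcp-server' chain='ipv4'/>",
    "nova-base": (
        "<filter name='nova-base' chain='root'>"
        "<filterref filter='no-mac-spoofing'/>"
        "<filterref filter='no-ip-spoofing'/>"
        "<filterref filter='no-arp-spoofing'/>"
        "<filterref filter='allow-dhcp-server'/>"
        "</filter>"
    ),
    # A host where the MAC-spoofing template was removed host-wide.
    "nova-base-stripped": (
        "<filter name='nova-base-stripped' chain='root'>"
        "<filterref filter='no-ip-spoofing'/>"
        "<filterref filter='no-arp-spoofing'/>"
        "</filter>"
    ),
    "nova-instance-instance-00000001": (
        "<filter name='nova-instance-instance-00000001' chain='root'>"
        "<filterref filter='nova-base'/></filter>"
    ),
    "nova-instance-instance-00000002": (
        "<filter name='nova-instance-instance-00000002' chain='root'>"
        "<filterref filter='nova-base-stripped'/></filter>"
    ),
}

# Constructed `virsh dumpxml` excerpt: three tap interfaces, the last one
# carrying no <filterref> at all.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <target dev='tap0000001'/>
      <filterref filter='nova-instance-instance-00000001'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <target dev='tap0000002'/>
      <filterref filter='nova-instance-instance-00000002'/>
    </interface>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:03'/>
      <target dev='tap0000003'/>
    </interface>
  </devices>
</domain>"""


def referenced_filters(filter_xml):
    """Return the filter names a filter directly references via <filterref>."""
    return [ref.get("filter") for ref in ET.fromstring(filter_xml).iter("filterref")]


def effective_filters(name, filters_xml, seen=None):
    """Transitively resolve the filterref chain starting at `name`.

    Names not defined on the host are kept in the result so the audit can
    surface dangling references; `seen` guards against reference cycles.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    xml_text = filters_xml.get(name)
    if xml_text is not None:
        for child in referenced_filters(xml_text):
            effective_filters(child, filters_xml, seen)
    return seen


def audit_domain(domain_xml, filters_xml):
    """Map each tap device to the sorted anti-spoofing filters it lacks."""
    report = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        tap = iface.find("target").get("dev")
        ref = iface.find("filterref")
        if ref is None:  # no filter at all: every protection is missing
            report[tap] = sorted(ANTI_SPOOF)
            continue
        reached = effective_filters(ref.get("filter"), filters_xml)
        report[tap] = sorted(ANTI_SPOOF - reached)
    return report


if __name__ == "__main__":
    for tap, missing in audit_domain(DOMAIN_XML, FILTERS_XML).items():
        print(tap, "OK" if not missing else "MISSING " + ", ".join(missing))
```

On a real compute host the two constructed inputs would be replaced by the output of `virsh dumpxml <domain>` and `virsh nwfilter-dumpxml <name>` for each filter listed by `virsh nwfilter-list`; an interface that reports anything other than OK is one where the thread's "tap interface" protection is no longer in effect.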