[Openstack-operators] Help on Iptables in Openstack

shiva m anjaneya2 at gmail.com
Mon Apr 14 15:47:50 UTC 2014


I have figured  some  way to  allow  ip  spoofing  by using Q_USE_SECGROUP
= false and changing nova-base.xml  file.  But I am  still struggling to
send spoof packets  to my router  VM. I  see my packet  is getting blocked
at qbr bridge  between OVS and  VM. Could you please help me, how do I
prevent these  ebtable  rules at  qbr bridge to get  applied to my packets
or how do i stop  these  ebtables applied  at qbr (bridge).


On Tue, Apr 1, 2014 at 3:42 PM, shiva m <anjaneya2 at gmail.com> wrote:

> Hi,
> Thank you for  response.  I am running routing application on one  of my
> VM,  I have 3  VMs and my routing application is running on VM2. If I ping
> VM1 to VM3, I want my application to capture the packet and do some
> analysis like  what kind of packet?is it secure?  and just forward it  to
> VM3 without any modifications. I started with simple test case to implement
> a router application but I stuck with anti-spoofing  mechanism of
> openstack. I understand libvirt apply anti-spoofing security and I am
> trying 'virsh nwfilter' comands to change filter rules. You have mentioned
> that it is  possible to disable iptable  rules globally for compute host,
> can you please help me how can I disable iptables globally? and what
> services needs to be re-started?. Can anyone  please outline me  the  steps
> required to allow spoofing?
> Looking forward for your reply.
> Thanks,
> Shiva
> On Tue, Apr 1, 2014 at 12:44 PM, Jesse Pretorius <
> jesse.pretorius at gmail.com> wrote:
>> On 1 April 2014 08:04, shiva m <anjaneya2 at gmail.com> wrote:
>>> Thank you for response. I tried adding security-groups from dashboard,
>>> but it doesnt help. I was trying to spoof a VM instance with  spoof source
>>> MAC and spoof  source IP, but the  packet is  not reaching br-int. If I
>>> give  proper source MAC  and proper source  IP, the packet reaches br-int
>>> and  things work normal. I observed  Openstack stops spoof packets which
>>> are  not originating from VM instance before reaching br-int (at tap
>>> interface).
>> In this case applying security groups won't help at all. Both MAC and IP
>> Spoofing protection is enabled on the hypervisor level by libvirt as part
>> of the instance instantiation. More details here:
>> http://libvirt.org/firewall.html
>>> I need help to send a spoof packet from VM. Is there any way to disable
>>> iptable rules.
>> There is, but it's global for that compute host - the templates that
>> apply the network filters to protect against spoofing need to be removed.
>>>  Also adding security group rules using command line and using
>>> dash-board are they same?
>> Yes - almost. I don't know if Horizon's interface to security groups is
>> still going through the nova api in Icehouse. If it is, the application of
>> the rules is only ingress whereas through the neutron CLI you're able to
>> define ingress and egress rules. On the CLU you're also able to be more
>> granular in the application of your rules/groups.
>> From a use-case standpoint it may be interesting to understand why you
>> need to allow spoofing - if you don't mind, can you describe the purpose?
>> We may be able to help you find an alternative method.
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20140414/80c5013b/attachment.html>

More information about the OpenStack-operators mailing list