[Openstack-operators] Small openstack

Kris G. Lindgren klindgren at godaddy.com
Sat Jan 10 01:10:29 UTC 2015


From past experience you can not have both nova and neutron security
groups enabled at the same time.

If you use nova security groups - then I believe they have the appropriate
stuff in place to prevent the arp spoofing and other associated stuff.
However - if you want the ability to apply egress filtering and something
else (it's been a while) then you need to use neutron security groups.  If
you use neutron security groups - you must disable the nova security

I am trying to remember the exact issue, but I remember what effectively
happened is you could cause a condition in which no security groups were
being enforced. I think this was because of the order of rules being
applied in iptables itself - if a service was restarted (nova-compute or
the neutron-openvswitch-agent) it would insert its own rules at the top of
the chain ahead of the other service - which actually had the filtering
rules. Which would result in no filtering actually taking place.

If someone has this working and I am wrong on this - please let me know
what your working configuration is.

Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.
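An added check for the double-ownership condition described above (example code, not from this thread or either project): it parses `iptables-save` output and flags a compute node where both nova-compute-* and neutron-openvswi-* chains are hooked into FORWARD, reporting which agent's rules are evaluated first. The iptables-save excerpt is constructed sample data; the two chain prefixes are the ones the respective agents use.

```python
import re

# Constructed iptables-save excerpt (not captured from a real host): a compute
# node where both nova-compute and the neutron OVS agent have hooked their
# own chain into FORWARD. The nova-compute-* and neutron-openvswi-* prefixes
# are the agents' real chain prefixes; the rule bodies are sample data.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:nova-compute-FORWARD - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-sg-chain - [0:0]
-A FORWARD -j nova-compute-FORWARD
-A FORWARD -j neutron-openvswi-FORWARD
-A nova-compute-FORWARD -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapdeadbeef-00 --physdev-is-bridged -j neutron-openvswi-sg-chain
COMMIT
"""

# Chain prefix -> agent that owns it.
SG_OWNERS = {"nova-compute-": "nova", "neutron-openvswi-": "neutron"}

def forward_jumps(dump):
    """Targets of FORWARD jumps, in the order packets traverse them."""
    jumps = []
    for line in dump.splitlines():
        m = re.match(r"-A FORWARD\b.*\s-j\s+(\S+)\s*$", line)
        if m:
            jumps.append(m.group(1))
    return jumps

def sg_agents_in_forward(dump):
    """Security-group agents wired into FORWARD, first hit first."""
    agents = []
    for target in forward_jumps(dump):
        for prefix, owner in SG_OWNERS.items():
            if target.startswith(prefix) and owner not in agents:
                agents.append(owner)
    return agents

def check_single_sg_owner(dump):
    """Return (ok, message); ok is False when two agents both hook FORWARD."""
    agents = sg_agents_in_forward(dump)
    if len(agents) > 1:
        return False, ("%s and %s both hook FORWARD; %s is evaluated first"
                       % (agents[0], agents[1], agents[0]))
    if not agents:
        return False, "no security-group chain hooked into FORWARD"
    return True, "FORWARD owned by %s only" % agents[0]

if __name__ == "__main__":
    print(check_single_sg_owner(SAMPLE_IPTABLES_SAVE)[1])
```

On a real compute node, feed it the output of `iptables-save` instead of the constructed sample.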

On 1/9/15, 5:26 PM, "George Shuklin" <george.shuklin at gmail.com> wrote:

>On 01/09/2015 09:25 PM, Kris G. Lindgren wrote:
>> Also, If you are running this configuration you should be aware of the
>> following bug:
>> https://bugs.launchpad.net/neutron/+bug/1274034
>> And the corresponding fix: https://review.openstack.org/#/c/141130/
>> Basically - Neutron security group rules do nothing to protect against
>> spoofing/poisoning from VMs.  So it's possible under a shared network
>> configuration for a VM to ARP for another VM's IP address and
>> knock that VM offline.  The above commit - which is still a WIP adds
>> ebtables rules to allow neutron to filter protocols other than IP (eg
>Thank you!
>I have just finished playing with private networks (as external networks) and
>started tuning the internet network. And I saw something strange when I was
>doing a pentest from one of the instances. I'm going to check each thing
>from the list in the bug description.
>But I thought that security groups, antispoofing and other things are

More information about the OpenStack-operators mailing list