[Openstack-operators] Security group rules not working on instances kilo

Kris G. Lindgren klindgren at godaddy.com
Fri Apr 22 00:25:38 UTC 2016


Make sure that the bridges are being created (1 bridge per vm) they should be named close to the vm tap device name.  Then make sure that you have bridge nf-call-* files enabled:

http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

Under hybrid mode what happens is a linux bridge (not an ovs bridge (brctl)) is created per vm.  The vm's tap device is plugged into this bridge.  A veth is created that spans from the vm's linux bridge to br-int and is plugged at both ends.  This is done because older versions of OVS did not have support (or efficient support) for doing firewalling.  The problem is that in the kernel, packets traversing the Openvswitch code paths are unable to be hooked into by netfilter.  So the linux bridge is created solely to allow the VM traffic to pass through a netfilter hookable location, so security groups work.

You need at a minimum to make sure /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.  If it's not, then when you look at the iptables rules that are created – you will see that none of the security group chains are seeing traffic.
___________________________________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy
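Two checks for the hybrid-mode plumbing described above, as an added example that is not part of the original thread: one reads the bridge-nf-call-iptables knob, the other finds security-group chains whose counters never move. The sysctl directory default, the chain prefix neutron-openvswi- and the sample iptables output are assumptions and constructed data, not taken from the poster's hosts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. The sysctl path, the
# chain prefix and SAMPLE_IPTABLES are assumptions / constructed input.

# Exit 0 only if bridge-nf-call-iptables under $1 (default: the real sysctl
# directory) reads 1; a missing file usually means br_netfilter is not loaded.
check_bridge_nf_call() {
    f="${1:-/proc/sys/net/bridge}/bridge-nf-call-iptables"
    if [ ! -r "$f" ]; then
        echo "MISSING  $f (br_netfilter not loaded?)"; return 1
    elif [ "$(cat "$f")" != 1 ]; then
        echo "DISABLED $f"; return 1
    fi
    echo "ok       $f"
}

# Read `iptables -L -v -n -x` output on stdin and print every chain whose name
# starts with $1 (default neutron-openvswi-) and whose rules saw zero packets
# in total. Idle per-port chains while INPUT/FORWARD keep counting means the
# bridged VM traffic is bypassing netfilter, the symptom described above.
idle_chains() {
    prefix=${1:-neutron-openvswi-}
    awk -v p="$prefix" '
        $1 == "Chain" { chain = (index($2, p) == 1) ? $2 : ""; if (chain != "") pkts[chain] += 0; next }
        chain != "" && $1 ~ /^[0-9]+$/ { pkts[chain] += $1 }
        END { for (c in pkts) if (pkts[c] == 0) print c }
    ' | sort
}

# Constructed sample: host traffic is counted, the security-group chains are idle.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    5120   409600 neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-sg-chain (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-i1a2b3c4d  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap1a2b3c4d-e5 --physdev-is-bridged
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-i1a2b3c4d (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID'

# Usage on a compute node: check_bridge_nf_call && iptables -L -v -n -x | idle_chains
# Offline: printf "%s\n" "$SAMPLE_IPTABLES" | idle_chains
```

On a real node, feed `iptables -L -v -n -x` into `idle_chains` after generating some traffic to the instance; if every per-port chain stays at zero while the knob also reads 0, the sysctl is the cause.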

From: raju <raju.roks at gmail.com>
Date: Thursday, April 21, 2016 at 5:26 PM
To: "openstack-operators at lists.openstack.org" <openstack-operators at lists.openstack.org>
Subject: [Openstack-operators] Security group rules not working on instances kilo

Hi,

I am running into an issue where security group rules are not applying to instances. When I create a new security group with default rules, it should reject all incoming traffic, but it is allowing everything without blocking.

here is my config for nova :

security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver

and in ml2.con.ini

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

iptables service is running on all the nodes, please suggest if I missed anything.


Thanks.