[Openstack] Security Group of Quantum ovs plugin (Folsom) is not working

Chandler Li lichandler116 at gmail.com
Mon Jun 17 02:38:23 UTC 2013


Hi,
I checked the compute node's iptables rules and found out that
nova-compute-inst-xxx has no traffic flow.
The traffic flow stopped at the nova-filter-top chain rule, so the security group
is not working.
Any idea how to resolve this problem?

Thanks,
Chandler

[root at compute1 ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
 pkts bytes target     prot opt in     out     source               destination
  369  117K nova-compute-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5900

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
  437  233K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  396  216K nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-inst-767 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       30.0.0.2             0.0.0.0/0           udp spt:67 dpt:68
    0     0 ACCEPT     all  --  *      *       30.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0            30.0.0.5

Chain nova-compute-provider (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-sg-fallback (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
  396  216K nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0



2013/6/14 Chandler Li <lichandler116 at gmail.com>

> Hello,
>
> I'm trying to use the security group feature of the Quantum ovs plugin (Folsom) on CentOS
> 6.3 (2012.2.3-1.el6 at epel).
>
> Everything looks good except the security group,
>
> and there are no error messages in the /var/log/nova/compute.log file.
>
> After I created a VM, I can see that the bridges and interfaces have been created
> normally.
>
>      [root at compute1 ~]# brctl show
>      bridge name     bridge id               STP enabled     interfaces
>      br-int          0000.3eca2e714b4d       no              qvo756ead5d-32
>      br-tun          0000.824651aab541       no
>      qbr756ead5d-32  0000.ca57ea41484c       no              qvb756ead5d-32
>                                                              vnet0
>
> The chain rules in the filter table of iptables reflect the security group
> rules correctly too.
>
>      Chain nova-compute-inst-749 (1 references)
>      num  target     prot opt source               destination
>      1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
>      2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>      3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
>      4    ACCEPT     udp  --  10.0.0.2             0.0.0.0/0           udp spt:67 dpt:68
>      5    ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
>      6    nova-compute-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0
>
> Obviously, the packets do not follow these rules correctly.
>
> Please advise me how to resolve this problem.
>
> Thanks a lot,
> Chandler
>
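An added diagnostic, not from the thread or from nova, that does mechanically what the post does by eye: it parses `iptables -L -v -n` counters and follows the nova chain jumps from a built-in hook chain to the per-instance chain, reporting the first jump whose packet counter is still zero. `SAMPLE` is a constructed excerpt of the output in the post with wrapped lines rejoined, and the function names are assumptions.

```python
# Constructed sample: the chains that matter, taken from the post's `iptables -L -v -n` output with wrapped lines rejoined.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
  437  233K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain nova-compute-inst-767 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain nova-compute-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0            30.0.0.5
Chain nova-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
  396  216K nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
MULT = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates large counters unless -x is given

def parse_iptables(text):
    """Map chain name -> list of (pkts, target, destination), one tuple per rule."""
    chains, cur = {}, None
    for line in text.splitlines():
        p = line.split()
        if p[:1] == ["Chain"]:
            cur = chains.setdefault(p[1], [])
        elif cur is not None and len(p) >= 9 and p[0] != "pkts":
            pkts = int(p[0][:-1]) * MULT[p[0][-1]] if p[0][-1] in MULT else int(p[0])
            cur.append((pkts, p[2], p[8]))
    return chains

def trace(chains, start, goal, path=()):
    """Depth-first search for the jump path start -> ... -> goal via user-defined chains."""
    for pkts, target, dst in chains.get(start, []):
        if target not in chains or any(h[0] == target for h in path):
            continue  # terminal target (ACCEPT/DROP/...) or a chain already on the path
        hop = path + ((start, target, pkts, dst),)
        if target == goal:
            return list(hop)
        found = trace(chains, target, goal, hop)
        if found:
            return found
    return None

def first_dead_hop(path):
    """First jump on the path with a zero packet counter: traffic never gets past it."""
    return next((h for h in path if h[2] == 0), None)
```

On the sample, the OUTPUT path dies at the `nova-compute-local -> nova-compute-inst-767` jump, whose only match is destination 30.0.0.5, while the FORWARD path dies at its very first hop because the FORWARD chain has seen no packets at all.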