[Openstack] [Neutron] Security groups issue when running latest libvirt?

Simon Pasquier simon.pasquier at bull.net
Tue Nov 5 13:57:58 UTC 2013


Hi all,

I'm struggling with security groups on Havana with Neutron and OVS 
plugin (GRE tunnels). No problem to create/delete security group rules 
but even though iptables configuration is updated, traffic to my 
instances is never filtered [0].

I'm running DevStack on 2 nodes (1 controller + 1 compute):
- OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
- Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
- libvirt package version: 1.1.1-0ubuntu8~cloud2
- localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files 
pasted at [1] (I didn't modify any of these files after the DevStack run)

According to [2], [3] and [4], iptables is not compatible with TAP 
devices connected directly to Open vSwitch ports, this is why there used 
to be the additional veth + bridge interfaces [5]. But in my setup, this 
is not the case anymore as shown in [6] ('ovs-vsctl show' + 
'iptables-save' output). I've also pasted the libvirt XML configuration 
[7] that shows that the instance is directly connected to the Open vSwitch.

Are the security groups supposed to work when the instance is directly 
connected to OVS? If yes, what am I doing wrong?

Regards,

[0] http://paste.openstack.org/show/50490/
[1] http://paste.openstack.org/show/50448/
[2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
[3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
[4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
[5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
[6] http://paste.openstack.org/show/50486/
[7] http://paste.openstack.org/show/50487/
-- 
Simon Pasquier
Software Engineer
Bull, Architect of an Open World
Phone: + 33 4 76 29 71 49
http://www.bull.com
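The question above hinges on one thing that is visible in the libvirt domain XML: whether each guest interface is plugged straight into an Open vSwitch bridge (where the iptables rules written by the security-group driver never see the packets) or into an intermediate Linux bridge with a veth pair to OVS (the layout in [5], where iptables can filter). The following checker is an added example and is not part of the post or of Neutron or Nova code. It parses domain XML and reports, per interface, which layout it finds. The two XML documents are constructed samples, not the poster's pastes; the assumption that hybrid Linux bridges are named with a `qbr` prefix is Neutron's convention and is marked in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the pasted XML from the post): the guest TAP is
# attached directly to the OVS integration bridge via a virtualport element.
DIRECT_OVS_XML = """
<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:01'/>
      <source bridge='br-int'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='11111111-2222-3333-4444-555555555555'/>
      </virtualport>
      <target dev='tap11111111-22'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

# Constructed sample: the hybrid layout, where the TAP sits on a Linux bridge
# and a veth pair carries traffic on to OVS, so iptables can see the frames.
HYBRID_XML = """
<domain type='kvm'>
  <name>instance-00000002</name>
  <devices>
    <interface type='bridge'>
      <mac address='fa:16:3e:00:00:02'/>
      <source bridge='qbr22222222-33'/>
      <target dev='tap22222222-33'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

# Assumption: Neutron names its per-port hybrid Linux bridges 'qbr<port-id prefix>'.
HYBRID_BRIDGE_PREFIX = "qbr"


def classify_interfaces(domain_xml):
    """Return one dict per <interface> describing how the TAP is plugged.

    verdict values:
      'ovs-direct'         TAP is an OVS port; iptables-based security groups
                           cannot filter this traffic.
      'linuxbridge-hybrid' TAP is on a qbr Linux bridge; iptables can filter.
      'unknown'            some other wiring; inspect by hand.
    """
    root = ET.fromstring(domain_xml)
    results = []
    for iface in root.findall("./devices/interface"):
        itype = iface.get("type")
        src = iface.find("source")
        bridge = src.get("bridge") if src is not None else None
        vport = iface.find("virtualport")
        vport_type = vport.get("type") if vport is not None else None
        tgt = iface.find("target")
        dev = tgt.get("dev") if tgt is not None else None

        if itype == "bridge" and vport_type == "openvswitch":
            verdict = "ovs-direct"
        elif itype == "bridge" and bridge and bridge.startswith(HYBRID_BRIDGE_PREFIX):
            verdict = "linuxbridge-hybrid"
        else:
            verdict = "unknown"

        results.append({
            "dev": dev,
            "bridge": bridge,
            "verdict": verdict,
            "iptables_can_filter": verdict == "linuxbridge-hybrid",
        })
    return results


def report(domain_xml):
    """Human-readable summary of classify_interfaces()."""
    lines = []
    for r in classify_interfaces(domain_xml):
        lines.append("%s on %s: %s (iptables filtering possible: %s)"
                     % (r["dev"], r["bridge"], r["verdict"], r["iptables_can_filter"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real compute node, feed it the output of 'virsh dumpxml <instance>'.
    print(report(DIRECT_OVS_XML))
    print(report(HYBRID_XML))
```

On a compute node the input would be `virsh dumpxml instance-XXXXXXXX` rather than the embedded samples; an `ovs-direct` verdict for a port that also has security-group rules in `iptables-save` is exactly the mismatch the post describes, since the rules exist but no packet path traverses them.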