openstack team mailing list archive - Message #24422
Re: Security Group of Quantum ovs plugin (Folsom) is not working
Hi,
I checked the compute node's iptables rules and found out that the
nova-compute-inst-xxx chain has no traffic flow.
The traffic flow stopped at the nova-filter-top chain rule, so the security group
is not working.
Any idea how to resolve this problem?
Thanks,
Chandler
[root@compute1 ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
 pkts bytes target                prot opt in     out     source               destination
  369  117K nova-compute-INPUT    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT                tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT                udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT                tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    0     0 nova-filter-top       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
    0     0 ACCEPT                all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT                all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT                all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT                all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
 pkts bytes target                prot opt in     out     source               destination
  437  233K nova-filter-top       all  --  *      *       0.0.0.0/0            0.0.0.0/0
  396  216K nova-compute-OUTPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-FORWARD (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain nova-compute-INPUT (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain nova-compute-OUTPUT (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain nova-compute-inst-767 (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 DROP                  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT                all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                udp  --  *      *       30.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT                all  --  *      *       30.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT                icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-sg-fallback all -- *     *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-local (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 nova-compute-inst-767 all  --  *      *       0.0.0.0/0            30.0.0.5

Chain nova-compute-provider (1 references)
 pkts bytes target                prot opt in     out     source               destination

Chain nova-compute-sg-fallback (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 DROP                  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
 pkts bytes target                prot opt in     out     source               destination
  396  216K nova-compute-local    all  --  *      *       0.0.0.0/0            0.0.0.0/0
2013/6/14 Chandler Li <lichandler116@xxxxxxxxx>
> Hello,
>
> I'm trying to use the security group of the Quantum ovs plugin (Folsom) on CentOS
> 6.3 (2012.2.3-1.el6@epel).
>
> Everything looks good, except the security group,
>
> and there are no error messages in the /var/log/nova/compute.log file.
>
> After I created a VM, I can see that the bridges and interfaces have been created
> normally.
>
> [root@compute1 ~]# brctl show
> bridge name bridge id STP enabled interfaces
> br-int 0000.3eca2e714b4d no qvo756ead5d-32
> br-tun 0000.824651aab541 no
> qbr756ead5d-32 0000.ca57ea41484c no
> qvb756ead5d-32
> vnet0
>
> The chain rules in the filter table of iptables reflect the security group
> rules correctly too.
>
> Chain nova-compute-inst-749 (1 references)
> num  target                   prot opt source      destination
> 1    DROP                     all  --  0.0.0.0/0   0.0.0.0/0   state INVALID
> 2    ACCEPT                   all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
> 3    nova-compute-provider    all  --  0.0.0.0/0   0.0.0.0/0
> 4    ACCEPT                   udp  --  10.0.0.2    0.0.0.0/0   udp spt:67 dpt:68
> 5    ACCEPT                   all  --  10.0.0.0/24 0.0.0.0/0
> 6    nova-compute-sg-fallback all  --  0.0.0.0/0   0.0.0.0/0
>
> Obviously, the packets do not follow these rules correctly.
>
> Please advise me how to resolve this problem.
>
> Thanks a lot,
> Chandler
>
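A small chain-walk over the `iptables -L -v -n` packet counters, added here as an example (not code from this thread or from Nova/Quantum), to verify that forwarded traffic actually reaches the per-instance security-group chain: it follows the jumps from FORWARD to nova-compute-inst-767 and reports the first hop that saw zero packets. The embedded dump is a constructed, trimmed copy of the output above, and the chain names are assumed to match the thread's.

```python
import re
# Constructed `iptables -L -v -n` excerpt modelled on the thread's dump (assumption: trimmed).
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 nova-filter-top all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-filter-top (2 references)
 pkts bytes target prot opt in out source destination
  396  216K nova-compute-local all -- * * 0.0.0.0/0 0.0.0.0/0
Chain nova-compute-local (1 references)
 pkts bytes target prot opt in out source destination
    0     0 nova-compute-inst-767 all -- * * 0.0.0.0/0 30.0.0.5
Chain nova-compute-inst-767 (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
"""
UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}  # iptables counter suffixes

def parse_chains(output):
    """Map chain name -> [(target, pkts), ...] for each rule in that chain."""
    chains, current = {}, None
    for line in output.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            pkts, _bytes, target = line.split()[:3]
            num, unit = re.fullmatch(r"(\d+)([KMG]?)", pkts).groups()
            chains[current].append((target, int(num) * UNIT[unit]))
    return chains

def trace(chains, start, goal, path=()):
    """Follow jump targets depth-first; return the chain path start..goal."""
    path += (start,)
    if start == goal:
        return path
    for target, _ in chains.get(start, []):
        if target in chains and target not in path:
            if found := trace(chains, target, goal, path):
                return found
    return None

def first_dead_hop(chains, path):
    """First jump along the path whose packet counter is zero, else None."""
    for src, dst in zip(path, path[1:]):
        if sum(p for t, p in chains[src] if t == dst) == 0:
            return (src, dst)
    return None
```

On the dump in the thread the first dead hop is FORWARD to nova-filter-top, which says that no forwarded packets are passing through the host's iptables at all, so the instance chain never gets a chance to evaluate the security-group rules.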