Message #24448
Re: Security Group of Quantum ovs plugin (Folsom) is not working
Do you have:
firewall_driver=nova.virt.firewall.IptablesFirewallDriver
in your nova.conf? In folsom, quantum leveraged nova security groups
implementation directly so you need that. (looks like you have that set
though by your output).
Aaron
On Sun, Jun 16, 2013 at 7:38 PM, Chandler Li <lichandler116@xxxxxxxxx> wrote:
> Hi,
> I checked the compute node's iptables rules and found out the
> nova-compute-inst-xxx have no traffic flow.
> The traffic flow stopped at nova-filter-top chain rule, so security group
> is not working.
> Any idea how to resolve this problem?
>
> Thanks,
> Chandler
>
> [root@compute1 ~]# iptables -L -v -n
> Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
>  pkts bytes target                    prot opt in      out     source            destination
>   369  117K nova-compute-INPUT        all  --  *       *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT                    udp  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         udp dpt:53
>     0     0 ACCEPT                    tcp  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         tcp dpt:53
>     0     0 ACCEPT                    udp  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         udp dpt:67
>     0     0 ACCEPT                    tcp  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         tcp dpt:67
>     0     0 ACCEPT                    tcp  --  *       *       0.0.0.0/0         0.0.0.0/0         tcp dpt:5900
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target                    prot opt in      out     source            destination
>     0     0 nova-filter-top           all  --  *       *       0.0.0.0/0         0.0.0.0/0
>     0     0 nova-compute-FORWARD      all  --  *       *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT                    all  --  *       virbr0  0.0.0.0/0         192.168.122.0/24  state RELATED,ESTABLISHED
>     0     0 ACCEPT                    all  --  virbr0  *       192.168.122.0/24  0.0.0.0/0
>     0     0 ACCEPT                    all  --  virbr0  virbr0  0.0.0.0/0         0.0.0.0/0
>     0     0 REJECT                    all  --  *       virbr0  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
>     0     0 REJECT                    all  --  virbr0  *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
>  pkts bytes target                    prot opt in      out     source            destination
>   437  233K nova-filter-top           all  --  *       *       0.0.0.0/0         0.0.0.0/0
>   396  216K nova-compute-OUTPUT       all  --  *       *       0.0.0.0/0         0.0.0.0/0
>
> Chain nova-compute-FORWARD (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>
> Chain nova-compute-INPUT (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>
> Chain nova-compute-OUTPUT (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>
> Chain nova-compute-inst-767 (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>     0     0 DROP                      all  --  *       *       0.0.0.0/0         0.0.0.0/0         state INVALID
>     0     0 ACCEPT                    all  --  *       *       0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
>     0     0 nova-compute-provider     all  --  *       *       0.0.0.0/0         0.0.0.0/0
>     0     0 ACCEPT                    udp  --  *       *       30.0.0.2          0.0.0.0/0         udp spt:67 dpt:68
>     0     0 ACCEPT                    all  --  *       *       30.0.0.0/24       0.0.0.0/0
>     0     0 ACCEPT                    tcp  --  *       *       0.0.0.0/0         0.0.0.0/0         tcp dpt:22
>     0     0 ACCEPT                    icmp --  *       *       0.0.0.0/0         0.0.0.0/0
>     0     0 nova-compute-sg-fallback  all  --  *       *       0.0.0.0/0         0.0.0.0/0
>
> Chain nova-compute-local (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>     0     0 nova-compute-inst-767     all  --  *       *       0.0.0.0/0         30.0.0.5
>
> Chain nova-compute-provider (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>
> Chain nova-compute-sg-fallback (1 references)
>  pkts bytes target                    prot opt in      out     source            destination
>     0     0 DROP                      all  --  *       *       0.0.0.0/0         0.0.0.0/0
>
> Chain nova-filter-top (2 references)
>  pkts bytes target                    prot opt in      out     source            destination
>   396  216K nova-compute-local        all  --  *       *       0.0.0.0/0         0.0.0.0/0
>
>
>
> 2013/6/14 Chandler Li <lichandler116@xxxxxxxxx>
>
>> Hello,
>>
>> I'm trying to use the security group of the Quantum ovs plugin (Folsom) in CentOS
>> 6.3 (2012.2.3-1.el6@epel).
>>
>> Everything looks good, except security group,
>>
>> and there are no error messages in the /var/log/nova/compute.log file.
>>
>> After I created VM, I can see the bridges and interfaces have been
>> created normally.
>>
>> [root@compute1 ~]# brctl show
>> bridge name      bridge id           STP enabled  interfaces
>> br-int           0000.3eca2e714b4d   no           qvo756ead5d-32
>> br-tun           0000.824651aab541   no
>> qbr756ead5d-32   0000.ca57ea41484c   no           qvb756ead5d-32
>>                                                   vnet0
>>
>> The chain rules in filter table of iptables can reflect security group
>> rules correctly too.
>>
>> Chain nova-compute-inst-749 (1 references)
>> num  target                    prot opt source       destination
>> 1    DROP                      all  --  0.0.0.0/0    0.0.0.0/0    state INVALID
>> 2    ACCEPT                    all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
>> 3    nova-compute-provider     all  --  0.0.0.0/0    0.0.0.0/0
>> 4    ACCEPT                    udp  --  10.0.0.2     0.0.0.0/0    udp spt:67 dpt:68
>> 5    ACCEPT                    all  --  10.0.0.0/24  0.0.0.0/0
>> 6    nova-compute-sg-fallback  all  --  0.0.0.0/0    0.0.0.0/0
>>
>> Obviously, the packets do not follow these rules correctly.
>>
>> Please advise me how to resolve this problem.
>>
>> Thanks a lot,
>> Chandler
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
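A small diagnostic for the symptom discussed in this thread: it parses an `iptables -L -v -n` listing, reports how many packets each jump into nova-filter-top has matched, and lists per-instance security-group chains whose rules have never matched anything (installed, but not in the packet path). This is added example code, not part of the thread or of nova itself; the embedded listing is a trimmed copy of the counters Chandler posted above.

```python
import re

# Constructed sample: a trimmed copy of the counters from the dump posted in this thread.
SAMPLE_DUMP = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
  437  233K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-767 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")

def to_int(counter):
    """Expand the K/M/G rounding that `iptables -L -v` applies to counters (multiples of 1000)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(counter[:-1]) * mult[counter[-1]] if counter[-1] in mult else int(counter)

def parse_dump(dump):
    """Return {chain name: [rule dicts]} for an `iptables -L -v -n` listing."""
    chains, current = {}, None
    for line in dump.splitlines():
        if (m := CHAIN_RE.match(line)):
            current = m.group(1)
            chains[current] = []
        elif current is not None and (m := RULE_RE.match(line)):
            pkts, _bytes, target, proto, in_if, out_if, src, dst, extra = m.groups()
            chains[current].append({"pkts": to_int(pkts), "target": target, "proto": proto,
                                    "in": in_if, "out": out_if, "src": src, "dst": dst,
                                    "extra": extra.strip()})
    return chains

def jump_counters(chains, target):
    """Packet count of every rule that jumps to `target`, keyed by the chain it sits in."""
    return {name: r["pkts"] for name, rules in chains.items() for r in rules if r["target"] == target}

def idle_instance_chains(chains):
    """Per-instance chains with rules present but zero hits everywhere: the chain is not in the packet path."""
    return [name for name, rules in chains.items()
            if name.startswith("nova-compute-inst-") and rules and all(r["pkts"] == 0 for r in rules)]
```

On the posted dump this reports nova-filter-top matching only from OUTPUT (host-originated traffic) and never from FORWARD, which is why nova-compute-inst-767 stays idle.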