← Back to team overview

openstack team mailing list archive

Re: Security Group of Quantum ovs plugin (Folsom) is not working

 

Do you have:

 firewall_driver=nova.virt.firewall.IptablesFirewallDriver

in your nova.conf? In folsom, quantum leveraged nova security groups
implementation directly so you need that.  (looks like you have that set
though by your output).

Aaron



On Sun, Jun 16, 2013 at 7:38 PM, Chandler Li <lichandler116@xxxxxxxxx>wrote:

> Hi,
> I checked the compute node's iptables rules and found out the
> nova-compute-inst-xxx have no traffic flow.
> The traffic flow stopped at nova-filter-top chain rule, so security group
> is not working.
> Any idea how to resolve this problem?
>
> Thanks,
> Chandler
>
> [root@compute1 ~]# iptables -L -v -n
> Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>   369  117K nova-compute-INPUT  all  --  *      *       0.0.0.0/0
>    0.0.0.0/0
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0           udp dpt:53
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:53
>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0           udp dpt:67
>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:67
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:5900
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>     0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0
>      0.0.0.0/0
>     0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0
> 192.168.122.0/24    state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24
> 0.0.0.0/0
>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0
> 0.0.0.0/0
>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0
> 0.0.0.0/0           reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0
> 0.0.0.0/0           reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>   437  233K nova-filter-top  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>   396  216K nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0
>      0.0.0.0/0
>
> Chain nova-compute-FORWARD (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain nova-compute-INPUT (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain nova-compute-OUTPUT (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain nova-compute-inst-767 (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state INVALID
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0
>        0.0.0.0/0
>     0     0 ACCEPT     udp  --  *      *       30.0.0.2
> 0.0.0.0/0           udp spt:67 dpt:68
>     0     0 ACCEPT     all  --  *      *       30.0.0.0/24
> 0.0.0.0/0
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:22
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
> 0.0.0.0/0
>     0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0
>          0.0.0.0/0
>
> Chain nova-compute-local (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0
>        30.0.0.5
>
> Chain nova-compute-provider (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain nova-compute-sg-fallback (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain nova-filter-top (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
>   396  216K nova-compute-local  all  --  *      *       0.0.0.0/0
>    0.0.0.0/0
>
>
>
> 2013/6/14 Chandler Li <lichandler116@xxxxxxxxx>
>
>> Hello,
>>
>> I'm trying to use security group of Quantum ovs plugin(Folsom) in CentOS
>> 6.3 (2012.2.3-1.el6@epel).
>>
>> Everything looks good, except security group,
>>
>> and there are no error message in /var/log/nova/compute.log file.
>>
>> After I created VM, I can see the bridges and interfaces have been
>> created normally.
>>
>>      [root@compute1 ~]# brctl show
>>      bridge name     bridge id               STP enabled     interfaces
>>      br-int          0000.3eca2e714b4d       no
>>  qvo756ead5d-32
>>      br-tun          0000.824651aab541       no
>>      qbr756ead5d-32          0000.ca57ea41484c       no
>>  qvb756ead5d-32
>>                                                              vnet0
>>
>> The chain rules in filter table of iptables can reflect security group
>> rules correctly too.
>>
>>      Chain nova-compute-inst-749 (1 references)
>>      num  target     prot opt source               destination
>>      1    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>> state INVALID
>>      2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> state RELATED,ESTABLISHED
>>      3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
>>      4    ACCEPT     udp  --  10.0.0.2             0.0.0.0/0
>> udp spt:67 dpt:68
>>      5    ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
>>      6    nova-compute-sg-fallback  all  --  0.0.0.0/0
>> 0.0.0.0/0
>>
>> Obviously, the packets do not follow these rules correctly.
>>
>> Please advise me how to resolve this problem.
>>
>> Thanks a lot,
>> Chandler
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>

Follow ups

References