yahoo-eng-team team mailing list archive
Message #02456
[Bug 1182629] Re: security group rule listing doesn't show details
That's intended; if it's blank, that means it's wildcarded. By default
all egress traffic is allowed and ingress traffic is allowed only from
ports that are part of the same security group.
** Changed in: quantum
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to quantum.
https://bugs.launchpad.net/bugs/1182629
Title:
security group rule listing doesn't show details
Status in OpenStack Quantum (virtual network service):
Invalid
Bug description:
I have a new quantum environment, with default security groups - and they have blank protocol, ip prefix etc:
quantum security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+-------------
| id | security_group | direction | protocol | remote_ip_prefix | remote_group
+--------------------------------------+----------------+-----------+----------+------------------+-------------
| 028aec88-15db-4aef-aa6d-0882468b393a | default | egress | | |
| 316c8156-a804-4181-8a06-0d470eaf2612 | default | ingress | | | default
| 33049251-7a67-4efd-88bd-06bf05d05896 | default | ingress | | | default
| 55250bab-777f-4519-a330-760fdaa2b9b9 | default | egress | | |
| 586ffa9b-fe17-4a16-8e9b-61cdc2097a01 | default | egress | | |
| 58d618c0-19a4-4b20-ba64-f8a393db8def | default | ingress | | | default
| 5b11d13c-7e5a-424c-8364-b199dc07ef3b | default | egress | | |
| b3ad9ac9-56b2-4786-acca-359ff292d5cd | default | ingress | | | default
+--------------------------------------+----------------+-----------+----------+------------------+-------------
But when I check with iptables, one can see they are filtering ports
(e.g. bootps/bootpc):
:quantum-filter-top - [0:0]
:quantum-openvswi-FORWARD - [0:0]
:quantum-openvswi-INPUT - [0:0]
:quantum-openvswi-OUTPUT - [0:0]
:quantum-openvswi-iaa210549-d - [0:0]
:quantum-openvswi-local - [0:0]
:quantum-openvswi-oaa210549-d - [0:0]
:quantum-openvswi-sg-chain - [0:0]
:quantum-openvswi-sg-fallback - [0:0]
-A INPUT -j quantum-openvswi-INPUT
-A FORWARD -j quantum-filter-top
-A FORWARD -j quantum-openvswi-FORWARD
-A OUTPUT -j quantum-filter-top
-A OUTPUT -j quantum-openvswi-OUTPUT
-A quantum-filter-top -j quantum-openvswi-local
-A quantum-openvswi-FORWARD -m physdev --physdev-out tapaa210549-df --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-FORWARD -m physdev --physdev-in tapaa210549-df --physdev-is-bridged -j quantum-openvswi-sg-chain
-A quantum-openvswi-INPUT -m physdev --physdev-in tapaa210549-df --physdev-is-bridged -j quantum-openvswi-oaa210549-d
-A quantum-openvswi-iaa210549-d -m state --state INVALID -j DROP
-A quantum-openvswi-iaa210549-d -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-iaa210549-d -s 192.0.2.32/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A quantum-openvswi-iaa210549-d -j quantum-openvswi-sg-fallback
-A quantum-openvswi-oaa210549-d -m mac ! --mac-source FA:16:3E:7F:4F:76 -j DROP
-A quantum-openvswi-oaa210549-d -p udp -m udp --sport 68 --dport 67 -j RETURN
-A quantum-openvswi-oaa210549-d ! -s 192.0.2.33/32 -j DROP
-A quantum-openvswi-oaa210549-d -p udp -m udp --sport 67 --dport 68 -j DROP
-A quantum-openvswi-oaa210549-d -m state --state INVALID -j DROP
-A quantum-openvswi-oaa210549-d -m state --state RELATED,ESTABLISHED -j RETURN
-A quantum-openvswi-oaa210549-d -j RETURN
-A quantum-openvswi-oaa210549-d -j quantum-openvswi-sg-fallback
-A quantum-openvswi-sg-chain -m physdev --physdev-out tapaa210549-df --physdev-is-bridged -j quantum-openvswi-iaa210549-d
-A quantum-openvswi-sg-chain -m physdev --physdev-in tapaa210549-df --physdev-is-bridged -j quantum-openvswi-oaa210549-d
-A quantum-openvswi-sg-chain -j ACCEPT
-A quantum-openvswi-sg-fallback -j DROP
COMMIT
To manage notifications about this bug go to:
https://bugs.launchpad.net/quantum/+bug/1182629/+subscriptions
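
The reading of blank fields given in the reply above, as an added example that is not part of the original message or of Quantum's own code: it parses a rule listing in the column layout shown in the report, spells each rule out with blanks read as wildcards, and picks out ingress rules that restrict nothing. The sample rows, the group names `web` and `lab`, and the function names are constructed for illustration; only the columns visible in the report are handled.

```python
# Constructed sample in the column layout of the listing in the report.
SAMPLE = """\
+----+----------------+-----------+----------+------------------+--------------+
| id | security_group | direction | protocol | remote_ip_prefix | remote_group |
+----+----------------+-----------+----------+------------------+--------------+
| r1 | default        | egress    |          |                  |              |
| r2 | default        | ingress   |          |                  | default      |
| r3 | web            | ingress   | tcp      | 203.0.113.0/24   |              |
| r4 | lab            | ingress   |          |                  |
+----+----------------+-----------+----------+------------------+--------------+
"""


def parse_table(text):
    """Turn the ASCII table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and anything that is not a row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        # Rows cut off at the right edge get empty trailing cells.
        cells += [""] * (len(header) - len(cells))
        rows.append(dict(zip(header, cells)))
    return rows


def describe(rule):
    """Spell out a rule, reading every blank field as a wildcard."""
    proto = rule["protocol"] or "any protocol"
    if rule["remote_group"]:
        peer = "members of group '%s'" % rule["remote_group"]
    else:
        peer = rule["remote_ip_prefix"] or "any address"
    word = "to" if rule["direction"] == "egress" else "from"
    return "%s: allow %s %s %s %s" % (
        rule["security_group"], rule["direction"], proto, word, peer)


def unrestricted_ingress(rules):
    """Ids of ingress rules whose protocol and both remote fields are blank."""
    return [r["id"] for r in rules if r["direction"] == "ingress"
            and not (r["protocol"] or r["remote_ip_prefix"] or r["remote_group"])]


if __name__ == "__main__":
    parsed = parse_table(SAMPLE)
    for rule in parsed:
        print(describe(rule))
    print("unrestricted ingress:", unrestricted_ingress(parsed))
```

Rows like `r2`, with only `remote_group` set, match the default ingress rules in the report: any protocol, but only from members of the same group.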