<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
I have a problem with Neutron security groups and I hoped you could
provide some ideas.<br>
<br>
I have two different cloud installations based on OpenStack Havana,
they both use a Neutron setup with multiple tenants and routers.<br>
<br>
First cloud is based on Ubuntu and has both Neutron and Nova
security groups enabled (a mistake in configuration, I did not add
"<code>firewall_driver=nova.virt.firewall.NoopFirewallDriver</code>"
to nova.conf). On its compute nodes it has neutron-openvswitch-*
iptables chains and nova-instance* chains.<br>
Rules from all of these chains seem to get hits and security groups
work properly. This cloud uses GRE tunnels.<br>
<br>
Second cloud is based on CentOS 6.5 with RDO. It has the same
Neutron setup and nova security groups disabled and
"<code>security_group_api=neutron</code>".
It does not have iptables chains nova-instance* but neutron chains
are properly applied. None of these chains get any hits at all and
all traffic to instances is allowed. This cloud used VXLANs, but I
switched to GRE, which did not help.<br>
<br>
On both clouds there are no additional iptables rules besides the
ones generated by OpenStack - I flushed all the rules and chains and
forced sync by adding a security group rule.<br>
<br>
Do you have any idea why security groups don't work, i.e. the chains
don't get traffic? It seems to me that the rules in chains
neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any
hits at all on my second cloud installation.<br>
<pre class="moz-signature" cols="72">--
Best Regards,
Daniel</pre>
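<br>
A diagnostic script, added here as an example and not part of Daniel's message or of OpenStack itself: it parses the output of <code>iptables -t filter -nvxL</code> on a compute node and reports whether the jumps from INPUT and FORWARD into the neutron-openvswi-* chains are counting packets, and which security-group chains have seen no traffic at all (the symptom described above). The embedded iptables output, the tap device name and all counter values are constructed for the example; with <code>--live</code> it reads the real tables instead. The last check reads <code>/proc/sys/net/bridge/bridge-nf-call-iptables</code>, which must be 1 for frames crossing a Linux bridge (the qbr bridges used by the OVS hybrid firewall driver) to traverse iptables at all; it is included as a known prerequisite to verify, not as a claim about the cause of this particular case.<br>

```python
"""Report which Neutron/Nova security-group iptables chains are actually seeing traffic.

Added example, not code from the mailing-list post or from OpenStack.
Works on the output of `iptables -t filter -nvxL` (-x gives exact counters).
"""
import re
import subprocess
import sys

# Constructed sample of `iptables -nvxL` output: the tap name, chain suffix and
# counters are made up to mimic a node where INPUT jumps fire but FORWARD does not.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345  9876543 neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   55555 44444444 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tapabc123 --physdev-is-bridged
       0        0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapabc123 --physdev-is-bridged

Chain neutron-openvswi-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-oabc123  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tapabc123 --physdev-is-bridged
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# With -v -x every rule row starts with two integer columns: pkts and bytes.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_counters(text):
    """Return {chain_name: [(pkts, bytes, target), ...]} from `iptables -nvxL` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            chains[current].append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return chains


def jump_hits(chains, builtin, jump_target):
    """Packet count on the rule in a built-in chain that jumps to jump_target, or None if no such rule."""
    for pkts, _, target in chains.get(builtin, []):
        if target == jump_target:
            return pkts
    return None


def idle_chains(chains, prefixes=("neutron-openvswi-", "nova-instance")):
    """Security-group chains (by prefix) whose rules have all counted zero packets."""
    idle = []
    for name, rules in chains.items():
        if name.startswith(prefixes) and rules and all(p == 0 for p, _, _ in rules):
            idle.append(name)
    return sorted(idle)


def bridge_netfilter_enabled(path="/proc/sys/net/bridge/bridge-nf-call-iptables"):
    """True if bridged frames are passed through iptables (needed for the OVS hybrid
    driver's PHYSDEV rules to match); None if the bridge module is not loaded."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    if "--live" in sys.argv:
        text = subprocess.check_output(["iptables", "-t", "filter", "-nvxL"]).decode()
    else:
        text = SAMPLE_OUTPUT
    chains = parse_counters(text)
    for builtin, target in (("INPUT", "neutron-openvswi-INPUT"),
                            ("FORWARD", "neutron-openvswi-FORWARD")):
        print("%s -> %s: %s packets" % (builtin, target, jump_hits(chains, builtin, target)))
    print("security-group chains with no hits:", idle_chains(chains))
    print("bridge-nf-call-iptables enabled:", bridge_netfilter_enabled())
```

On the constructed sample the script shows the INPUT jump counting packets while the FORWARD jump and every neutron-openvswi-* chain stay at zero, which is the pattern to look for when instance traffic bypasses the security-group rules: FORWARD-side traffic never reaching iptables points at the bridge path rather than at the rules themselves.<br>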
</body>
</html>