Answering my own question: I found out why rules were not working. There 
were no "firewall bridges" on compute nodes to which the rules would apply.
The reason was that the compute nodes' nova.conf used the new:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
instead of the old and deprecated:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
The latter one was used by my old cloud and therefore everything was 
working.
The fix for me right now is to use the deprecated driver, which forces 
creation of "firewall bridges". However, as I understand it, the 
GenericVIFDriver should create the bridge if appropriate meta 
information exists. This information should exist if security groups 
are used, but it is not happening.
Is there any extra configuration required to make GenericVIFDriver 
create bridges? I am sure it is possible as the other drivers are 
removed in Icehouse.
Best Regards,
Daniel
On 3/5/2014 9:59 AM, Daniel Speichert wrote:
 Hello,
 I have a problem with Neutron security groups and I hoped you could 
 provide some ideas.
 I have two different cloud installations based on OpenStack Havana; 
 they both use a Neutron setup with multiple tenants and routers.
 The first cloud is based on Ubuntu and has both Neutron and Nova security 
 groups enabled (a mistake in configuration: I did not add 
 "firewall_driver=nova.virt.firewall.NoopFirewallDriver" to nova.conf). 
 On its compute nodes it has neutron-openvswitch-* iptables chains and 
 nova-instance* chains.
 Rules from all of these chains seem to get hits and security groups 
 work properly. This cloud uses GRE tunnels.
 Second cloud is based on CentOS 6.5 with RDO. It has the same Neutron 
 setup and nova security groups disabled and 
 "security_group_api=neutron". It does not have iptables chains 
 nova-instance* but neutron chains are properly applied. None of these 
 chains get any hits at all and all traffic to instances is allowed. 
 This cloud used VXLANs but I switched to GRE which did not help.
 On both clouds there are no additional iptables rules besides the ones 
 generated by OpenStack - I flushed all the rules and chains and forced 
 sync by adding a security group rule.
 Do you have any idea why security groups don't work, i.e. the chains 
 don't get traffic? It seems to me that the rules in chains 
 neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any hits 
 at all on my second cloud installation.
 -- 
 Best Regards,
 Daniel
 _______________________________________________
 Rdo-list mailing list
 Rdo-list(a)redhat.com
 https://www.redhat.com/mailman/listinfo/rdo-list
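A small diagnostic helper for the two things Daniel compared on his compute nodes: which libvirt_vif_driver the nova.conf selects, and whether the neutron-openvswi-* chains ever count a packet. This is an added example, not code from the mail thread or from OpenStack. It assumes only the names that appear in the thread (the libvirt_vif_driver option and the neutron-openvswi-* filter chains); the sample nova.conf and the sample `iptables -nvxL` output are constructed, and the tap and chain names in them are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers for the thread above; not code from the original
# mails or from OpenStack. Names are taken from the thread only: the
# libvirt_vif_driver option in nova.conf and the neutron-openvswi-* chains.

# Classify the libvirt_vif_driver setting in a nova.conf read from stdin:
#   "hybrid"  -> LibvirtHybridOVSBridgeDriver (deprecated; always creates the firewall bridge)
#   "generic" -> LibvirtGenericVIFDriver (creates the bridge only when port metadata asks for it)
#   "unknown" -> option missing or commented out
vif_driver_kind() {
    awk -F= '
        /^[ \t]*libvirt_vif_driver[ \t]*=/ {
            gsub(/[ \t]/, "", $2)
            if ($2 ~ /LibvirtHybridOVSBridgeDriver$/) { print "hybrid";  found = 1; exit }
            if ($2 ~ /LibvirtGenericVIFDriver$/)      { print "generic"; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# Read "iptables -nvxL" output from stdin and print every neutron-openvswi-*
# chain whose rules have a combined packet count of zero, i.e. chains that,
# as on the second cloud above, never see traffic. -x keeps the counters as
# plain integers so the sum is exact.
zero_hit_chains() {
    awk '
        function flush() {
            if (chain ~ /^neutron-openvswi-/ && total == 0) print chain
        }
        /^Chain /       { flush(); chain = $2; total = 0; next }
        /^[ \t]*pkts/   { next }                # column header line
        /^[ \t]*[0-9]/  { total += $1 }         # rule line: first column is pkts
        END             { flush() }'
}

# Constructed sample inputs (not captured from either cloud) so the helpers
# run offline. Tap and chain suffixes are placeholders.
SAMPLE_NOVA_CONF='[DEFAULT]
security_group_api=neutron
firewall_driver=nova.virt.firewall.NoopFirewallDriver
#libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtGenericVIFDriver'

# The jump from FORWARD counts packets, but the physdev rules inside the
# neutron chains never match (no firewall bridge), mirroring the report above.
# The sg-chain counter is constructed only to show that chains with hits are skipped.
SAMPLE_IPTABLES='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8412   912300 neutron-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    8412   912300 neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap0000dead-be --physdev-is-bridged

Chain neutron-openvswi-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-o0000dead-b  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap0000dead-be --physdev-is-bridged

Chain neutron-openvswi-sg-chain (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      37     3108 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Run against the constructed samples. On a compute node the equivalent is:
#   vif_driver_kind < /etc/nova/nova.conf
#   iptables -nvxL | zero_hit_chains
printf '%s\n' "$SAMPLE_NOVA_CONF" | vif_driver_kind
printf '%s\n' "$SAMPLE_IPTABLES" | zero_hit_chains
```

On the sample input the first check prints `generic` and the second lists `neutron-openvswi-FORWARD` and `neutron-openvswi-INPUT`, the two chains Daniel saw without hits. A chain whose jump from the built-in FORWARD chain counts packets while its own physdev rules stay at zero is the signature of a port plugged without the qbr firewall bridge, which is what the driver check is there to confirm.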