Answering my own question: I found out why rules were not working. There were no "firewall bridges" on compute nodes to which the rules would apply.

The reason for it was that compute nodes in nova.conf used the new:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver

instead of the old and deprecated:
libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver

The latter one was used by my old cloud and therefore everything was working.

The fixed for me right now is to use the deprecated driver which forces creation of "firewall bridges". However, as I understand, the GenericVIFDriver should create the bridge if an appropriate meta information exists. This information should exists if security groups are used but it is not happening.
Is there any extra configuration required to make GenericVIFDriver create bridges? I am sure it is possible as the other drivers are removed in Icehouse.

Best Regards,
Daniel

On 3/5/2014 9:59 AM, Daniel Speichert wrote:

Hello,

I have a problem with Neutron security groups and I hoped you could provide some ideas.

I have two different cloud installation based on OpenStack Havana, they both use Neutron setup with multiple tenants and routers.

First cloud is based on Ubuntu and has both Neutron and Nova security groups enabled (a mistake in configuraiton, I did not add "firewall_driver=nova.virt.firewall.NoopFirewallDriver" to nova.conf. On its compute nodes it has neutron-openvswitch-* iptables chains and nova-instance* chains.
Rules from all of these chains seem to get hits and security groups work properly. This cloud uses GRE tunnels.

Second cloud is based on CentOS 6.5 with RDO. It has the same Neutron setup and nova security groups disabled and "security_group_api=neutron". It does not have iptables chains nova-instance* but neutron chains are properly applied. None of these chains get any hits at all and all traffic to instances is allowed. This cloud used VXLANs but I switched to GRE which did not help.

On both clouds there are no additional iptables rules besides the ones generated by OpenStack - I flushed all the rules and chains and forced sync by adding a security group rule.

Do you have any idea why security groups don't work, i.e. the chains don't get traffic? It seems to me that the rules in chains neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any hits at all on my second cloud installation.
-- 
Best Regards,
Daniel
_______________________________________________
Rdo-list mailing list
Rdo-list@redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list