Hello,

I have a problem with Neutron security groups and I hoped you could
provide some ideas.

I have two different cloud installations based on OpenStack Havana;
they both use a Neutron setup with multiple tenants and routers.

The first cloud is based on Ubuntu and has both Neutron and Nova
security groups enabled (a mistake in configuration: I did not add
"firewall_driver=nova.virt.firewall.NoopFirewallDriver" to nova.conf).
On its compute nodes it has neutron-openvswitch-* iptables chains and
nova-instance* chains. Rules from all of these chains seem to get hits
and security groups work properly. This cloud uses GRE tunnels.

The second cloud is based on CentOS 6.5 with RDO. It has the same
Neutron setup, Nova security groups disabled, and
"security_group_api=neutron". It does not have the nova-instance*
iptables chains, but the Neutron chains are properly applied. None of
these chains get any hits at all and all traffic to instances is
allowed. This cloud used VXLAN, but I switched to GRE, which did not
help.

On both clouds there are no additional iptables rules besides the ones
generated by OpenStack: I flushed all the rules and chains and forced a
sync by adding a security group rule.

Do you have any idea why security groups don't work, i.e. why the
chains don't get traffic? It seems to me that the rules in the chains
neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any hits
at all on my second cloud installation.
    -- 
Best Regards,
Daniel
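Editor's note: the following diagnostic is an added example, written for this page; it is not code from Daniel's message, from RDO, or from the OpenStack project. It runs on constructed sample files the three checks a practitioner would make on a compute node showing the symptom above: whether nova.conf really hands security groups to Neutron (the `firewall_driver` and `security_group_api` settings Daniel names), which `neutron-openvswi-*` chains in saved `iptables -L -n -v -x` output have zero packet counts, and whether `net.bridge.bridge-nf-call-iptables` is 1, since the Neutron OVS hybrid firewall filters on a `qbrXXX` Linux bridge and bridged traffic only traverses iptables when that sysctl is enabled. The sample nova.conf contents, the iptables counters, the tap/port IDs, and the sysctl file are all constructed; the real paths are named in comments.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the post (not part of the original
# message): on constructed sample files it performs the three checks a
# practitioner would run on a compute node.
#   1. nova.conf: Nova's own firewall off, security_group_api=neutron?
#   2. iptables -L -n -v -x: which neutron-openvswi-* chains have zero hits?
#   3. net.bridge.bridge-nf-call-iptables: does traffic crossing the qbrXXX
#      Linux bridge (where the OVS hybrid driver filters) reach iptables?
# Every sample below is constructed; the real paths are named in comments.

SAMPLE_DIR=$(mktemp -d)

# check 1 -- prints "ok"/returns 0 only when firewall_driver ends in
# NoopFirewallDriver AND security_group_api is neutron; otherwise reports
# what is missing and returns 1. Real input: /etc/nova/nova.conf.
check_nova_conf() {
    conf=$1
    drv=$(sed -n 's/^[[:space:]]*firewall_driver[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    api=$(sed -n 's/^[[:space:]]*security_group_api[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    rc=0
    case $drv in
        *NoopFirewallDriver) ;;
        *) echo "firewall_driver='${drv:-<unset>}': Nova builds its own nova-instance* chains too"
           rc=1 ;;
    esac
    if [ "$api" != "neutron" ]; then
        echo "security_group_api='${api:-<unset>}': expected neutron"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# check 2 -- given saved output of `iptables -L -n -v -x` and a chain-name
# prefix, print (sorted) every chain with that prefix whose rules have a
# total packet count of zero. Rule lines are summed per chain; the
# "pkts bytes" header lines and blank lines are skipped.
zero_hit_chains() {
    awk -v prefix="$2" '
        /^Chain / { chain = $2
                    if (index(chain, prefix) == 1) { seen[chain] = 1; pkts[chain] += 0 }
                    next }
        /^[[:space:]]*pkts[[:space:]]+bytes/ { next }
        NF > 0 && (chain in seen) { pkts[chain] += $1 }
        END { for (c in seen) if (pkts[c] == 0) print c }
    ' "$1" | LC_ALL=C sort
}

# check 3 -- argument is a file holding the sysctl value (on a real node
# /proc/sys/net/bridge/bridge-nf-call-iptables); true when it is 1.
bridge_nf_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# --- constructed samples --------------------------------------------------
# Cloud 1: Nova firewall left on (no NoopFirewallDriver line).
cat > "$SAMPLE_DIR/nova-cloud1.conf" <<'EOF'
[DEFAULT]
security_group_api=neutron
EOF
# Cloud 2: Nova firewall off, security groups delegated to Neutron.
cat > "$SAMPLE_DIR/nova-cloud2.conf" <<'EOF'
[DEFAULT]
firewall_driver=nova.virt.firewall.NoopFirewallDriver
security_group_api=neutron
EOF
# Counters like the CentOS node: neutron chains present, zero hits
# (port and tap IDs are made up).
cat > "$SAMPLE_DIR/iptables.txt" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  140233 18873144 neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain neutron-openvswi-INPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-o1234abcd-e  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap1234abcd-ef --physdev-is-bridged

Chain neutron-openvswi-FORWARD (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out tap1234abcd-ef --physdev-is-bridged
       0        0 neutron-openvswi-sg-chain  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in tap1234abcd-ef --physdev-is-bridged

Chain neutron-openvswi-sg-fallback (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      960 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
echo 0 > "$SAMPLE_DIR/bridge-nf-call-iptables"

for c in cloud1 cloud2; do
    echo "== nova.conf ($c)"; check_nova_conf "$SAMPLE_DIR/nova-$c.conf" || true
done
echo "== neutron chains with zero hits"
zero_hit_chains "$SAMPLE_DIR/iptables.txt" neutron-openvswi-
bridge_nf_enabled "$SAMPLE_DIR/bridge-nf-call-iptables" \
    || echo "bridge-nf-call-iptables is 0: bridged VM traffic bypasses iptables"
```

On a real node, replace the sample files with `/etc/nova/nova.conf`, the output of `iptables -L -n -v -x`, and `/proc/sys/net/bridge/bridge-nf-call-iptables`. Zero hits on every `neutron-openvswi-*` chain while the builtin `INPUT`/`FORWARD` counters keep climbing means the packets never pass the `physdev` match, which points at how the VM tap is plugged (directly into `br-int` instead of through a `qbr` bridge) or at bridge netfilter being off, rather than at the rules themselves.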