[Rdo-list] Question about Neutron Security Groups

Daniel Speichert daniel at speichert.pl
Wed Mar 5 14:59:42 UTC 2014


Hello,

I have a problem with Neutron security groups and I hoped you could 
provide some ideas.

I have two different cloud installations based on OpenStack Havana; they 
both use a Neutron setup with multiple tenants and routers.

The first cloud is based on Ubuntu and has both Neutron and Nova security 
groups enabled (a mistake in configuration: I did not add 
"firewall_driver=nova.virt.firewall.NoopFirewallDriver" to nova.conf). On 
its compute nodes it has neutron-openvswitch-* iptables chains and 
nova-instance* chains.
Rules from all of these chains seem to get hits and security groups work 
properly. This cloud uses GRE tunnels.

The second cloud is based on CentOS 6.5 with RDO. It has the same Neutron 
setup, Nova security groups disabled and 
"security_group_api=neutron". It does not have the nova-instance* iptables 
chains, but the Neutron chains are properly applied. None of these 
chains get any hits at all and all traffic to instances is allowed. This 
cloud used VXLAN, but I switched to GRE, which did not help.

On both clouds there are no additional iptables rules besides the ones 
generated by OpenStack - I flushed all the rules and chains and forced 
sync by adding a security group rule.

Do you have any idea why security groups don't work, i.e. why the chains 
don't get traffic? It seems to me that the rules in the chains 
neutron-openvswi-FORWARD and neutron-openvswi-INPUT don't get any hits 
at all on my second cloud installation.

-- 
Best Regards,
Daniel
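The check the post describes, looking at whether the neutron-openvswi-* chains ever receive traffic, can be automated from the packet counters that `iptables-save -c` prints in front of every rule. The script below is an added example written for this page, not code from the original post or from the RDO/Neutron projects; the sample `iptables-save -c` output is constructed, and the chain names, the tap interface name and the counter values in it are assumptions. The security-group rules Neutron's OVS hybrid driver installs use `-m physdev ... --physdev-is-bridged` matches, which only fire for frames crossing a Linux bridge, so a set of chains that stays at zero while instance traffic is flowing means the packets are not traversing the bridge those rules expect.

```shell
#!/bin/sh
# Added example (not from the original post): find Neutron security-group
# chains whose packet counters stay at zero. The functions read
# `iptables-save -c` output on stdin; the "[pkts:bytes]" prefix of each
# rule line carries the counters.

# Constructed sample of `iptables-save -c` output from a compute node.
# Chain names, the tap interface and the counter values are assumptions
# made for this demo.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-sg-fallback - [0:0]
[0:0] -A INPUT -j neutron-openvswi-INPUT
[0:0] -A FORWARD -j neutron-filter-top
[0:0] -A FORWARD -j neutron-openvswi-FORWARD
[57:4120] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A neutron-openvswi-FORWARD -m physdev --physdev-out tapdeadbeef-01 --physdev-is-bridged -j neutron-openvswi-sg-chain
[0:0] -A neutron-openvswi-sg-fallback -j DROP
COMMIT'

# chain_hits PREFIX: print "<chain> <total packets>" for every chain whose
# name starts with PREFIX, summing the packet counters of all rules that
# live in that chain. Chains that are declared but hold no rules
# (":name - [0:0]") are reported with 0.
chain_hits() {
  LC_ALL=C awk -v pfx="$1" '
    substr($0, 1, 1) == ":" {
      chain = substr($1, 2)
      if (index(chain, pfx) == 1 && !(chain in hits)) hits[chain] = 0
    }
    substr($0, 1, 1) == "[" {
      # $1 is "[pkts:bytes]", $2 is "-A", $3 is the chain the rule is in
      split(substr($1, 2, length($1) - 2), c, ":")
      if (index($3, pfx) == 1) hits[$3] += c[1]
    }
    END { for (ch in hits) printf "%s %d\n", ch, hits[ch] }
  ' | LC_ALL=C sort
}

# zero_hit_chains PREFIX: names of the PREFIX* chains that never matched
# a single packet, one per line.
zero_hit_chains() {
  chain_hits "$1" | awk '$2 == 0 { print $1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | zero_hit_chains neutron-openvswi
```

On a real compute node run `iptables-save -c | zero_hit_chains neutron-openvswi` after generating some traffic to an instance; chains that still report zero while the instance is reachable are the ones to investigate, starting with whether the instance's tap device is attached to a Linux bridge at all.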


