I think this is a combination of two things...
1. When a VM initiates outbound communications, the egress rules allow associated return traffic. So if you allow outbound echo request, the return echo reply will also be allowed. 2. The router interface will respond to ping. - Jack From: Narasimhan, Vivekanandan Sent: Tuesday, May 20, 2014 8:07 AM To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [Neutron][Security Groups] Pings to router ip from VM with default security groups Hi , We have been trying to understand behavior of security group rules in icehouse stable. The default security group contains 4 rules, two ingress and two egress. The two ingress rules are one for IPv4 and other for IPv6. We see both the ingress rules use cyclic security groups, wherein the rule contains remote_security_group_id the same as the security_group_id itself. Vm1 <---> R1 <--> Vm2 Vm1 20.0.0.2 R1 interface 1 - 20.0.0.1 R1 interface 2 - 30.0.0.1 Vm2 30.0.0.2 We saw that with default security groups, Vm1 can ping its DHCP Server IP because of provider_rule in security group rules. Vm1 is also able to ping Vm2 via router R1, as Vm1 port and Vm2 port share the same security group. However, we noticed that a Vm1 is also able to ping the router interfaces (R1 interface 1 ip - 20.0.0.1) and also ping router interface (R1 interface 2 IP - 30.0.0.1) successfully. Router interfaces donot have security groups associated with them, so the router interface IPs won' t get added to the IPTables of the CN where the Vm1 resides. We are not able to figure how the ping from the Vm1 to the router interfaces work when no explicit rules are added to allow them. Could you please throw some light on this? -- Thanks, Vivek
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
