Make sure that the bridges are being created (1 bridge per VM); they should be named close to the VM tap device name. Then make sure that you have the bridge nf-call-* files enabled:

http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

Under hybrid mode what happens is a Linux bridge (not an OVS bridge (brctl)) is created per VM. The VM's tap device is plugged into this bridge. A veth is created that spans from the VM's Linux bridge to br-int and is plugged in at both ends. This is done because older versions of OVS did not have support (or efficient support) for doing firewalling. The problem is that in the kernel, packets traversing the Open vSwitch code paths are unable to be hooked into by netfilter. So the Linux bridge is created solely to allow the VM traffic to pass through a netfilter-hookable location, so security groups work.

You need at a minimum to make sure /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. If it's not, then when you look at the iptables rules that are created you will see that none of the security group chains are seeing traffic.

___________________________________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy

From: raju <[email protected]>
Date: Thursday, April 21, 2016 at 5:26 PM
To: "[email protected]" <[email protected]>
Subject: [Openstack-operators] Security group rules not working on instances kilo

Hi,

I am running into an issue where security group rules are not applying to instances. When I create a new security group with default rules it should reject all incoming traffic, but it is allowing everything without blocking. Here is my config for nova:

security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver

and in ml2.con.ini:

firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

iptables service is running on all the nodes, please suggest me if I miss anything.

Thanks.
_______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
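The checks Kris describes (one Linux bridge per VM with the tap plugged in, a veth pair to br-int, and bridge-nf-call-iptables set to 1) can be scripted. This is an added example, not code from the thread; it assumes the common OVS hybrid naming of tap<ID> / qbr<ID> / qvb<ID> / qvo<ID>, which the email does not spell out, and it exercises the logic against constructed `bridge link show` and `ovs-vsctl list-ports br-int` output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed hybrid naming convention:
# tap<ID> -> qbr<ID> (Linux bridge) -> qvb<ID>/qvo<ID> veth pair -> br-int.

# Return 0 when a bridge-nf-call-* sysctl value (file contents) reads as "1".
nf_call_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Print the bridge that device $1 is plugged into, parsed from `bridge link show` output ($2).
master_of() {
  printf '%s\n' "$2" | awk -v dev="$1:" \
    '$2 == dev { for (i = 1; i <= NF; i++) if ($i == "master") print $(i + 1) }'
}

# Verify tap -> qbr -> qvb/qvo -> br-int for one VM.
# $1: tap device, $2: `bridge link show` output, $3: `ovs-vsctl list-ports br-int` output.
hybrid_plumbing_ok() {
  id="${1#tap}"
  [ "$(master_of "$1" "$2")" = "qbr$id" ] || return 1      # tap sits on its own Linux bridge
  [ "$(master_of "qvb$id" "$2")" = "qbr$id" ] || return 1  # bridge-side veth end on the same bridge
  printf '%s\n' "$3" | grep -qx "qvo$id"                   # OVS-side veth end is a port on br-int
}

# Constructed sample data: what a correctly plumbed compute node would show.
SAMPLE_BRIDGE='7: tap1234abcd-56: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master qbr1234abcd-56 state forwarding priority 32 cost 2
8: qvb1234abcd-56: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master qbr1234abcd-56 state forwarding priority 32 cost 2'
SAMPLE_OVS='qvo1234abcd-56
int-br-ex'

# On a real host, read the sysctl Kris points at; otherwise skip that check.
if [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
  if nf_call_enabled "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)"; then
    echo "bridge-nf-call-iptables=1: security group chains can see bridged traffic"
  else
    echo "WARN: bridge-nf-call-iptables=0: security group chains will see no traffic"
  fi
fi
hybrid_plumbing_ok tap1234abcd-56 "$SAMPLE_BRIDGE" "$SAMPLE_OVS" && echo "sample plumbing OK"
```

On a live node, replace the sample strings with `$(bridge link show)` and `$(ovs-vsctl list-ports br-int)` and loop over `ip -o link show | awk -F': ' '/: tap/ {print $2}'`.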
