Hi! I'm facing the same problem, Security Groups are there, at the OVS ports (iptables rules) but, no effect.

Ubuntu 12.04.3 + Havana from Cloud Archive - Topology "Per-Tenant Router with Private Networks".

Reference: https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide/blob/OVS_MultiNode/OpenStack_Grizzly_Install_Guide.rst

Best,
Thiago

On 5 November 2013 11:57, Simon Pasquier <[email protected]> wrote:

> Hi all,
>
> I'm struggling with security groups on Havana with Neutron and OVS plugin
> (GRE tunnels). No problem to create/delete security group rules but even
> though iptables configuration is updated, traffic to my instances is never
> filtered [0].
>
> I'm running DevStack on 2 nodes (1 controller + 1 compute):
> - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
> - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
> - libvirt package version: 1.1.1-0ubuntu8~cloud2
> - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted
> at [1] (I didn't modify any of these files after the DevStack run)
>
> According to [2], [3] and [4], iptables is not compatible with TAP devices
> connected directly to Open vSwitch ports, this is why there used to be the
> additional veth + bridge interfaces [5]. But in my setup, this is not the
> case anymore as shown in [6] ('ovs-vsctl show' + 'iptables-save' output).
> I've also pasted the libvirt XML configuration [7] that shows that the
> instance is directly connected to the Open vSwitch.
>
> Are the security groups supposed to work when the instance is directly
> connected to OVS? If yes, what am I doing wrong?
>
> Regards,
>
> [0] http://paste.openstack.org/show/50490/
> [1] http://paste.openstack.org/show/50448/
> [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
> [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
> [4] http://docs.openstack.org/havana/config-reference/content/under_the_hood_openvswitch.html
> [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
> [6] http://paste.openstack.org/show/50486/
> [7] http://paste.openstack.org/show/50487/
> --
> Simon Pasquier
> Software Engineer
> Bull, Architect of an Open World
> Phone: + 33 4 76 29 71 49
> http://www.bull.com
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
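
A diagnostic for the situation described in this thread, as an added example that is not part of the original messages: it reads a libvirt domain XML and `iptables-save` output and lists the TAP devices that have per-port rules but are plugged directly into Open vSwitch. The XML, the rule lines and the device names are constructed samples, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML: one NIC plugged straight into OVS, one via a Linux bridge.
DOMAIN_XML = """<domain type='kvm'><devices>
  <interface type='bridge'>
    <source bridge='br-int'/>
    <virtualport type='openvswitch'/>
    <target dev='tap00000000-01'/>
  </interface>
  <interface type='bridge'>
    <source bridge='qbr00000000-02'/>
    <target dev='tap00000000-02'/>
  </interface>
</devices></domain>"""

# Constructed iptables-save lines using physdev matches on the TAP device names.
IPTABLES_SAVE = """\
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap00000000-01 --physdev-is-bridged -j neutron-openvswi-i00000000-0
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap00000000-02 --physdev-is-bridged -j neutron-openvswi-o00000000-0
"""

def classify_interfaces(domain_xml):
    """Map each TAP device to 'direct-ovs', 'linux-bridge' or 'other'."""
    result = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        target = iface.find("target")
        if target is None or not target.get("dev"):
            continue  # no TAP name recorded for this NIC, nothing to match on
        vport = iface.find("virtualport")
        if iface.get("type") != "bridge":
            kind = "other"
        elif vport is not None and vport.get("type") == "openvswitch":
            kind = "direct-ovs"  # TAP is an OVS port, no Linux bridge in the path
        else:
            kind = "linux-bridge"
        result[target.get("dev")] = kind
    return result

def taps_with_rules(iptables_save):
    """TAP names referenced by physdev matches in iptables-save output."""
    return set(re.findall(r"--physdev-(?:in|out)\s+(\S+)", iptables_save))

def rules_without_effect(domain_xml, iptables_save):
    """TAPs that have iptables rules but sit directly on OVS (the thread's symptom)."""
    kinds = classify_interfaces(domain_xml)
    return sorted(t for t in taps_with_rules(iptables_save) if kinds.get(t) == "direct-ovs")

if __name__ == "__main__":
    print(classify_interfaces(DOMAIN_XML))
    print("rules present, TAP directly on OVS:", rules_without_effect(DOMAIN_XML, IPTABLES_SAVE))
```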
