Hi, I've managed to set up every other component, but neutron security groups don't want to work. I have connectivity between all machines but nothing ever hits iptables rules.
I see that on compute nodes I get correct firewall rules:
:neutron-openvswi-ic2c7ef23-2 - [0:0]
:neutron-openvswi-oc2c7ef23-2 - [0:0]
:neutron-openvswi-sc2c7ef23-2 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2
-A neutron-openvswi-ic2c7ef23-2 -m state --state INVALID -j DROP
-A neutron-openvswi-ic2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ic2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ic2c7ef23-2 -s 10.3.0.4/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ic2c7ef23-2 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sc2c7ef23-2
-A neutron-openvswi-oc2c7ef23-2 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-oc2c7ef23-2 -m state --state INVALID -j DROP
-A neutron-openvswi-oc2c7ef23-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-oc2c7ef23-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-oc2c7ef23-2 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sc2c7ef23-2 -s 10.3.0.5/32 -m mac --mac-source FA:16:3E:F5:ED:16 -j RETURN
-A neutron-openvswi-sc2c7ef23-2 -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-ic2c7ef23-2
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapc2c7ef23-2d --physdev-is-bridged -j neutron-openvswi-oc2c7ef23-2
and openvswitch config also seems ok:
97e21921-f8e5-4156-8f9b-b976bc6ed278
Bridge br-int
fail_mode: secure
Port int-vm_st_mgmt
Interface int-vm_st_mgmt
....
Port "qvoc2c7ef23-2d"
tag: 4
Interface "qvoc2c7ef23-2d"
Port "qvo50e4e17b-ea"
tag: 3
Interface "qvo50e4e17b-ea"
...
and I also see it as linux bridge:
~☠ brctl show qbrc2c7ef23-2d
bridge name bridge id STP enabled interfaces
qbrc2c7ef23-2d 8000.1a3cb28c1f78 no qvbc2c7ef23-2d
tapc2c7ef23-2d
Yet no packet ever hits IPTables rules. Tunneling works fine, I can make any connection between all machines, DHCP/L3 works, I can see traffic on tap
Chain neutron-openvswi-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-openvswi-o5c1b8fd3-0 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap5c1b8fd3-04 --physdev-is-bridged
0 0 neutron-openvswi-oeece6804-f all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapeece6804-f4 --physdev-is-bridged
0 0 neutron-openvswi-oc2c7ef23-2 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapc2c7ef23-2d --physdev-is-bridged
0 0 neutron-openvswi-o50e4e17b-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap50e4e17b-ea --physdev-is-bridged
0 0 neutron-openvswi-o19204ab8-4 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap19204ab8-4d --physdev-is-bridged
0 0 neutron-openvswi-o187624fb-e all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap187624fb-e4 --physdev-is-bridged
Chain INPUT (policy ACCEPT 86M packets, 79G bytes)
pkts bytes target prot opt in out source destination
86M 79G neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
My configuration:
kernel 3.15.7-1.el6.elrepo.x86_64
☠ rpm -qa |grep -P '(nova|neutron)'
openstack-neutron-2014.1.2-1.el6.noarch
openstack-nova-compute-2014.1.1-3.el6.noarch
python-nova-2014.1.1-3.el6.noarch
python-novaclient-2.17.0-2.el6.noarch
python-neutronclient-2.3.4-1.el6.noarch
openstack-nova-common-2014.1.1-3.el6.noarch
python-neutron-2014.1.2-1.el6.noarch
openstack-neutron-openvswitch-2014.1.2-1.el6.noarch
nova.conf:
vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver # tried with legacy OVS one, didn't help
linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver
firewall_driver=nova.virt.firewall.NoopFirewallDriver
ovs_neutron_plugin:
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True
[OVS]
enable_tunneling=False
integration_bridge=br-int
local_ip=172.16.125.25
tunnel_bridge=br-tun
tunnel_type=vxlan
tenant_network_type=vxlan
tunnel_id_ranges=8192:16384
bridge_mappings=vm_st_mgmt:vm_st_mgmt
[AGENT]
polling_interval=2
tunnel_types=vxlan
neutron plugin.ini:
[ml2]
tenant_network_types = vxlan
mechanism_drivers =openvswitch,linuxbridge
[ml2_type_vxlan]
vni_ranges =8192:16384
[securitygroup]
# Controls if neutron security group is enabled or not.
# It should be false when you use nova security group.
# enable_security_group = True
enable_security_group = True
firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
I attached dumps from iptables/ovs/brctl
--
Mariusz Gronczewski, Administrator
Efigence S. A.
ul. Wołoska 9a, 02-583 Warszawa
T: [+48] 22 380 13 13
F: [+48] 22 380 13 14
E: [email protected]
bridge name bridge id STP enabled interfaces
qbr187624fb-e4 8000.cab01db6709a no qvb187624fb-e4
tap187624fb-e4
qbr19204ab8-4d 8000.e295ff2ec121 no qvb19204ab8-4d
tap19204ab8-4d
qbr50e4e17b-ea 8000.b2579b436f7f no qvb50e4e17b-ea
tap50e4e17b-ea
qbr5c1b8fd3-04 8000.26496bfc2956 no qvb5c1b8fd3-04
tap5c1b8fd3-04
qbrc2c7ef23-2d 8000.1a3cb28c1f78 no qvbc2c7ef23-2d
tapc2c7ef23-2d
qbreece6804-f4 8000.664f3633b9be no qvbeece6804-f4
tapeece6804-f4
virbr0 8000.525400873e92 yes virbr0-nic
vmbr0 8000.00215e9702b4 no bond230
97e21921-f8e5-4156-8f9b-b976bc6ed278
Bridge br-int
fail_mode: secure
Port int-vm_st_mgmt
Interface int-vm_st_mgmt
Port "qvo187624fb-e4"
tag: 5
Interface "qvo187624fb-e4"
Port "qvo5c1b8fd3-04"
tag: 4
Interface "qvo5c1b8fd3-04"
Port "qvoeece6804-f4"
tag: 3
Interface "qvoeece6804-f4"
Port "qvo19204ab8-4d"
tag: 4
Interface "qvo19204ab8-4d"
Port "qvoc2c7ef23-2d"
tag: 4
Interface "qvoc2c7ef23-2d"
Port "qvo50e4e17b-ea"
tag: 3
Interface "qvo50e4e17b-ea"
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port br-int
Interface br-int
type: internal
Bridge vm_st_mgmt
Port vm_st_mgmt
Interface vm_st_mgmt
type: internal
Port phy-vm_st_mgmt
Interface phy-vm_st_mgmt
Port "bond235"
Interface "bond235"
Bridge br-tun
Port br-tun
Interface br-tun
type: internal
Port "vxlan-ac107d0a"
Interface "vxlan-ac107d0a"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.10"}
Port "vxlan-ac107e16"
Interface "vxlan-ac107e16"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.126.22"}
Port "vxlan-ac107d16"
Interface "vxlan-ac107d16"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.22"}
Port "vxlan-ac107e15"
Interface "vxlan-ac107e15"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.126.21"}
Port "vxlan-ac107d17"
Interface "vxlan-ac107d17"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.23"}
Port "vxlan-ac107e05"
Interface "vxlan-ac107e05"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.126.5"}
Port "vxlan-ac107d15"
Interface "vxlan-ac107d15"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.21"}
Port "vxlan-ac107d0b"
Interface "vxlan-ac107d0b"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.11"}
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port "vxlan-ac107d0c"
Interface "vxlan-ac107d0c"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.12"}
Port "vxlan-ac107d18"
Interface "vxlan-ac107d18"
type: vxlan
options: {in_key=flow, local_ip="172.16.125.25", out_key=flow,
remote_ip="172.16.125.24"}
ovs_version: "1.11.0"
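
Added example (not part of the original post, and not Neutron's own code): a Python check for the symptom described above, per-port physdev rules whose counters stay at zero while the tap interface carries traffic. It parses an `iptables -L -v` listing as quoted in the post and compares it with interface counters under `/sys/class/net`. The function names are assumptions of this example, and the lookup of the `net.bridge.bridge-nf-call-iptables` sysctl (the kernel switch that decides whether bridged frames are passed to iptables) is an addition the post does not mention.

```python
import re
from pathlib import Path

# Constructed sample: a shortened copy of the `iptables -L -v` listing from the
# post, hard-wrapped the way a mail client wraps long rows.
SAMPLE = """\
Chain neutron-openvswi-INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 neutron-openvswi-oc2c7ef23-2 all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in tapc2c7ef23-2d
--physdev-is-bridged
0 0 neutron-openvswi-o50e4e17b-e all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in tap50e4e17b-ea
--physdev-is-bridged
Chain INPUT (policy ACCEPT 86M packets, 79G bytes)
pkts bytes target prot opt in out source destination
86M 79G neutron-openvswi-INPUT all -- * * 0.0.0.0/0
0.0.0.0/0
"""

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
CHAIN = re.compile(r"^Chain (\S+) \(")
RULE = re.compile(r"^\s*(\d+)([KMGT]?)\s+\d+[KMGT]?\s+(\S+)\s+(.*)$")
TAP = re.compile(r"--physdev-(?:in|out) (\S+)")


def parse_listing(text):
    """Return {chain: [{'pkts', 'target', 'match'}]}, re-joining wrapped rows."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        m = RULE.match(line)
        if m:
            current.append({"pkts": int(m.group(1)) * UNITS[m.group(2)],
                            "target": m.group(3), "match": m.group(4)})
        elif current:
            # No leading counters: continuation of the previous, wrapped rule.
            current[-1]["match"] += " " + line.strip()
    return chains


def tap_packets(tap, sys_net="/sys/class/net"):
    """rx+tx packets counted on an interface, or None if it does not exist."""
    stats = Path(sys_net) / tap / "statistics"
    if not stats.is_dir():
        return None
    return sum(int((stats / f).read_text()) for f in ("rx_packets", "tx_packets"))


def bridge_nf_call_iptables(proc="/proc/sys/net/bridge"):
    """True/False for the sysctl, None when the bridge netfilter code is not loaded."""
    path = Path(proc) / "bridge-nf-call-iptables"
    return path.read_text().strip() == "1" if path.is_file() else None


def unfiltered_taps(chains, packets=tap_packets):
    """Taps that carry traffic although none of their physdev rules ever matched."""
    hits = {}
    for rules in chains.values():
        for rule in rules:
            for tap in TAP.findall(rule["match"]):
                hits[tap] = hits.get(tap, 0) + rule["pkts"]
    return sorted(t for t, n in hits.items() if n == 0 and (packets(t) or 0) > 0)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("bridge-nf-call-iptables:", bridge_nf_call_iptables())
    print("taps with traffic but zero rule hits:", unfiltered_taps(parsed))
```

On a compute node, feed `parse_listing` the live listing instead of `SAMPLE`; a non-empty result means the security-group rules for those ports are present but not being enforced.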
