When VM security group is not chosen, the packets are still blocked by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | Gandharva | 
Bug Description
1.1 Under the test tenant, create a network:
1.2 Create router R1; R1's inner interface is attached to subnet1, and set the outer network for R1
1.3 Create VM1-1, choose subnet1, choose the default security group, and the firewall is closed
1.4 Edit the security group of VM1-1 and remove the default security group from VM1-1; now VM1-1's security group is none
1.5 VM1-1 pings the subnet1 gateway 192.168.1.1 and fails
Capturing on the tap.xxx of the Linux bridge connected to VM1-1, we can see ICMP request packets going from VM1-1 to 192.168.1.1.
Capturing on qvb.xxx, we can't see any packets.
Changed in neutron:
assignee: nobody → Gandharva (gandharva-s)
description: updated
summary:
- When VM security group is empty,the packets is still block by security group
+ When VM security group is not choose,the packets is still block by security group
description: updated
When you remove a security group from a port, the chains remain but appear to limit traffic to DHCP requests/responses and established connections only. All other ingress/egress traffic through the port is dropped by the neutron-*-sg-fallback chain. Same goes for ports that are created without a security group that are later applied to instances.
You might be interested in the ML2 port security feature in Kilo, which allows you to disable filtering and anti-spoofing on the port altogether.
I don't know much about it, but there are some details here: http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html and here: http://blog.otherwiseguy.com/trying-out-the-ml2-port-security-extension/
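The comment above explains why the reproduction in the bug description fails at the qvb side: the per-port chains stay in place and end in a jump to the neutron-*-sg-fallback chain, so a fresh ICMP echo request to 192.168.1.1 matches neither the DHCP rule nor the RELATED,ESTABLISHED rule and is dropped. The following Python script is an added example, not code from this bug report or from neutron: it parses iptables-save style rules and reports, per port chain, what is returned (permitted), what is dropped explicitly, and whether everything else lands in a fallback chain that drops. The rule set is constructed to mirror the layout the comment describes, using neutron's `neutron-openvswi-i<id>` / `neutron-openvswi-o<id>` naming; `PLACEHOLD` stands in for the port-id suffix and is not a value from this page.

```python
"""Audit what a neutron per-port iptables chain still lets through after the
port's security group has been removed, by walking iptables-save style rules.

Added example: this is not code from the bug report or from neutron itself.
The rules below are constructed to mirror the layout the comment describes
(a per-port chain whose last rule jumps to the neutron-*-sg-fallback chain,
which drops everything); PLACEHOLD stands in for the port-id suffix.
"""
import shlex

# Constructed sample in iptables-save format, not a capture from a real host.
SAMPLE_RULES = """\
-A neutron-openvswi-sg-fallback -j DROP
-A neutron-openvswi-oPLACEHOLD -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oPLACEHOLD -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-oPLACEHOLD -m state --state INVALID -j DROP
-A neutron-openvswi-oPLACEHOLD -j neutron-openvswi-sg-fallback
-A neutron-openvswi-iPLACEHOLD -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iPLACEHOLD -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-iPLACEHOLD -m state --state INVALID -j DROP
-A neutron-openvswi-iPLACEHOLD -j neutron-openvswi-sg-fallback
"""


def parse_rules(text):
    """Return {chain: [(match_tokens, target), ...]} in rule order,
    from '-A <chain> <matches> -j <target>' lines."""
    chains = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain = tokens[1]
        target = None
        match = tokens[2:]
        if "-j" in tokens:
            j = tokens.index("-j")
            match, target = tokens[2:j], tokens[j + 1]
        chains.setdefault(chain, []).append((match, target))
    return chains


def fallback_drops(chains, fallback):
    """True when the fallback chain contains an unconditional DROP."""
    return any(match == [] and target == "DROP"
               for match, target in chains.get(fallback, []))


def audit_chain(chains, chain):
    """Walk one per-port chain in order and report what it permits (RETURN),
    what it drops explicitly, and whether the remaining traffic falls into a
    fallback chain that drops it."""
    report = {"permits": [], "drops": [], "fallback": None, "default_drop": False}
    for match, target in chains.get(chain, []):
        summary = " ".join(match) or "any traffic"
        if target == "RETURN":
            report["permits"].append(summary)
        elif target == "DROP":
            report["drops"].append(summary)
        elif target and target.endswith("-sg-fallback"):
            report["fallback"] = target
            report["default_drop"] = fallback_drops(chains, target)
            if not match:
                break  # unconditional jump: later rules are never reached
    return report


def audit_port(text, suffix, prefix="neutron-openvswi-"):
    """Audit both directions of a port: 'i' is the ingress chain (towards the
    VM), 'o' the egress chain, following neutron's chain naming."""
    chains = parse_rules(text)
    return {direction: audit_chain(chains, f"{prefix}{direction}{suffix}")
            for direction in ("i", "o")}


if __name__ == "__main__":
    for direction, report in audit_port(SAMPLE_RULES, "PLACEHOLD").items():
        print(f"{direction}: permits={report['permits']} drops={report['drops']} "
              f"fallback={report['fallback']} default_drop={report['default_drop']}")
```

On a real compute node the input would be the output of `iptables-save` and the suffix the first characters of the port id as neutron uses them in chain names; the report for each direction then shows directly whether anything beyond DHCP and established flows can pass, which is the quickest way to confirm the behaviour this report describes before deciding whether to re-attach a security group or use the port security extension.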