When VM security group is not chosen, the packets are still blocked by default

Bug #1449344 reported by haoliang
Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Gandharva

Bug Description

1.1 Under the test tenant, create network net1 and subnet subnet1 with network address 192.168.1.0/24; keep the other settings at their defaults
1.2 Create router R1; connect R1's inner interface to subnet1 and set the outer network for R1
1.2 Create VM1-1, choose subnet1, choose the default security group, and the firewall is closed
1.3 Edit the security groups of VM1-1 and remove the default security group from VM1-1; now VM1-1's security group is none
1.4 VM1-1 pinging the subnet1 gateway 192.168.1.1 fails

Capturing on the tap.xxx interface of the Linux bridge connected to VM1-1, we can see the ICMP request packets going from VM1-1 to 192.168.1.1.
Capturing on qvb.xxx, we can't see any packets. Therefore the packets are denied by the security group, but no security group is chosen for VM1-1.

Gandharva (gandharva-s)
Changed in neutron:
assignee: nobody → Gandharva (gandharva-s)
description: updated
summary: - When VM security group is empty,the packets is still block by security
- group
+ When VM security group is not choose,the packets is still block by
+ security group
description: updated
James Denton (james-denton) wrote : Re: When VM security group is not choose,the packets is still block by security group

When you remove a security group from a port, the chains remain but appear to limit traffic to DHCP requests/responses and established connections only. All other ingress/egress traffic through the port is dropped by the neutron-*-sg-fallback chain. Same goes for ports that are created without a security group that are later applied to instances.

You might be interested in the ML2 port security feature in Kilo, which allows you to disable filtering and anti-spoofing on the port altogether.

I don't know much about it, but there are some details here:
http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html

and here:
http://blog.otherwiseguy.com/trying-out-the-ml2-port-security-extension/
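As an added illustration of the behaviour James describes (this is not code from the bug report or from neutron), the Python below models the per-port ingress chain that neutron's iptables firewall driver leaves behind on a port with no security group. The rule text is a constructed, simplified iptables-save excerpt that uses neutron-style chain names; the port-chain suffixes are made up, and the dispatch from neutron-openvswi-sg-chain by physdev match is omitted. It runs sample packets through a port chain and flags port chains whose only allow rules are the DHCP and established-connection defaults, which is the check an operator would run to confirm why a port with no security group still drops its traffic.

```python
"""Model of neutron's per-port iptables chains for a port with no security
group. The rules below are a constructed, simplified example in the style
of ``iptables-save`` output; chain suffixes are invented for illustration."""
import re

# Constructed sample. Port i0123456789 has had all security groups removed:
# only DHCP replies and RELATED/ESTABLISHED flows RETURN (are allowed), and
# everything else falls through to neutron-openvswi-sg-fallback, which DROPs.
# Port iabcdefabcd still has a security group rule that allows ICMP.
SAMPLE_RULES = """
-A neutron-openvswi-i0123456789 -m state --state INVALID -j DROP
-A neutron-openvswi-i0123456789 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i0123456789 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i0123456789 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-iabcdefabcd -m state --state INVALID -j DROP
-A neutron-openvswi-iabcdefabcd -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-iabcdefabcd -p icmp -j RETURN
-A neutron-openvswi-iabcdefabcd -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-iabcdefabcd -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -j DROP
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse ``-A`` lines into {chain: [rule, ...]}; unknown matchers are ignored."""
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "-A":
            continue
        rule = {"target": None, "states": None, "proto": None, "sport": None, "dport": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-j":
                rule["target"] = tok[i + 1]
                i += 2
            elif t == "--state":
                rule["states"] = set(tok[i + 1].split(","))
                i += 2
            elif t == "-p":
                rule["proto"] = tok[i + 1]
                i += 2
            elif t in ("--sport", "--dport"):
                rule[t[2:]] = int(tok[i + 1])
                i += 2
            else:
                i += 1  # -m state, -m udp, physdev options, etc.: not modelled
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """True if every matcher present on the rule agrees with the packet."""
    if rule["states"] is not None and pkt.get("state") not in rule["states"]:
        return False
    for key in ("proto", "sport", "dport"):
        if rule[key] is not None and pkt.get(key) != rule[key]:
            return False
    return True


def walk(chains, chain, pkt):
    """iptables traversal: a terminal target ends it, RETURN/fall-off yields None."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt)  # user-defined chain (e.g. sg-fallback)
        if verdict is not None:
            return verdict
    return None


def verdict_for_port(chains, port_chain, pkt):
    """Verdict for a packet entering the port's chain; PASS means it was let through."""
    verdict = walk(chains, port_chain, pkt)
    return verdict if verdict is not None else "PASS"


def is_default_allow(rule):
    """Allow rules neutron installs on every port regardless of security groups."""
    if rule["states"] and rule["states"] <= {"RELATED", "ESTABLISHED"}:
        return True
    return rule["proto"] == "udp" and rule["sport"] == 67 and rule["dport"] == 68


def ports_without_sg_rules(chains):
    """Port chains (neutron-openvswi-i*/o*) whose only allow rules are the defaults."""
    found = []
    for name, rules in chains.items():
        if not re.match(r"neutron-openvswi-[io]", name):
            continue
        allows = [r for r in rules if r["target"] in ("RETURN", "ACCEPT")]
        if all(is_default_allow(r) for r in allows):
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    chains = parse_rules(SAMPLE_RULES)
    ping = {"state": "NEW", "proto": "icmp"}  # echo request to the subnet gateway
    for port in ("neutron-openvswi-i0123456789", "neutron-openvswi-iabcdefabcd"):
        print(port, "ping ->", verdict_for_port(chains, port, ping))
    print("ports with only default allows:", ports_without_sg_rules(chains))
```

Run against real `iptables-save` output the same way: the port whose chain lists nothing but the INVALID drop, the RELATED/ESTABLISHED return, the DHCP return and the jump to the fallback chain is the one that will drop the VM's ping even though no security group is attached.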

Eugene Nikanorov (enikanorov) wrote :

It's by-design behavior, marking bug as Invalid

summary: - When VM security group is not choose,the packets is still block by
- security group
+ When VM security group is not choosen, the packets are still blocked by
+ default
summary: - When VM security group is not choosen, the packets are still blocked by
+ When VM security group is not chosen, the packets are still blocked by
default
Changed in neutron:
status: New → Invalid