Issue with security groups and floating ips on the same host

Bug #1048624 reported by Bartosz Kupidura on 2012-09-10
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Vish Ishaya

Bug Description

If we have many VMs on single compute-node, security groups with floating-ip as CIDR does not work properly.

* fixed_ip =
* floating_ip =

* fixed_ip =
* floating_ip =

Sec group:
$ nova secgroup-add-rule default tcp 22 22
$ nova secgroup-add-rule default tcp 22 22

Traffic from VM1 to VM2 float IP is dropped.

Security group chain is created in FORWARD iptables chain, and source nat (fixed_ip->float_ip) is created in postrouting -

If VMs are on different compute-nodes everythings works perfect.

Vish Ishaya (vishvananda) wrote :

Traffic from vm to vm should be going across the fixed ips always, so I'm not surprised this doesn't work. Any ideas on how we could construct the table differently to make this work? Do we need to add an output rule in addition to a FORWARD rule?

Changed in nova:
status: New → Triaged
importance: Undecided → High
importance: High → Medium
milestone: none → folsom-rc1
Vish Ishaya (vishvananda) wrote :

I'm going to try to verify this one

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
Changed in nova:
status: Triaged → In Progress

So this is actually very difficult to fix. It definitely won't be done for folsom and may not be done at all. I'm going to put this in the Folsom release notes as a known issue with the following workaround:

The recommendation is to use fixed ip cidrs or source groups. Source groups should work with floating ips as long as you specify a dmz_cidr=x.x.x.x/x for each of your floating ranges in your conf file. This will make sure that vm -> vm traffic is not snatted and the source groups should work

Changed in nova:
status: In Progress → Won't Fix
Changed in nova:
milestone: folsom-rc1 → none
summary: - Sec group CIDR problem with many VM on single physical node
+ Issue with security groups and floating ips on the same host
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers