Issue with security groups and floating ips on the same host
Bug #1048624 reported by
Bartosz Kupidura
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Won't Fix
|
Medium
|
Vish Ishaya | ||
Bug Description
If we have many VMs on single compute-node, security groups with floating-ip as CIDR does not work properly.
VM1:
* fixed_ip = 10.10.10.1
* floating_ip = 192.168.10.1
VM2:
* fixed_ip = 10.10.10.2
* floating_ip = 192.168.10.2
Sec group:
$ nova secgroup-add-rule default tcp 22 22 192.168.10.1
$ nova secgroup-add-rule default tcp 22 22 192.168.10.2
Traffic from VM1 to VM2 float IP is dropped.
Security group chain is created in FORWARD iptables chain, and source nat (fixed_
If VMs are on different compute-nodes everythings works perfect.
Revision history for this message
| Vish Ishaya (vishvananda) wrote | #1 |
| Changed in nova: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| importance: | High → Medium |
| milestone: | none → folsom-rc1 |
Revision history for this message
| Vish Ishaya (vishvananda) wrote | #2 |
| Changed in nova: | |
| assignee: | nobody → Vish Ishaya (vishvananda) |
| Changed in nova: | |
| status: | Triaged → In Progress |
Revision history for this message
| Vish Ishaya (vishvananda) wrote Re: Sec group CIDR problem with many VM on single physical node | #4 |
| Changed in nova: | |
| status: | In Progress → Won't Fix |
| Changed in nova: | |
| milestone: | folsom-rc1 → none |
| summary: |
- Sec group CIDR problem with many VM on single physical node + Issue with security groups and floating ips on the same host |
To post a comment you must log in.
Traffic from vm to vm should be going across the fixed ips always, so I'm not surprised this doesn't work. Any ideas on how we could construct the table differently to make this work? Do we need to add an output rule in addition to a FORWARD rule?