I'm using OVSHybridIptablesFirewallDriver in ovs_neutron_plugin.ini

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

But I cannot see any related rules added in iptables after restarting
neutron-openvswitch-agent.

Has anyone seen the same issue before? This is in the Juno release.
Any idea which configuration could be wrong/missing?


# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-openvswi-INPUT all -- anywhere anywhere
FWR all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-FORWARD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-OUTPUT all -- anywhere anywhere

Chain FWR (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere multiport dports 52311
ACCEPT udp -- anywhere anywhere multiport dports 52311
ACCEPT udp -- anywhere anywhere multiport dports 55400:55415
ACCEPT udp -- anywhere anywhere multiport sports 55400:55415
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable

Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-openvswi-local all -- anywhere anywhere

Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination

Chain neutron-openvswi-INPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-OUTPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-local (1 references)
target prot opt source destination

Chain neutron-openvswi-sg-chain (0 references)
target prot opt source destination

Chain neutron-openvswi-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Thanks
Jeff Feng


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
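
An added example, not part of the original post: a small parser for `iptables -L` output like the listing above, reporting which `neutron-openvswi-*` chains have zero references and which contain no rules. `SAMPLE` is an excerpt of the posted listing; the function names are hypothetical.

```python
import re

# Excerpt of the `iptables -L` listing from the post above (a few chains only).
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-FORWARD all -- anywhere anywhere

Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination

Chain neutron-openvswi-sg-chain (0 references)
target prot opt source destination

Chain neutron-openvswi-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
"""

# Header is either "Chain X (policy P)" for built-ins or "Chain X (N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)")


def parse_iptables_list(text):
    """Return {chain: {"policy", "refs", "rules"}} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            refs = int(m.group(3)) if m.group(3) is not None else None
            current = chains.setdefault(
                m.group(1), {"policy": m.group(2), "refs": refs, "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            # Any non-blank, non-header line under a chain is one rule.
            current["rules"].append(line.split())
    return chains


def summarize(chains, prefix="neutron-openvswi-"):
    """List agent chains nothing jumps to, and agent chains holding no rules."""
    agent = {n: c for n, c in chains.items() if n.startswith(prefix)}
    return {
        "unreferenced": sorted(n for n, c in agent.items() if c["refs"] == 0),
        "empty": sorted(n for n, c in agent.items() if not c["rules"]),
    }


if __name__ == "__main__":
    print(summarize(parse_iptables_list(SAMPLE)))
```

On a live host the input would be the captured text of `iptables -L`; a listing whose lines were wrapped by a mail client should be unwrapped first, since each line under a chain is counted as one rule.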
