George,

From past experience you cannot have both nova and neutron security groups enabled at the same time.

If you use nova security groups, then I believe they have the appropriate stuff in place to prevent the ARP spoofing and other associated stuff. However, if you want the ability to apply egress filtering and something else (it's been a while), then you need to use neutron security groups. If you use neutron security groups, you must disable the nova security groups. I am trying to remember the exact issue, but I remember what effectively happened is you could cause a condition in which no security groups were being enforced. I think this was because of the order of rules being applied in iptables itself: if a service was restarted (nova-compute or the neutron-openvswitch-agent) it would insert its own rules at the top of the chain ahead of the other service, which actually had the filtering rules. This would result in no filtering actually taking place. If someone has this working and I am wrong on this, please let me know what your working configuration is.

____________________________________________
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy, LLC.

On 1/9/15, 5:26 PM, "George Shuklin" <george.shuk...@gmail.com> wrote:

>On 01/09/2015 09:25 PM, Kris G. Lindgren wrote:
>> Also, if you are running this configuration you should be aware of the
>> following bug:
>>
>> https://bugs.launchpad.net/neutron/+bug/1274034
>>
>> And the corresponding fix: https://review.openstack.org/#/c/141130/
>>
>> Basically, Neutron security group rules do nothing to protect against ARP
>> spoofing/poisoning from VMs. So it's possible under a shared network
>> configuration for a VM to ARP for another VM's IP address and temporarily
>> knock that VM offline. The above commit, which is still a WIP, adds
>> ebtables rules to allow neutron to filter protocols other than IP (e.g. ARP).
>
>Thank you!
>
>I've just finished playing with private networks (as external networks) and
>started tuning the internet network. And I saw something strange when I was
>doing a pentest from one of the instances. I'm going to check each thing
>from the list in the bug description.
>
>But I thought that security groups, antispoofing and other things are
>nova-driven?
>
>
>_______________________________________________
>OpenStack-operators mailing list
>OpenStack-operators@lists.openstack.org
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
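Kris's description of one service's chain being inserted ahead of the chain that actually holds the filtering rules suggests a simple audit. The script below is an added example, not from this thread or from OpenStack: it parses `iptables-save` output and reports any chain hooked from FORWARD whose rules can never be reached because an earlier unconditional jump lands in a chain that ACCEPTs everything. The sample dump and the chain names are constructed for illustration and are not nova's or neutron's real chain names.

```python
import re
# Constructed iptables-save excerpt (chain names are made up, not nova's or neutron's):
# service A's pass-through chain has been inserted ahead of B's filtering chain.
SAMPLE_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:svc-a-FORWARD - [0:0]
:svc-b-FORWARD - [0:0]
-A FORWARD -j svc-a-FORWARD
-A FORWARD -j svc-b-FORWARD
-A svc-a-FORWARD -j ACCEPT
-A svc-b-FORWARD -m physdev --physdev-out tap1 -p tcp --dport 22 -j RETURN
-A svc-b-FORWARD -m physdev --physdev-out tap1 -j DROP
COMMIT
"""

def parse_filter_table(save_text):
    """Return {chain: [(match_options, target), ...]} for the *filter table."""
    chains, in_filter = {}, False
    for line in save_text.splitlines():
        if line.startswith('*'):
            in_filter = line == '*filter'
        elif in_filter and line.startswith(':'):
            chains.setdefault(line[1:].split()[0], [])
        elif in_filter and line.startswith('-A '):
            chain, opts, target = re.match(r'-A (\S+)(.*?)(?: -j (\S+).*)?$', line).groups()
            chains.setdefault(chain, []).append((opts.strip(), target))
    return chains

def accepts_everything(rules):
    """True if a chain's first terminating rule is an unconditional ACCEPT."""
    for opts, target in rules:
        if opts or target in ('DROP', 'REJECT', 'RETURN'):
            return False  # a conditional rule or an unconditional non-ACCEPT comes first
        if target == 'ACCEPT':
            return True
    return False  # no terminating rule: packets fall back to the parent chain

def shadowed_chains(save_text, root='FORWARD'):
    """Return (accept-all chain, [chains jumped to after it]); the latter are dead."""
    chains = parse_filter_table(save_text)
    accept_all, shadowed = None, []
    for opts, target in chains.get(root, []):
        if opts or target not in chains:
            continue  # only unconditional jumps to user-defined chains matter
        if accept_all:
            shadowed.append(target)
        elif accepts_everything(chains[target]):
            accept_all = target
    return accept_all, shadowed
```

Feed it the output of `iptables-save` on a compute node; a non-empty second element means the listed chains (and the security-group rules inside them) are never consulted.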