Thanks Kris, issue resolved after adding the below lines to sysctl.conf:

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
appreciate your help, thanks a lot again.

On Thu, Apr 21, 2016 at 8:25 PM, Kris G. Lindgren <klindg...@godaddy.com> wrote:

> Make sure that the bridges are being created (1 bridge per vm); they should
> be named close to the vm tap device name. Then make sure that you have
> bridge nf-call-* files enabled:
>
> http://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf
>
> Under hybrid mode what happens is a linux bridge (not an ovs bridge
> (brctl)) is created per vm. The vm's tap device is plugged into this
> bridge. A veth is created that spans from the vm's linux bridge to br-int
> and is plugged at both ends. This is done because older versions of OVS
> did not have support (or efficient support) for doing firewalling. The
> problem is that in the kernel, packets traversing the Open vSwitch code
> paths are unable to be hooked into by netfilter. So the linux bridge is
> created solely to allow the VM traffic to pass through a netfilter
> hookable location, so security groups work.
>
> You need at a minimum to make sure
> /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. If it's not, then
> when you look at the iptables rules that are created – you will see that
> none of the security group chains are seeing traffic.
>
> ___________________________________________________________________
> Kris Lindgren
> Senior Linux Systems Engineer
> GoDaddy
>
> From: raju <raju.r...@gmail.com>
> Date: Thursday, April 21, 2016 at 5:26 PM
> To: "openstack-operators@lists.openstack.org" <openstack-operators@lists.openstack.org>
> Subject: [Openstack-operators] Security group rules not working on instances kilo
>
> Hi,
>
> I am running into an issue where security group rules are not applying to
> instances. When I create a new security group with default rules it should
> reject all incoming traffic, but it is allowing everything without blocking.
>
> Here is my config for nova:
>
> security_group_api = neutron
> firewall_driver = nova.virt.firewall.NoopFirewallDriver
>
> and in ml2.con.ini
>
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
>
> iptables service is running on all the nodes; please suggest if I missed
> anything.
>
> Thanks.
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
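As an added example (not part of the thread), a small POSIX shell check for the failure mode Kris describes: it reports which of the three bridge-nf-call-* knobs are missing or not set to 1 (a missing file means br_netfilter is not loaded) and prints the matching sysctl.conf lines. The optional directory argument is an assumption added so the check can be exercised against a constructed directory; on a compute node it defaults to /proc/sys/net/bridge.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. With the
# OVSHybridIptablesFirewallDriver, VM traffic crosses a per-VM Linux bridge
# so netfilter can see it; if bridge-nf-call-* is 0 the security group
# chains never match a packet. This check makes that state visible.

# Print any bridge-nf-call-* knob that is absent or not set to 1.
# Returns 0 when all three are enabled, 1 otherwise.
check_bridge_nf() {
    base="${1:-/proc/sys/net/bridge}"   # directory argument is an assumption for offline use
    status=0
    for knob in bridge-nf-call-iptables bridge-nf-call-arptables bridge-nf-call-ip6tables; do
        file="$base/$knob"
        if [ ! -r "$file" ]; then
            # No file: the br_netfilter (or bridge) module is not loaded, so the
            # sysctl cannot take effect until it is.
            echo "MISSING $knob (is br_netfilter loaded?)"
            status=1
            continue
        fi
        value=$(cat "$file")
        if [ "$value" != "1" ]; then
            echo "DISABLED $knob=$value"
            status=1
        fi
    done
    return $status
}

# Emit the sysctl.conf line for every knob reported as missing or disabled,
# in the same form as the three lines added in the reply above.
sysctl_fix_lines() {
    check_bridge_nf "$1" | awk '{ sub(/=.*/, "", $2); print "net.bridge." $2 " = 1" }'
}

# Stand-alone use on a compute node (uncomment):
# check_bridge_nf && echo "bridge-nf-call-* all enabled"
```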