Hi, I checked the compute node's iptables rules and found that the nova-compute-inst-xxx chain has no traffic flow. The traffic stops at the nova-filter-top chain rule, so the security group is not working. Any idea how to resolve this problem?
Thanks, Chandler

[root@compute1 ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 714 packets, 335K bytes)
 pkts bytes target     prot opt in     out     source               destination
  369  117K nova-compute-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5900

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 779 packets, 378K bytes)
 pkts bytes target     prot opt in     out     source               destination
  437  233K nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  396  216K nova-compute-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-inst-767 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 nova-compute-provider  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       30.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     all  --  *      *       30.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0            30.0.0.5

Chain nova-compute-provider (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain nova-compute-sg-fallback (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
  396  216K nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0

2013/6/14 Chandler Li <lichandler...@gmail.com>

> Hello,
>
> I'm trying to use the security group of the Quantum OVS plugin (Folsom) in CentOS
> 6.3 (2012.2.3-1.el6@epel).
>
> Everything looks good, except the security group,
> and there are no error messages in the /var/log/nova/compute.log file.
>
> After I created a VM, I can see the bridges and interfaces have been created
> normally.
>
> [root@compute1 ~]# brctl show
> bridge name     bridge id               STP enabled     interfaces
> br-int          0000.3eca2e714b4d       no              qvo756ead5d-32
> br-tun          0000.824651aab541       no
> qbr756ead5d-32  0000.ca57ea41484c       no              qvb756ead5d-32
>                                                         vnet0
>
> The chain rules in the filter table of iptables reflect the security group
> rules correctly too.
>
> Chain nova-compute-inst-749 (1 references)
> num  target     prot opt source               destination
> 1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
> 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> 3    nova-compute-provider  all  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     udp  --  10.0.0.2             0.0.0.0/0            udp spt:67 dpt:68
> 5    ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
> 6    nova-compute-sg-fallback  all  --  0.0.0.0/0            0.0.0.0/0
>
> Obviously, the packets do not follow these rules correctly.
>
> Please advise me how to resolve this problem.
>
> Thanks a lot,
> Chandler
>
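To make the counter walk described above repeatable, here is a small added example (my own script, not part of the post or of Nova) that parses `iptables -L -v -n` output and follows the jump path FORWARD -> nova-filter-top -> nova-compute-local -> nova-compute-inst-767, reporting the first hop whose packet counter is zero. The sample input is a constructed excerpt of the counters shown in the post.

```python
# Constructed excerpt of the `iptables -L -v -n` output posted for compute1, counters as shown there.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-filter-top  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 nova-compute-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain nova-compute-inst-767 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain nova-compute-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 nova-compute-inst-767  all  --  *      *       0.0.0.0/0            30.0.0.5

Chain nova-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
  396  216K nova-compute-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates large counters

def parse_counters(text):
    """Map chain name -> [(pkts, target)] per rule, parsed from `iptables -L -v -n` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains.setdefault(current, [])  # register chains that hold no rules too
            continue
        parts = line.split()
        if current and len(parts) >= 3 and parts[0][0].isdigit():
            pkts = int(parts[0].rstrip("KMG")) * SUFFIX.get(parts[0][-1], 1)
            chains[current].append((pkts, parts[2]))
    return chains

def trace(chains, start, instance_chain):
    """Follow the first jump into a user-defined chain from `start` until `instance_chain`;
    returns [(chain, target, pkts)], where a zero pkts value marks the hop where traffic stops."""
    path, chain = [], start
    while chain != instance_chain:
        jumps = [(p, t) for p, t in chains.get(chain, []) if t in chains and t != chain]
        if not jumps:
            break
        pkts, target = jumps[0]
        path.append((chain, target, pkts))
        chain = target
    return path

def first_starved_hop(path):  # first hop whose jump counter is zero, or None
    return next(((c, t) for c, t, p in path if p == 0), None)
```

On the posted counters the first starved hop is FORWARD itself: the per-instance chain never gets a chance to match because bridged VM traffic is not entering the filter table's FORWARD chain at all, while host-originated traffic through OUTPUT is. That points at the host's bridge-to-netfilter handoff (`sysctl net.bridge.bridge-nf-call-iptables` should report 1) rather than at the security group rules themselves.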
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp