I'm using OVSHybridIptablesFirewallDriver in ovs_neutron_plugin.ini:

[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
enable_security_group = True

But I cannot see any related rules added in iptables after restarting neutron-openvswitch-agent. Has anyone seen the same issue before? This is in the Juno release. Any idea which configuration could be wrong/missed?

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-INPUT  all  --  anywhere             anywhere
FWR        all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere

Chain FWR (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 52311
ACCEPT     udp  --  anywhere             anywhere             multiport dports 52311
ACCEPT     udp  --  anywhere             anywhere             multiport dports 55400:55415
ACCEPT     udp  --  anywhere             anywhere             multiport sports 55400:55415
REJECT     tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-openvswi-local  all  --  anywhere             anywhere

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-local (1 references)
target     prot opt source               destination

Chain neutron-openvswi-sg-chain (0 references)
target     prot opt source               destination

Chain neutron-openvswi-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Thanks
Jeff Feng
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev