Stackers! I'm trying to configure my Security Groups and I'm seeing that the rules are being applied at the Compute Node OVS ports (iptables / ip6tables), BUT they have no effect (or are just being ignored?).
I'm using Ubuntu 12.04.3 + Havana from Cloud Archive. For example: I have 1 Instance with 1 Floating IP attached to it, open port is: 80. Look:

---
root@hypervisor-1:~# iptables -L neutron-openvswi-i9cf07c24-7 -nv
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
---

The problem is that the respective Instance still answers SSH to the Internet. I mean, ALL ports are OPEN!! Regardless of what I typed at its Security Groups.

I created one "Security Group", called "web", only with TCP port 80 on it, nothing more, nothing less. This Instance doesn't belong to the "default" Security Group, only "web".

Recently I've changed the *libvirt_vif_driver* from *nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver* to *nova.virt.libvirt.vif.LibvirtOpenVswitchDriver*, maybe it is the cause?!

Any tips!?

Thanks!
Thiago
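A check on the listing in the message above, as an added example that is not part of the original post: every rule in the chain, including the RELATED,ESTABLISHED one, shows 0 packets, which means no traffic has passed through the chain since its counters were last reset. The script parses `iptables -L CHAIN -nv` output and reports that condition; the function names are hypothetical and the sample text is the listing quoted in the post.

```python
import re

# Sample input: the chain listing quoted in the post.
SAMPLE = """\
Chain neutron-openvswi-i9cf07c24-7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 RETURN     udp  --  *      *       192.168.50.3         0.0.0.0/0            udp spt:67 dpt:68
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_COUNT = re.compile(r"^(\d+)([KMGT]?)$")
_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def _count(token):
    """Counters are abbreviated by -v (12K, 3M) unless -x is also passed."""
    m = _COUNT.match(token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_chain(text):
    """Return (chain_name, rules) from `iptables -L CHAIN -nv` output.

    Assumes every rule has a target, as the rules in the listing above do.
    """
    chain, rules = None, []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pkts":      # blank line or column header
            continue
        if f[0] == "Chain":
            chain = f[1]
            continue
        rules.append({"pkts": _count(f[0]), "bytes": _count(f[1]),
                      "target": f[2], "prot": f[3],
                      "src": f[7], "dst": f[8], "match": " ".join(f[9:])})
    return chain, rules


def chain_is_traversed(rules):
    """True if at least one rule in the chain has matched a packet."""
    return any(r["pkts"] > 0 for r in rules)


if __name__ == "__main__":
    name, parsed = parse_chain(SAMPLE)
    state = "has seen traffic" if chain_is_traversed(parsed) else "has seen NO traffic"
    print("%s: %d rules, chain %s" % (name, len(parsed), state))
```

To run it against a live compute node, feed it the output of the same `iptables -L <chain> -nv` command while generating traffic to the instance's floating IP.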