You need to configure firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver; unfortunately a default devstack install now configures it as firewall_driver="nova.virt.firewall.NoopFirewallDriver" when using Neutron, so this may be a devstack bug.
** Changed in: nova
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1248859

Title:
  Security groups don't work with LibvirtGenericVIFDriver driver

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  Security groups on master branch using Neutron and OVS plugin are broken. No problem to create/delete security group rules, but even though iptables configuration is updated, traffic to my instances is never filtered [0].

  I'm running DevStack on 2 nodes (1 controller + 1 compute):
  - OS: Ubuntu 12.04.3 (LTS) with the Havana cloud archive repository.
  - Open vSwitch package version: 1.10.2-0ubuntu2~cloud0
  - libvirt package version: 1.1.1-0ubuntu8~cloud2
  - localrc, nova.conf, neutron.conf and ovs_neutron_plugin.ini files pasted at [1] (I didn't modify any of these files after the DevStack run)

  According to [2], [3] and [4], iptables is not compatible with TAP devices connected directly to Open vSwitch ports; this is why there used to be the additional veth + bridge interfaces [5]. But in my setup, this is not the case anymore, as shown in [6] ('ovs-vsctl show' + 'iptables-save' output). I've also pasted the libvirt XML configuration [7] that shows that the instance is directly connected to the Open vSwitch.
  [0] http://paste.openstack.org/show/50490/
  [1] http://paste.openstack.org/show/50448/
  [2] http://www.spinics.net/linux/fedora/libvirt-users/msg05384.html
  [3] http://openvswitch.org/pipermail/discuss/2013-October/011461.html
  [4] http://docs.openstack.org/havana/configreference/content/under_the_hood_openvswitch.html
  [5] http://docs.openstack.org/havana/config-reference/content/figures/7/a/a/common/figures/under-the-hood-scenario-2-ovs-compute.png
  [6] http://paste.openstack.org/show/50486/
  [7] http://paste.openstack.org/show/50487/
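An added audit script (my own example, not code from the bug report, the commenter or Nova) that turns the two conditions raised in this thread into a check a compute-node operator can run: it reads firewall_driver from nova.conf as the comment describes, and inspects a libvirt domain XML for an interface plugged directly into Open vSwitch, the shape the reporter's paste [7] describes. The nova.conf text and domain XML below are constructed samples, not the bug's pastes.

```python
"""Audit whether Nova security groups can actually be enforced on a compute node.

Two conditions from the thread mean iptables never sees instance traffic:
nova.conf selects NoopFirewallDriver, and the instance tap is attached straight
to Open vSwitch (libvirt <virtualport type='openvswitch'/>) with no Linux
bridge (qbr*) in the path for iptables to hook.
"""
import configparser
import xml.etree.ElementTree as ET

NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"
IPTABLES_DRIVER = "nova.virt.libvirt.firewall.IptablesFirewallDriver"

def firewall_driver_from_conf(conf_text):
    """Return firewall_driver from nova.conf text, surrounding quotes stripped, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    value = cp.defaults().get("firewall_driver")  # nova.conf keeps it in [DEFAULT]
    return value.strip().strip("\"'") if value else None

def interfaces_bypassing_iptables(domain_xml):
    """Return tap device names attached directly to an OVS port (no Linux bridge)."""
    direct = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        vport = iface.find("virtualport")
        if iface.get("type") == "bridge" and vport is not None and vport.get("type") == "openvswitch":
            target = iface.find("target")
            direct.append(target.get("dev") if target is not None else "<no target dev>")
    return direct

def audit(conf_text, domain_xml):
    """Return findings explaining why security groups would not be enforced (empty if OK)."""
    findings = []
    driver = firewall_driver_from_conf(conf_text)
    if driver != IPTABLES_DRIVER:
        findings.append("firewall_driver is %r, expected %s" % (driver, IPTABLES_DRIVER))
    for tap in interfaces_bypassing_iptables(domain_xml):
        findings.append("%s is plugged directly into Open vSwitch, so iptables cannot filter it" % tap)
    return findings

# Constructed samples (not the bug's pastes): a DevStack-style nova.conf and a
# libvirt domain whose tap sits directly on br-int. Names are placeholders.
SAMPLE_NOVA_CONF = '[DEFAULT]\nfirewall_driver="nova.virt.firewall.NoopFirewallDriver"\n'
SAMPLE_DOMAIN_XML = ("<domain type='kvm'><devices><interface type='bridge'><source bridge='br-int'/>"
                     "<virtualport type='openvswitch'><parameters interfaceid='0000'/></virtualport>"
                     "<target dev='tapaaaaaaaa-aa'/></interface></devices></domain>")

if __name__ == "__main__":
    for line in audit(SAMPLE_NOVA_CONF, SAMPLE_DOMAIN_XML) or ["security groups should be enforced"]:
        print(line)
```

On a real node, feed it the contents of /etc/nova/nova.conf and the output of `virsh dumpxml <instance>`; an empty result means both the driver and the hybrid bridge plumbing are in place.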