Neutron has commands for updating security groups:
```
#security-group-create         Create a security group.
#security-group-delete         Delete a given security group.
#security-group-list           List security groups that belong to a given tenant.
#security-group-rule-create    Create a security group rule.
#security-group-rule-delete    Delete a given security group rule.
#security-group-rule-list      List security group rules that belong to a given tenant.
#security-group-rule-show      Show information of a given security group rule.
#security-group-show           Show information of a given security group.
#security-group-update         Update a given security group.
```
To update the default security group in Neutron, you create or delete rules in that default security group:
```
# neutron security-group-rule-create
# neutron security-group-rule-delete
```
However, after creating a new security group you will find two strange rules in it:
```
[root@pipa draft]# neutron security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+--------+
| id                                   | security_group | direction | ethertype | port/protocol | remote |
+--------------------------------------+----------------+-----------+-----------+---------------+--------+
| 64fca11e-8e64-4912-bbbf-473f56ffd251 | ext_if_sg_001  | egress    | IPv6      | any           | any    |
| 6ed054c0-006c-42b5-94bf-220fcc4f958c | ext_if_sg_001  | egress    | IPv4      | any           | any    |
...
```
```
Created a new security_group:
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Field                | Value                                                                                                                                |
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| description          |                                                                                                                                      |
| id                   | cdf9f705-cd32-4e0e-a5fd-cba528b77b16                                                                                                 |
| name                 | ext_if_sg_001                                                                                                                        |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv4", "remote_ip_prefix": null, |
|                      | "port_range_max": null, "security_group_id": "cdf9f705-cd32-4e0e-a5fd-cba528b77b16", "port_range_min": null, "tenant_id":            |
|                      | "ae4bdf335c9f4586bbfff73da9cda512", "id": "6ed054c0-006c-42b5-94bf-220fcc4f958c"}                                                    |
|                      | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv6", "remote_ip_prefix": null, |
|                      | "port_range_max": null, "security_group_id": "cdf9f705-cd32-4e0e-a5fd-cba528b77b16", "port_range_min": null, "tenant_id":            |
|                      | "ae4bdf335c9f4586bbfff73da9cda512", "id": "64fca11e-8e64-4912-bbbf-473f56ffd251"}                                                    |
| tenant_id            | ae4bdf335c9f4586bbfff73da9cda512                                                                                                     |
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------+
```
This bug is hardcoded in the Python code (as usual, LOL):
```python
... securitygroups_db.py ...
for ethertype in ext_sg.sg_supported_ethertypes:
    if default_sg:
        # Allow intercommunication
        ingress_rule = sg_obj.SecurityGroupRule(
            context,
            id=uuidutils.generate_uuid(),
            project_id=tenant_id,
            security_group_id=sg.id,
            direction='ingress',
            ethertype=ethertype,
            remote_group_id=sg.id)
        ingress_rule.create()
        sg.rules.append(ingress_rule)

    # The egress rule is created for every security group, not only the
    # default one, and once per supported ethertype (IPv4 and IPv6).
    egress_rule = sg_obj.SecurityGroupRule(
        context,
        id=uuidutils.generate_uuid(),
        project_id=tenant_id,
        security_group_id=sg.id,
        direction='egress',
        ethertype=ethertype)
    egress_rule.create()
    sg.rules.append(egress_rule)
...
```
So it is because of this that, after creating a security group from scratch, you see the two strange rules, and they WILL NOT BE in the resulting iptables rules of a new VM!
```
-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -j neutron-linuxbri-scope
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-INPUT -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-o60484e21-c
-A neutron-linuxbri-i60484e21-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i60484e21-c -m state --state INVALID -j DROP
-A neutron-linuxbri-i60484e21-c -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o60484e21-c -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o60484e21-c -j neutron-linuxbri-s60484e21-c
-A neutron-linuxbri-o60484e21-c -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o60484e21-c -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-A neutron-linuxbri-o60484e21-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o60484e21-c -j RETURN
-A neutron-linuxbri-o60484e21-c -m state --state INVALID -j DROP
-A neutron-linuxbri-o60484e21-c -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-s60484e21-c -s 122.11.34.18/32 -m mac --mac-source FA:16:3E:2A:94:5C -j RETURN
-A neutron-linuxbri-s60484e21-c -j DROP
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-i60484e21-c
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-o60484e21-c
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -j DROP
```
In the present implementation of Neutron there is only one way: remove these rules and create normal, working rules instead.
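One way to script that cleanup, as an added example that is not part of the post or of Neutron itself: it takes a security group in the shape `neutron security-group-create` prints above, picks out the auto-created allow-all egress rules (and only those, so the default group's ingress intercommunication rule is untouched) and emits the delete and create commands. The ids and the replacement rule list are constructed placeholders; the CLI flags are the neutron client's own.

```python
# Added example (not from the post or from Neutron): find the auto-created
# allow-all egress rules in a security group and emit the neutron CLI commands
# that delete them and create explicit egress rules instead.

# Every one of these fields is null on the rule Neutron adds per ethertype.
AUTO_EGRESS_KEYS = ("protocol", "remote_ip_prefix", "remote_group_id",
                    "port_range_min", "port_range_max")


def is_auto_egress_rule(rule):
    """True for the unrestricted egress rule; ingress rules (e.g. the
    default group's remote_group_id rule) are never matched."""
    return (rule.get("direction") == "egress"
            and all(rule.get(k) is None for k in AUTO_EGRESS_KEYS))


def plan_cleanup(sg, wanted_egress):
    """Return (delete_cmds, create_cmds) as neutron CLI command strings."""
    delete_cmds = ["neutron security-group-rule-delete %s" % r["id"]
                   for r in sg["security_group_rules"]
                   if is_auto_egress_rule(r)]
    create_cmds = [
        "neutron security-group-rule-create --direction egress"
        " --ethertype %s --protocol %s --port-range-min %d"
        " --port-range-max %d --remote-ip-prefix %s %s"
        % (w["ethertype"], w["protocol"], w["port"], w["port"],
           w["prefix"], sg["id"])
        for w in wanted_egress]
    return delete_cmds, create_cmds


# Constructed sample with placeholder ids, mirroring the post's output.
SAMPLE_SG = {
    "id": "SG-ID-PLACEHOLDER",
    "name": "ext_if_sg_001",
    "security_group_rules": [
        {"id": "RULE-V4-PLACEHOLDER", "direction": "egress", "ethertype": "IPv4",
         "protocol": None, "remote_ip_prefix": None, "remote_group_id": None,
         "port_range_min": None, "port_range_max": None},
        {"id": "RULE-V6-PLACEHOLDER", "direction": "egress", "ethertype": "IPv6",
         "protocol": None, "remote_ip_prefix": None, "remote_group_id": None,
         "port_range_min": None, "port_range_max": None},
    ],
}
# Replacement policy (constructed): only HTTPS out over IPv4.
WANTED = [{"ethertype": "IPv4", "protocol": "tcp", "port": 443,
           "prefix": "0.0.0.0/0"}]

if __name__ == "__main__":
    print("\n".join(sum(plan_cleanup(SAMPLE_SG, WANTED), [])))
```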