OpenStack Neutron: How to change the default security rules in neutron during creation of group?

Neutron has commands for updating security groups:

  #security-group-create             Create a security group.
  #security-group-delete             Delete a given security group.
  #security-group-list               List security groups that belong to a given tenant.
  #security-group-rule-create        Create a security group rule.
  #security-group-rule-delete        Delete a given security group rule.
  #security-group-rule-list          List security group rules that belong to a given tenant.
  #security-group-rule-show          Show information of a given security group rule.
  #security-group-show               Show information of a given security group.
  #security-group-update             Update a given security group.

To update the default security group in Neutron, you create or delete rules in it:

# neutron security-group-rule-create
# neutron security-group-rule-delete

However, after creating a new security group you will find two strange rules in it:

[root@pipa draft]# neutron security-group-rule-list
+---------------+-----------------+-----------+-----------+---------------+------------------+
| id            | security_group  | direction | ethertype | port/protocol | remote           |
+---------------+-----------------+-----------+-----------+---------------+------------------+
| 64fca11e-8e64-4912-bbbf-473f56ffd251 | ext_if_sg_001   | egress    | IPv6      | any           | any              |
| 6ed054c0-006c-42b5-94bf-220fcc4f958c | ext_if_sg_001   | egress    | IPv4      | any           | any              |
...
Created a new security_group:
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| Field                | Value                                                                                                                                         |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+
| description          |                                                                                                                                               |
| id                   | cdf9f705-cd32-4e0e-a5fd-cba528b77b16                                                                                                          |
| name                 | ext_if_sg_001                                                                                                                                 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv4", "remote_ip_prefix": null,          |
|                      | "port_range_max": null, "security_group_id": "cdf9f705-cd32-4e0e-a5fd-cba528b77b16", "port_range_min": null, "tenant_id":                     |
|                      | "ae4bdf335c9f4586bbfff73da9cda512", "id": "6ed054c0-006c-42b5-94bf-220fcc4f958c"}                                                             |
|                      | {"remote_group_id": null, "direction": "egress", "protocol": null, "description": "", "ethertype": "IPv6", "remote_ip_prefix": null,          |
|                      | "port_range_max": null, "security_group_id": "cdf9f705-cd32-4e0e-a5fd-cba528b77b16", "port_range_min": null, "tenant_id":                     |
|                      | "ae4bdf335c9f4586bbfff73da9cda512", "id": "64fca11e-8e64-4912-bbbf-473f56ffd251"}                                                             |
| tenant_id            | ae4bdf335c9f4586bbfff73da9cda512                                                                                                              |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------+

This bug is hard-coded in the Python scripts (as usual, LOL):

...
securitygroups_db.py
...

            for ethertype in ext_sg.sg_supported_ethertypes:   # IPv4 and IPv6
                if default_sg:
                    # Allow intercommunication
                    ingress_rule = sg_obj.SecurityGroupRule(
                        context, id=uuidutils.generate_uuid(),
                        project_id=tenant_id, security_group_id=sg.id,
                        direction='ingress', ethertype=ethertype,
                        remote_group_id=sg.id)
                    ingress_rule.create()
                    sg.rules.append(ingress_rule)

                # Every group, default or not, gets one unrestricted egress rule
                # per ethertype: no protocol, no port range, no remote prefix.
                egress_rule = sg_obj.SecurityGroupRule(
                    context, id=uuidutils.generate_uuid(),
                    project_id=tenant_id, security_group_id=sg.id,
                    direction='egress', ethertype=ethertype)
                egress_rule.create()
                sg.rules.append(egress_rule)
...

So, precisely because of this, after creating a security group from scratch you will see two strange rules, and they WILL NOT BE present in the resulting iptables rules of the new VM!

-A neutron-filter-top -j neutron-linuxbri-local
-A neutron-linuxbri-FORWARD -j neutron-linuxbri-scope
-A neutron-linuxbri-FORWARD -m physdev --physdev-out tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-FORWARD -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-sg-chain
-A neutron-linuxbri-INPUT -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-o60484e21-c
-A neutron-linuxbri-i60484e21-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-i60484e21-c -m state --state INVALID -j DROP
-A neutron-linuxbri-i60484e21-c -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-o60484e21-c -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o60484e21-c -j neutron-linuxbri-s60484e21-c
-A neutron-linuxbri-o60484e21-c -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-linuxbri-o60484e21-c -p udp -m udp --sport 67 -m udp --dport 68 -j DROP
-A neutron-linuxbri-o60484e21-c -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-linuxbri-o60484e21-c -j RETURN
-A neutron-linuxbri-o60484e21-c -m state --state INVALID -j DROP
-A neutron-linuxbri-o60484e21-c -j neutron-linuxbri-sg-fallback
-A neutron-linuxbri-s60484e21-c -s 122.11.34.18/32 -m mac --mac-source FA:16:3E:2A:94:5C -j RETURN
-A neutron-linuxbri-s60484e21-c -j DROP
-A neutron-linuxbri-sg-chain -m physdev --physdev-out tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-i60484e21-c
-A neutron-linuxbri-sg-chain -m physdev --physdev-in tap60484e21-c6 --physdev-is-bridged -j neutron-linuxbri-o60484e21-c
-A neutron-linuxbri-sg-chain -j ACCEPT
-A neutron-linuxbri-sg-fallback -j DROP

In the present implementation of Neutron there is only one way: remove these rules and create the normal active rules yourself.
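As an added example (not part of the original post), the script below turns the rule listing above into an actionable plan: it picks out the allow-everything egress rules of a named group from `neutron security-group-rule-list` output and prints the neutron commands that delete them and add an explicit egress allow list in their place. The rule table is a constructed sample built from the listing above plus two extra rows; the group name, the DNS/HTTPS replacement policy and the decision to only print the commands are assumptions, while the flags are the standard neutronclient options.

```shell
#!/bin/sh
# Added example: locate the default allow-all egress rules that Neutron adds to
# every new security group and print the CLI commands that replace them.

# Constructed sample of `neutron security-group-rule-list` output: the two rules
# from the post, plus an ingress rule and a rule of another group that must be kept.
SAMPLE_RULE_LIST='+----+----+----+----+----+----+
| id            | security_group  | direction | ethertype | port/protocol | remote           |
+----+----+----+----+----+----+
| 64fca11e-8e64-4912-bbbf-473f56ffd251 | ext_if_sg_001   | egress    | IPv6      | any           | any              |
| 6ed054c0-006c-42b5-94bf-220fcc4f958c | ext_if_sg_001   | egress    | IPv4      | any           | any              |
| 11111111-2222-4333-8444-555555555555 | ext_if_sg_001   | ingress   | IPv4      | 22/tcp        | 10.0.0.0/24      |
| 66666666-7777-4888-8999-000000000000 | other_sg        | egress    | IPv4      | any           | any              |
+----+----+----+----+----+----+'

# default_egress_rule_ids GROUP: read a rule-list table on stdin and print, one per
# line, the ids of GROUP's egress rules that match any port/protocol and any remote.
default_egress_rule_ids() {
    awk -F'|' -v sg="$1" '
        NF >= 8 {
            for (i = 2; i <= 7; i++) gsub(/^ +| +$/, "", $i)   # trim cell padding
            if ($3 == sg && $4 == "egress" && $6 == "any" && $7 == "any") print $2
        }'
}

# plan_egress_lockdown GROUP: read the table on stdin and print (not run) the
# commands that drop the default egress rules and allow only DNS and HTTPS out.
# Review the output, then pipe it into sh to apply it.
plan_egress_lockdown() {
    sg="$1"
    for id in $(default_egress_rule_ids "$sg"); do
        echo "neutron security-group-rule-delete $id"
    done
    for proto_port in "udp 53" "tcp 443"; do   # assumed replacement egress policy
        set -- $proto_port
        echo "neutron security-group-rule-create --direction egress --ethertype IPv4" \
             "--protocol $1 --port-range-min $2 --port-range-max $2 $sg"
    done
}

printf '%s\n' "$SAMPLE_RULE_LIST" | plan_egress_lockdown ext_if_sg_001
```

In a live deployment, replace the sample with `neutron security-group-rule-list | plan_egress_lockdown GROUP` and extend the policy loop with an IPv6 variant if the group is used on dual-stack networks.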
