how security group is implemented

Asked by Shi Jin on 2011-05-05

Hi there,

I thought this would be a straightforward thing to find out, but it turned out not to be.
I created a security group to allow ssh and http and ran an instance with it.
On its physical host, I see the following proper iptables rules

Chain nova-compute-inst-20 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.253.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.253.0/24 anywhere
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:http
nova-compute-sg-fallback all -- anywhere anywhere

The libvirt XML shows
<interface type='bridge'>
      <mac address='02:16:3e:05:67:78'/>
      <source bridge='br2'/>
      <target dev='vnet2'/>
      <filterref filter='nova-instance-instance-00000014-02163e056778'>
        <parameter name='DHCPSERVER' value='192.168.253.1'/>
        <parameter name='IP' value='192.168.253.3'/>
      </filterref>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

So I went to look at its nwfilter
[root@node5 ~]# virsh nwfilter-dumpxml nova-instance-instance-00000014-02163e056778
<filter name='nova-instance-instance-00000014-02163e056778' chain='root'>
  <uuid>261d6e67-4be9-c400-4908-ea648cda5ef5</uuid>
  <filterref filter='nova-base'/>
</filter>

It references the nova-base nwfilter, which is
[root@node5 nwfilter]# virsh nwfilter-dumpxml nova-base
<filter name='nova-base' chain='root'>
  <uuid>35ec003d-48aa-f747-8fc5-83cb453ea43a</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>

But where are my custom rules allowing port 22 and 80? I haven't seen them anywhere, but it apparently worked.
Is it run directly by iptables, without using the libvirt nwfilter?
I would assume it is a natural way to directly use nwfilter for security groups, right?

Thanks.
Shi

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee
Last query: 2011-05-05
Last reply: 2011-05-06
Vish Ishaya (vishvananda) said: #1

There are two different drivers for security group rules (set by the --firewall_driver flag).
The default driver uses iptables directly.
The nwfilter driver does the configuration through nwfilter.

The nwfilter driver was created first, but we switched to the other by default because it has a couple of issues:
1) it often blocks for a long time inside of libvirt, especially once a large number of rules have been defined
2) due to a change in support for physdev device match, there are certain networking setups where the rules are bypassed

(There may have been other issues as well that I'm not remembering)

Vish


Soren Hansen (soren) said: #2

Even if you're using the iptables driver, nwfilter is still used for a
few basic things like mac/ip/arp spoofing protection, though. Other
than that, Vish is absolutely correct.
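An added example that ties the two answers together (it is not code from this thread, from nova or from libvirt; the function names are my own and the two sample inputs are constructed from the iptables chain and the virsh nwfilter-dumpxml output pasted in the question). It shows, from the host side, where a security group's port rules actually live when the iptables driver is in use: the per-instance iptables chain carries the ACCEPT rules for port 22 and 80, while the per-instance nwfilter only references nova-base, which in turn references libvirt's spoofing-protection filters and contains no port rules at all. The helpers also flag any opening that is reachable from anywhere, which is the first thing to check when auditing a security group.

```python
"""Audit a nova per-instance iptables chain and resolve libvirt nwfilter
references.  Added example; not nova or libvirt code.  Sample inputs are
constructed from the output shown in the question above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the `iptables -L nova-compute-inst-20` output from the question.
SAMPLE_CHAIN = """\
Chain nova-compute-inst-20 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- 192.168.253.1 anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.253.0/24 anywhere
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:ssh
ACCEPT tcp -- 192.168.2.0/24 anywhere tcp dpt:http
nova-compute-sg-fallback all -- anywhere anywhere
"""

# Constructed sample: the two nwfilter definitions dumped with virsh in the
# question.  libvirt's built-in filters (no-mac-spoofing etc.) are not
# included, so the resolver treats them as leaves.
SAMPLE_FILTERS = {
    "nova-instance-instance-00000014-02163e056778": """\
<filter name='nova-instance-instance-00000014-02163e056778' chain='root'>
  <uuid>261d6e67-4be9-c400-4908-ea648cda5ef5</uuid>
  <filterref filter='nova-base'/>
</filter>""",
    "nova-base": """\
<filter name='nova-base' chain='root'>
  <uuid>35ec003d-48aa-f747-8fc5-83cb453ea43a</uuid>
  <filterref filter='no-mac-spoofing'/>
  <filterref filter='no-ip-spoofing'/>
  <filterref filter='no-arp-spoofing'/>
  <filterref filter='allow-dhcp-server'/>
</filter>""",
}

# target prot opt source destination [extra match text]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_chain(text):
    """Parse one chain of `iptables -L` output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, prot, _opt, src, dst, extra = m.groups()
        dpt = re.search(r"dpt:(\S+)", extra)
        rules.append({"target": target, "prot": prot, "src": src, "dst": dst,
                      "extra": extra.strip(), "dport": dpt.group(1) if dpt else None})
    return rules


def security_group_openings(rules):
    """Return (source, proto, dport) for every ACCEPT with a destination port,
    excluding the DHCP reply rule: these are the security-group rules."""
    return [(r["src"], r["prot"], r["dport"]) for r in rules
            if r["target"] == "ACCEPT" and r["dport"] not in (None, "bootpc")]


def world_open(openings):
    """Openings reachable from any source ('anywhere' is how `iptables -L`
    prints 0.0.0.0/0 when run without -n)."""
    return [o for o in openings if o[0] in ("anywhere", "0.0.0.0/0")]


def resolve_filter_refs(filters, name, seen=None):
    """Flatten the <filterref> graph rooted at `name` into the set of filter
    names that apply to the interface; unknown names are treated as leaves."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    xml = filters.get(name)
    if xml is not None:
        for ref in ET.fromstring(xml).findall("filterref"):
            resolve_filter_refs(filters, ref.get("filter"), seen)
    return seen


def has_port_rules(filters, name):
    """True if any filter reachable from `name` carries an explicit <rule>.
    With the iptables driver the answer is False: the port rules are in the
    iptables chain, not in nwfilter."""
    return any(ET.fromstring(filters[f]).findall("rule")
               for f in resolve_filter_refs(filters, name) if f in filters)


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_CHAIN)
    openings = security_group_openings(rules)
    print("security-group openings:", openings)
    print("reachable from anywhere:", world_open(openings))
    inst = "nova-instance-instance-00000014-02163e056778"
    print("nwfilters applied:", sorted(resolve_filter_refs(SAMPLE_FILTERS, inst)))
    print("nwfilter carries port rules:", has_port_rules(SAMPLE_FILTERS, inst))
```

Run against real output by piping `iptables -L <instance chain>` into parse_chain and feeding `virsh nwfilter-dumpxml` results into the filter map; on a host using the nwfilter driver instead, has_port_rules would be expected to return True and the iptables chain would not carry the per-group ACCEPT lines.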
