How security groups work from one ls to another in OVN
I deployed OVN with OpenStack. The VMs are associated with the default security group.
situation 1:
If I connect ls1 (network1) to ls2 (network2) by router1, everything goes fine.
situation 2:
If I set ls1 as the external network of router1 and connect ls2 to router1 as an internal network, then when ls1 (network1, which is the external network) connects to ls2 (network2, which is the internal network), traffic fails. If I add ls1 to the security group, everything goes fine.
I do not know the difference between situation 1 and situation 2. Can you give me some explanation?
Question information
- Language: English
- Status: Solved
- Assignee: No assignee
- Solved by: Numan Siddique
#1
Hi Taoyunxiang,
Can you please highlight the differences with some examples? i.e. in both scenarios, which commands are you using, how are you testing connectivity, etc.
As port security is handled per port, if the ports belong to the same security group, it should not matter whether the logical switch has a localnet port or not, I believe, and then it's clearly a bug.
Thanks,
Daniel
#2
If you have an ML2/OVS setup handy, is it possible to try out the same test and provide the results?
I think the security group has remote_group_id set.
As Daniel mentioned, can you please also share the output of "openstack security group show ..." so we can see the rules?
Thanks
Numan
#4
I will show the commands I used.
situation 1:
#nova list
vm1 | ACTIVE | - | Running | net2=192.168.3.9, 10.142.18.25
Then I have a physical machine server1, which is 10.142.18.11.
192.168.3.9 to 10.142.18.11 can pass, but the reverse cannot pass.
situation 2:
#nova list
vm1 | ACTIVE | - | Running | net1=192.168.5.5
vm2 | ACTIVE | - | Running | net2=192.168.6.6
192.168.5.5 to 192.168.6.6 can pass, and the reverse can also pass.
#6
For situation 1, the ovn-trace result is as follows:
[root@ovn1 ~]# ovn-trace vlan786 'inport == "provnet-
# icmp,reg14=
ingress(
-------
0. ls_in_port_sec_l2 (ovn-northd.
next;
3. ls_in_pre_acl (ovn-northd.
next;
11. ls_in_arp_rsp (ovn-northd.
next;
16. ls_in_l2_lkup (ovn-northd.
outport = "7a4778";
output;
egress(
-------
1. ls_out_pre_acl (ovn-northd.
next;
9. ls_out_port_sec_l2 (ovn-northd.
output;
/* output to "7a4778", type "patch" */
ingress(
-------
0. lr_in_admission (ovn-northd.
next;
3. lr_in_unsnat (ovn-northd.
ct_snat;
ct_snat /* assuming no un-snat entry, so no change */
-------
4. lr_in_dnat (ovn-northd.
ct_
ct_dnat(
-------
7. lr_in_ip_routing (ovn-northd.
ip.ttl--;
reg0 = ip4.dst;
reg1 = 192.168.3.1;
eth.src = fa:16:3e:07:f0:dd;
outport = "lrp-2b02ae";
flags.loopback = 1;
next;
8. lr_in_arp_resolve (ovn-northd.
eth.dst = fa:16:3e:4f:96:f3;
next;
10. lr_in_arp_request (ovn-northd.
output;
egress(
-------
3. lr_out_delivery (ovn-northd.
output;
/* output to "lrp-2b02ae", type "patch" */
ingress(
-------
0. ls_in_port_sec_l2 (ovn-northd.
next;
3. ls_in_pre_acl (ovn-northd.
next;
16. ls_in_l2_lkup (ovn-northd.
outport = "fb1925";
output;
egress(
-------
1. ls_out_pre_acl (ovn-northd.
reg0[0] = 1;
next;
2. ls_out_pre_stateful (ovn-northd.
ct_next;
ct_next(
-------
4. ls_out_acl (ovn-northd.
ct_
#7
For situation 1,
when I create a new security group which passes 10.142.18.0/24 and associate it with the VM, traffic goes.
I do not know the difference between situation 1 and situation 2 with respect to the security group.
#8
[root@controller1 ~]# openstack security group show e6023b9b-
+------
| Field | Value |
+------
| created_at | 2019-04-
| description | Default security group |
| id | e6023b9b-
| name | default |
| project_id | e9346688171a407
| revision_number | 4 |
| rules | created_
| | created_
| | created_
| | created_
| updated_at | 2019-04-
+------
#9
I think situation 1 is working as expected. Any traffic originating from the VM will be allowed. But any traffic destined to the VM will be dropped if there is no security group rule to allow it.
I think situation 2 is working because both your VMs - vm1 (192.168.5.5) and vm2 (192.168.6.6) - have the same security group.
If you see the below
***
| | created_
*****
notice that remote_group_id is set. This means it will allow traffic from any port which belongs to the security group 'e6023b9b-
In scenario 1, your physical machine with IP 10.142.18.11 obviously is not part of the security group 'e6023b9b-
To confirm whether what I said is correct, I would suggest you change the security group of the vm2 port to a different one. Maybe you can create your own new security group and associate it with the vm2 port.
Please test it out and let me know how it goes.
Thanks
Numan
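The behaviour Numan describes can be checked with a small model of how a Neutron security group with a remote_group_id rule is evaluated. This is an added example, not OVN or Neutron code: the group ids are placeholders, the ports and addresses are the ones from the thread, and the evaluation is simplified to the points that matter here (a remote_group_id rule matches only source addresses that belong to a port in that group, which OVN realises as an address set; a remote_ip_prefix rule matches a subnet; egress in the default group is open; replies to an accepted flow return through conntrack and are not re-filtered; a bare-metal host with no Neutron port has no filter at all).

```python
"""Model of security-group evaluation with remote_group_id (added example,
not Neutron/OVN code). Group ids below are placeholders, not real UUIDs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None          # None matches any protocol
    remote_ip_prefix: Optional[str] = None  # match a subnet ...
    remote_group_id: Optional[str] = None   # ... or members of a group


@dataclass
class SecurityGroup:
    id: str
    rules: list


@dataclass(frozen=True)
class Port:
    name: str
    ip: str
    security_groups: tuple  # group ids attached to the port


def default_like_group(gid):
    """Rules Neutron creates for a fresh group: all egress allowed, ingress
    only from ports that are themselves members of this group."""
    return SecurityGroup(gid, [
        Rule("egress", "IPv4"), Rule("egress", "IPv6"),
        Rule("ingress", "IPv4", remote_group_id=gid),
        Rule("ingress", "IPv6", remote_group_id=gid),
    ])


class Fabric:
    def __init__(self, groups, ports):
        self.groups = {g.id: g for g in groups}
        self.ports = {p.ip: p for p in ports}

    def group_members(self, gid):
        # OVN builds an address set from the IPs of every port in the group
        return {ip for ip, p in self.ports.items() if gid in p.security_groups}

    def rule_matches(self, rule, direction, remote_ip, protocol):
        addr = ipaddress.ip_address(remote_ip)
        if rule.direction != direction:
            return False
        if rule.ethertype != ("IPv4" if addr.version == 4 else "IPv6"):
            return False
        if rule.protocol not in (None, protocol):
            return False
        if rule.remote_ip_prefix is not None:
            return addr in ipaddress.ip_network(rule.remote_ip_prefix)
        if rule.remote_group_id is not None:
            return remote_ip in self.group_members(rule.remote_group_id)
        return True  # no remote restriction at all

    def port_allows(self, port, direction, remote_ip, protocol):
        return any(self.rule_matches(r, direction, remote_ip, protocol)
                   for gid in port.security_groups
                   for r in self.groups[gid].rules)

    def new_connection_allowed(self, src_ip, dst_ip, protocol="icmp"):
        """A fresh flow src -> dst: the sender's port is checked on egress,
        the receiver's on ingress; an address without a Neutron port (the
        bare-metal host) is unfiltered. Replies ride on conntrack."""
        src, dst = self.ports.get(src_ip), self.ports.get(dst_ip)
        if src and not self.port_allows(src, "egress", dst_ip, protocol):
            return False
        if dst and not self.port_allows(dst, "ingress", src_ip, protocol):
            return False
        return True


def scenarios():
    DEFAULT = "sg-default"  # stands in for the page's default group id
    out = {}
    # situation 1: vm1 on net2, server1 is a physical host with no port
    f = Fabric([default_like_group(DEFAULT)],
               [Port("vm1", "192.168.3.9", (DEFAULT,))])
    out["s1 vm1->server1"] = f.new_connection_allowed("192.168.3.9", "10.142.18.11")
    out["s1 server1->vm1"] = f.new_connection_allowed("10.142.18.11", "192.168.3.9")
    # comment #7: extra group that passes the provider subnet
    prov = SecurityGroup("sg-prov", [Rule("ingress", remote_ip_prefix="10.142.18.0/24")])
    f = Fabric([default_like_group(DEFAULT), prov],
               [Port("vm1", "192.168.3.9", (DEFAULT, "sg-prov"))])
    out["s1 server1->vm1 +prefix"] = f.new_connection_allowed("10.142.18.11", "192.168.3.9")
    # situation 2: both VMs in the default group
    vm1, vm2 = Port("vm1", "192.168.5.5", (DEFAULT,)), Port("vm2", "192.168.6.6", (DEFAULT,))
    f = Fabric([default_like_group(DEFAULT)], [vm1, vm2])
    out["s2 vm1->vm2"] = f.new_connection_allowed("192.168.5.5", "192.168.6.6")
    out["s2 vm2->vm1"] = f.new_connection_allowed("192.168.6.6", "192.168.5.5")
    # comment #10: vm2 moved to its own (default-like) group
    vm2 = Port("vm2", "192.168.6.6", ("sg-vm2",))
    f = Fabric([default_like_group(DEFAULT), default_like_group("sg-vm2")], [vm1, vm2])
    out["s2 vm2(sg-vm2)->vm1"] = f.new_connection_allowed("192.168.6.6", "192.168.5.5")
    return out


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:28} {'pass' if v else 'DROP'}")
```

The model reproduces the thread: the VM can reach the physical host but not the reverse, a remote_ip_prefix rule for 10.142.18.0/24 opens it, two VMs in the same group reach each other in both directions, and moving vm2 to a different group cuts it off again because it is no longer in the address set the remote_group_id rule of vm1's group refers to.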
#10
Hi Numan,
Thanks for your reply, I have got it.
And I finished the test as you said: when I change the security group of vm2 to another one, it cannot connect to vm1.
Thanks,
Yun
#11
Thanks Numan Siddique, that solved my question.