Analysis of firewall rules in Openstack

Analysis of firewall rules in Openstack

Last week, I spent a few days studying the Openstack Security Group firewall rules and summarized the results of last week.

1. Introduce my environment.

Operating System: RHEL6.4 + Openstack official Kernel

Openstack version: Havana

Network Mode: ML2 + Linuxbridge

Tenant Network: VLAN

Ii. Iptables Flow Direction

 INPUT neutron-linuxbri-INPUT neutron-linuxbri-o45d1d6e0-d neutron-linuxbri-s45d1d6e0-d neutron-linuxbri-sg-fallback OUTPUT neutron-filter-top neutron-linuxbri-local neutron-linuxbri-OUTPUT FORWORD neutron-filter-top neutron-linuxbri-local neutron-linuxbri-FORWARD neutron-linuxbri-sg-chain=>A A=>neutron-linuxbri-i45d1d6e0-d=>B A=>neutron-linuxbri-o45d1d6e0-d neutron-linuxbri-s45d1d6e0-d=>B B=>neutron-linuxbri-sg-fallback

 

This flow is too messy. I will organize it into an image in another day.

 

Here, only the flow of Layer 2 data packets is analyzed.

Iii. Summary

1. What actually works is:

neutron-linuxbri-i45d1d6e0-dneutron-linuxbri-o45d1d6e0-dneutron-linuxbri-s45d1d6e0-d

2, neutron-linuxbri-i45d1d6e0-d this is to enter the virtual machine flow control, according to the default security group of Openstack, the network of different tenants under the same network is not accessible.

3, neutron-linuxbri-s45d1d6e0-d this is to do the ip and mac binding function.

4, neutron-linuxbri-o45d1d6e0-d this is done out of virtual machine flow control, according to the default Openstack security group, all through.

5. The naming rules for these binchains are as follows: the first 16 of the L2Agent names used are-data flow [I/o/s]-the first 11 bits of the UUID port.