Bypassing or disabling security groups (iptables) in OpenStack

Source: Internet
Author: User

Currently, OpenStack enables security groups by default and uses the host's iptables to filter the traffic going to and from the VM. This is meant for security, but it frequently gets in the way of debugging and development.

Disabling it temporarily therefore rules out network interruptions caused by wrong iptables rules.

In the H (Havana) release you can disable security groups by changing the firewall setting in the neutron plugin.ini.

In the I (Icehouse) release, however, the same change only stops the traffic from passing through the security bridge.

So when security groups are enabled normally, we need a way to let the traffic bypass them.

From a closer look at the network implementation in OpenStack we know that traffic leaving the VM is filtered on the neutron-openvswi-o9LETTERID chain and traffic entering the VM on the neutron-openvswi-i9LETTERID chain (9LETTERID stands for the port-specific suffix, 4430511a-6 in the listing below).

Therefore, we only need to insert an allow rule at the top of that chain.

First, look at the rules on the VM's egress security chain:

iptables -nvL neutron-openvswi-o9LETTERID

The output usually looks like this:

Chain neutron-openvswi-o4430511a-6 (2 references)
 pkts bytes target                         prot opt in  out source    destination
    6  1968 RETURN                         udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:68 dpt:67
 1437  121K neutron-openvswi-s4430511a-6   all  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 DROP                           udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp spt:67 dpt:68
    0     0 DROP                           all  --  *   *   0.0.0.0/0 0.0.0.0/0   state INVALID
  278 23352 RETURN                         all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
 1159 97356 RETURN                         all  --  *   *   0.0.0.0/0 0.0.0.0/0
    0     0 neutron-openvswi-sg-fallback   all  --  *   *   0.0.0.0/0 0.0.0.0/0

It can be seen that by default only the DHCP request traffic matched by the first UDP rule (ports 67/68) is returned unconditionally; everything else first goes through the neutron-openvswi-s4430511a-6 chain, which checks the packet's source IP address and source MAC and lets it pass only if they match the ones allocated to the port.

For example, to let all ping (ICMP) packets leave the VM regardless of their source address and source MAC, add:

iptables -I neutron-openvswi-o9LETTERID -p icmp -j RETURN

More crudely, to let all traffic from the VM through without any inspection, add:

iptables -I neutron-openvswi-o9LETTERID -j RETURN

Note that rules added this way are not maintained by neutron. They will therefore be cleared after a while and have to be added again.
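The flip side of the note above is that such hand-inserted rules also do not show up anywhere in neutron's own state, so the only place to notice them is the iptables chain itself. The following shell function, added here as an example and not part of the original article, audits an egress chain listing in the `iptables -nvL` format shown above: neutron's own chain starts with the DHCP client RETURN (udp spt:68 dpt:67) and then jumps to the anti-spoofing chain neutron-openvswi-s<ID>, so any other RETURN or ACCEPT placed before that jump short-circuits both the address/MAC check and the security-group rules. The function name `audit_egress_chain` and the sample listing (which contains one inserted `-p icmp -j RETURN` rule) are constructed for this example.

```shell
#!/bin/sh
# Audit an OpenStack egress security-group chain for allow rules that
# neutron did not create.  Reads the output of
#   iptables -nvL neutron-openvswi-o<ID>
# from stdin and prints one line per suspicious rule.
#
# Neutron's own chain layout: DHCP-client RETURN (udp spt:68 dpt:67),
# then the jump to the anti-spoof chain neutron-openvswi-s<ID>, then the
# managed DROP/RETURN rules.  A RETURN or ACCEPT that appears *before*
# the anti-spoof jump bypasses every later check, which is exactly what
# "iptables -I neutron-openvswi-o<ID> ... -j RETURN" produces.
# (Function name and sample data are constructed for this example.)
audit_egress_chain() {
    awk '
        # Skip the "Chain ..." header and the column header line.
        /^Chain / { next }
        tolower($1) == "pkts" { next }
        NF < 9 { next }
        {
            target = $3
            # Columns 1-9 are fixed (pkts bytes target prot opt in out
            # source destination); anything after them is the match text.
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
            # The jump to neutron-openvswi-s<ID> marks the end of the
            # region where an allow rule is suspicious.  (The sg-fallback
            # chain does not match: "g" is not a hex digit.)
            if (target ~ /^neutron-openvswi-s[0-9a-f]/) { seen_s = 1; next }
            if (seen_s) next
            # The DHCP client RETURN is the one allow rule neutron itself
            # places before the anti-spoof jump.
            if (target == "RETURN" && extra ~ /spt:68 dpt:67/) next
            if (target == "RETURN" || target == "ACCEPT")
                printf "UNMANAGED %s before anti-spoof chain: %s\n", target, $0
        }
    '
}

# Constructed sample: neutron'"'"'s default chain with one hand-inserted
# "-p icmp -j RETURN" at the top (the debugging trick described above).
SAMPLE_LISTING=$(cat <<'EOF'
Chain neutron-openvswi-o4430511a-6 (2 references)
 pkts bytes target     prot opt in     out     source               destination
   12   900 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    6  1968 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
 1437  121K neutron-openvswi-s4430511a-6  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  278 23352 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1159 97356 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Usage on a live host: iptables -nvL neutron-openvswi-o<ID> | audit_egress_chain
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | audit_egress_chain
```

Run against the sample it reports only the inserted ICMP rule; the later unconditional RETURN (the default egress allow) is not flagged because it sits after the anti-spoof jump where neutron puts it. Looping this over every `neutron-openvswi-o*` chain from `iptables -S | awk '/^-N neutron-openvswi-o/ {print $2}'` gives a quick host-wide check that no debugging bypass was left behind.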

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.