Notes on OpenStack security groups, recorded as a set of questions and answers:
1. Is it loaded on a compute node or a network node?
It is loaded on the compute node.
2. Is it implemented with iptables rules?
The M (Mitaka) release of Neutron implements an Open vSwitch based firewall built on OVS flow tables.
Before that, the common implementation used iptables, typically creating neutron-openvswi-xxx chains.
3. In the iptables-based firewall, are the added rules ACCEPT rules, with every other packet dropped?
Yes. The added rules are generally RETURN rules placed in front of the final default DROP rule. The iptables-based implementation of security groups works as follows.
Two points need explaining here.
(1) ipset
0 0 RETURN all -- any any anywhere anywhere match-set NIPv4de0fc679-6a26-43d6-a3f6- src
This rule uses an ipset to specify the set of source addresses: any packet whose source IP is in the set matches and is passed (RETURN).
All ipset sets can be listed with the ipset list command:
# ipset list
Name: NIPv4de0fc679-6a26-43d6-a3f6-
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16816
References: 1
Members:
192.168.188.19
Name: NIPv6de0fc679-6a26-43d6-a3f6-
Type: hash:net
Revision: 3
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 17552
References: 1
Members:
(2) Security-group remote
If a security group is selected as the remote (source) side of a rule, any instance that belongs to that security group is allowed by the rule to access the other instances.
For example, if host-1 is bound to security group default and host-2 to security group secg1, and a rule is added to default with remote set to secg1, then that rule applies to packets whose source IP is host-2's address.
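The following is an added example, not code from the original notes or from Neutron itself. It models the three points above in a few functions: how a security group's member IPs become an ipset (named the way the ipset list output above shows, 'N' + ethertype + group id, truncated), how the allow rules compile into RETURN rules in front of a final DROP, and how a rule whose remote is a security group is evaluated through match-set against the source IP. It also parses ipset list output so you can check which set a given source would hit. All group ids, port names, IPs and the sample ipset list text are constructed for the illustration; the chain is a simplification of the real neutron-openvswi-* chains.

```python
"""Added example (not the page's or Neutron's code): a model of the iptables/ipset
security-group scheme. Group ids, IPs and the sample output below are constructed."""
import ipaddress
import re

IPSET_NAME_MAX = 29  # ipset allows 31 characters; Neutron keeps 2 for its '-n' swap suffix


def ipset_name(sg_id, ethertype="IPv4"):
    """Set name is 'N' + ethertype + security-group id, truncated, which is why the
    names shown by `ipset list` end part-way through the uuid."""
    return ("N" + ethertype + sg_id)[:IPSET_NAME_MAX]


def parse_ipset_list(text):
    """Parse `ipset list` output into {set name: set of member prefixes}."""
    sets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = set()
        elif current and re.fullmatch(r"[0-9a-fA-F.:]+(/\d+)?", line):
            sets[current].add(line)  # lines under 'Members:' are bare addresses/prefixes
    return sets


def in_set(members, ip):
    """True if ip falls inside any prefix of a hash:net set (v4/v6 mismatch never matches)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def sets_containing(ipsets, ip):
    """Debug helper: which sets would 'match-set <name> src' hit for this source IP?"""
    return sorted(name for name, members in ipsets.items() if in_set(members, ip))


def build_ipsets(members):
    """What the agent maintains per group: one hash:net set holding the members' IPs."""
    return {ipset_name(sg): set(ips) for sg, ips in members.items()}


def compile_chain(sg_rules):
    """Allow rules become RETURN rules ahead of a final DROP; anything no rule
    returned on falls through to the drop."""
    chain = []
    for rule in sg_rules:
        if "remote_group_id" in rule:      # security-group remote -> match-set NIPv4<id> src
            chain.append(("RETURN", "match-set", ipset_name(rule["remote_group_id"])))
        elif "remote_ip_prefix" in rule:   # plain CIDR remote -> -s <prefix>
            chain.append(("RETURN", "src", rule["remote_ip_prefix"]))
    chain.append(("DROP", None, None))
    return chain


def verdict(chain, ipsets, src_ip):
    """Walk the chain top to bottom and return the first matching target."""
    for target, kind, arg in chain:
        if kind == "match-set" and not in_set(ipsets.get(arg, ()), src_ip):
            continue
        if kind == "src" and not in_set([arg], src_ip):
            continue
        return target
    return "DROP"


# Constructed scenario: host-1 is in group 'default', host-2 is in group 'secg1'.
DEFAULT_SG = "11111111-1111-1111-1111-111111111111"
SECG1_SG = "22222222-2222-2222-2222-222222222222"
MEMBERS = {DEFAULT_SG: {"192.168.188.10"}, SECG1_SG: {"192.168.188.19"}}
# Rule added to 'default' with remote = secg1: only secg1 members may reach host-1.
DEFAULT_RULES = [{"direction": "ingress", "remote_group_id": SECG1_SG}]

# Constructed `ipset list` output for the secg1 sets, in the layout shown above.
SAMPLE_IPSET_LIST = """\
Name: NIPv422222222-2222-2222-2222-
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Members:
192.168.188.19
Name: NIPv622222222-2222-2222-2222-
Type: hash:net
Header: family inet6 hashsize 1024 maxelem 65536
Members:
"""


def demo():
    """Verdict for a packet from host-2 (secg1 member) and from a non-member."""
    ipsets = build_ipsets(MEMBERS)
    chain = compile_chain(DEFAULT_RULES)
    return {ip: verdict(chain, ipsets, ip) for ip in ("192.168.188.19", "192.168.188.20")}


if __name__ == "__main__":
    print(demo())
    print(sets_containing(parse_ipset_list(SAMPLE_IPSET_LIST), "192.168.188.19"))
```

On a real compute node the same check is: find the set name in the RETURN rule's match-set, run ipset list on it, and confirm the remote instance's IP is a member; if the member is missing, the drop you see is the final default rule doing its job.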
4. How is the firewall code structured in neutron-openvswitch-agent?
(1) First set the firewall_driver class in the [securitygroup] section of /etc/neutron/plugins/ml2/openvswitch_agent.ini (this is the dotted path of the class to load) and turn on the security-group switch:
#firewall_driver = <None>
#firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
firewall_driver = neutron.agent.linux.openvswitch_firewall.OVSFirewallDriver
enable_security_group = True
(2) All firewall drivers derive from the parent class FirewallDriver, and each driver must implement the parent class's interfaces:
prepare_port_filter: called once when the port is created, to initialise its security-group information
apply_port_filter
update_port_filter: called when the port's security groups are updated
remove_port_filter: called when the port's security group is removed
filter_defer_apply_on
filter_defer_apply_off
ports
defer_apply
update_security_group_members
update_security_group_rules
security_group_updated
These interfaces are called from securitygroups_rpc.py.
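As an added illustration of that interface (this is not Neutron's driver code and not from the original notes), the toy in-memory driver below implements the methods listed above and shows two things a reader of securitygroups_rpc.py would want to see: what each call carries (a port dict with its security_groups, a group's rules, a group's members) and how filter_defer_apply_on/off, wrapped by defer_apply, batch several updates into a single rewrite of the backend. Port ids, group ids and IPs are constructed; the "backend" is just a per-port set of allowed source prefixes standing in for iptables chains or OVS flows.

```python
"""Added example (not the page's or Neutron's code): a toy driver with the
FirewallDriver interface, showing call contents and deferred application.
All ids and addresses below are constructed."""
import contextlib


class ToyFirewallDriver:
    def __init__(self):
        self.ports = {}        # port id -> port dict as passed by the agent
        self.sg_rules = {}     # security group id -> list of rule dicts
        self.sg_members = {}   # security group id -> {"IPv4": [...], "IPv6": [...]}
        self.compiled = {}     # port id -> frozenset of allowed ingress sources (the "backend")
        self.apply_count = 0   # how many times the backend was rewritten
        self.last_event = None
        self._deferred = False

    # --- per-port interface, driven from securitygroups_rpc.py ---
    def prepare_port_filter(self, port):
        self.ports[port["device"]] = port
        self._apply_all()

    def apply_port_filter(self, port):
        self._apply_all()

    def update_port_filter(self, port):
        self.ports[port["device"]] = port
        self._apply_all()

    def remove_port_filter(self, port):
        self.ports.pop(port["device"], None)
        self.compiled.pop(port["device"], None)

    # --- group-level interface ---
    def update_security_group_rules(self, sg_id, rules):
        self.sg_rules[sg_id] = list(rules)
        self._apply_all()

    def update_security_group_members(self, sg_id, members):
        self.sg_members[sg_id] = members
        self._apply_all()

    def security_group_updated(self, action_type, sec_group_ids, device_ids=None):
        """Notification hook: the toy driver only records what changed."""
        self.last_event = (action_type, sorted(sec_group_ids))

    # --- deferred application ---
    def filter_defer_apply_on(self):
        self._deferred = True

    def filter_defer_apply_off(self):
        self._deferred = False
        self._apply_all()   # one rewrite for the whole batch

    @contextlib.contextmanager
    def defer_apply(self):
        self.filter_defer_apply_on()
        try:
            yield
        finally:
            self.filter_defer_apply_off()

    def _apply_all(self):
        """Recompile every port's allowed sources unless a batch is in progress."""
        if self._deferred:
            return
        for port_id, port in self.ports.items():
            allowed = set()
            for sg_id in port.get("security_groups", []):
                for rule in self.sg_rules.get(sg_id, []):
                    if rule.get("direction") != "ingress":
                        continue
                    if "remote_group_id" in rule:   # remote group -> its members' IPv4 addresses
                        allowed.update(self.sg_members.get(rule["remote_group_id"], {}).get("IPv4", []))
                    elif "remote_ip_prefix" in rule:
                        allowed.add(rule["remote_ip_prefix"])
            self.compiled[port_id] = frozenset(allowed)
        self.apply_count += 1


def demo():
    """Three undeferred calls cost three rewrites; three deferred calls cost one."""
    drv = ToyFirewallDriver()
    drv.update_security_group_rules("sg-default", [{"direction": "ingress", "remote_group_id": "sg-secg1"}])
    drv.update_security_group_members("sg-secg1", {"IPv4": ["192.168.188.19"], "IPv6": []})
    drv.prepare_port_filter({"device": "port-host1", "security_groups": ["sg-default"]})
    before = drv.apply_count
    with drv.defer_apply():   # the agent wraps a batch of RPC-driven changes like this
        drv.update_security_group_members("sg-secg1", {"IPv4": ["192.168.188.19", "192.168.188.20"], "IPv6": []})
        drv.update_security_group_rules("sg-default", [
            {"direction": "ingress", "remote_group_id": "sg-secg1"},
            {"direction": "ingress", "remote_ip_prefix": "10.0.0.0/8"},
        ])
        drv.update_port_filter({"device": "port-host1", "security_groups": ["sg-default"]})
    return before, drv.apply_count - before, sorted(drv.compiled["port-host1"])


if __name__ == "__main__":
    print(demo())
```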
How the Neutron Open vSwitch agent implements security groups