Earlier  
Posted Nick Remark
#openstack-nova - 2019-07-26
14:16:16 aspiers since I know full well that neutron manages the network namespaces and the rules within them
14:18:12 slaweq aspiers: if both IP protocol and range are None than it's not inserted into iptables rule to match, so all will be matched
14:18:42 aspiers slaweq: isn't the default is to reject?
14:19:05 aspiers if there's no corresponding iptables rule, I don't see what could match
14:19:08 slaweq aspiers: with rules You are defining what should be accepted
14:19:15 aspiers exactly that's what I mean
14:19:21 slaweq everything else, what will not match rules will be rejected
14:19:37 aspiers right but before you said "all will be matched"
14:19:44 slaweq so e.g. if You have rule with only "--direction ingress" than everything with ingress direction will be accepted
14:20:07 slaweq as such rule will be inserted into iptables (or openflow rules, depends on fw driver)
14:20:22 aspiers are you still talking about when you have a rule with proto/range None?
14:20:31 slaweq if You will do e.g. rule "--direction ingress --protocol tcp" than such rule will be in iptables and will be accepted
14:20:40 aspiers yes I know that, but I'm asking about proto/range None
14:21:02 aspiers because above you said if it's proto/range None then it's not inserted into iptables, in which case I don't see how any iptables rule can match
14:21:11 aspiers therefore it should use the default which is REJECT
14:21:17 aspiers (or maybe DROP I dunno)
14:21:35 slaweq aspiers: yes, if You not specify protocol, it's None
14:21:44 aspiers I don't even know why devstack created rules with proto/range None
14:21:48 aspiers that makes no sense to me
14:21:59 aspiers unless None means "match ANY proto/range"
14:22:05 aspiers but that doesn't align with what you said above
14:22:17 aspiers because it can't match if there is no iptables rule for it
14:22:40 slaweq technically it's not None but null :)
14:22:45 openstackgerrit Merged openstack/os-traits master: CPU: add a trait for AVX512-VNNI support https://review.opendev.org/672888
14:22:58 aspiers openstack CLI says "None"
14:23:13 aspiers but I guess you mean null in the db
14:23:20 aspiers None in Python
14:23:28 aspiers maybe a SQLAlchemy translation?
14:23:59 slaweq aspiers: ok, so lets say I'm creating rule like http://paste.openstack.org/show/754898/
14:24:15 slaweq this will be visible in iptables like:
14:24:42 aspiers ohhhh I see the confusion now
14:24:54 aspiers <slaweq> aspiers: if both IP protocol and range are None than it's not inserted into iptables rule to match, so all will be matched
14:25:04 aspiers I thought you were saying that _no_rule_ would be inserted into iptables
14:25:12 aspiers but you meant just the protocol/range elements of the rule
14:25:37 aspiers so there will be a rule, but it won't care what protocol/range, so it will match anything
14:26:14 slaweq this will be visible in iptables like: -A neutron-openvswi-i425cf5a4-1 -j RETURN
14:27:03 aspiers right
14:27:11 aspiers so it will accept
14:27:19 slaweq aspiers: but if You will e.g. specify "--protocol tcp" in this rule in neutron, rule in iptables will be like:
14:27:53 slaweq -A neutron-openvswi-i425cf5a4-1 -p tcp -j RETURN
14:28:01 slaweq so it will accept "only" tcp traffic
14:28:22 slaweq if You will add some port or port range in neutron, it will be added to match conditions in iptables
14:28:30 slaweq is it more clear now?
14:28:33 aspiers yeah I get what you were saying now. that all makes sense in theory, but it doesn't match the behaviour I'm seeing
14:29:56 aspiers slaweq: look at this sec group: http://paste.openstack.org/show/754899/
14:30:09 aspiers I can't ping my cirros VM in that group until I add another rule for icmp
14:30:29 slaweq from "outside"?
14:30:31 slaweq it's normal
14:30:38 aspiers from the qrouter netns
14:30:48 aspiers the private address
14:30:51 slaweq You have only rules to allow all egress traffic from instance
14:31:00 aspiers huh?
14:31:06 aspiers there are two ingress rules
14:31:10 slaweq and 2 rules which accepts traffic from other instances which are using same security group
14:31:30 slaweq router port is not using same SG so from router it will not be allowed
14:31:39 aspiers ohhhh OK
14:31:46 slaweq if You will have second vm which will use same SG than it will work for You
14:32:00 aspiers so effectively you are explaining what "remote security group" means?
14:32:05 sean-k-mooney aspiers: i generally have better look in the dhcp namespaces
14:32:08 slaweq yes :)
14:32:19 aspiers slaweq: is that documented anywhere?
14:32:46 sean-k-mooney aspiers: why would the router ever be in the the same securtiy group
14:32:55 sean-k-mooney the security group is typically on the port
14:33:16 sean-k-mooney not the network unlike qos
14:33:17 slaweq aspiers: tbh I'm not sure, let me look
14:34:07 aspiers also interesting to note that security groups are documented in nova not neutron https://docs.openstack.org/nova/latest/admin/security-groups.html
14:34:27 aspiers well, in both
14:34:28 sean-k-mooney aspiers: thats because fo nova networks
14:34:40 sean-k-mooney which we have now deleted?
14:34:52 aspiers sean-k-mooney: yeah I remember the history from 2012 :)
14:35:41 sean-k-mooney aspiers: well stpehn is activly deleteing the remainder of the code this cycle
14:35:47 aspiers finally \o/
14:35:54 sean-k-mooney i think he has done cellsv1
14:36:07 sean-k-mooney and some of the xen only console stuff
14:36:16 sean-k-mooney nova networks is next on his list
14:36:46 sean-k-mooney after he finishes the cpu pinning via placement stuff
14:39:39 slaweq aspiers: from what I'm now looking into Neutron documentation, I think this remote_group_id isn't really explained there
14:39:42 slaweq :(
14:39:55 aspiers slaweq: thanks for checking!
14:40:00 aspiers that sounds like a doc bug
14:40:09 slaweq aspiers: yes, indeed
14:40:16 slaweq aspiers: but I hope it's clear for You now :)
14:40:21 aspiers I think so
14:40:45 aspiers is it also possible to have an egress rule with remote secgroup set?
14:41:07 aspiers so that the rule only matches outgoing traffic to another (or maybe the same) secgroup?
14:41:18 slaweq aspiers: yes
14:41:26 aspiers cool
14:41:41 slaweq technically it creates ipset with IP addresses which belongs to other ports with same SG
14:41:54 slaweq and use this ipset in match conditions for rule
14:42:10 aspiers makes sense
14:42:13 slaweq but if You want to do so, please remember to remove default rule which allows all egress traffic
14:42:29 slaweq otherwise it will match first and still all will work fine
14:42:51 slaweq s/work fine/be allowed
14:42:52 slaweq :)
14:42:59 aspiers got it
14:43:12 aspiers OK think I understand much better now, thanks a lot!
14:48:58 slaweq aspiers: yw :)
14:56:40 sean-k-mooney aspiers: you can use cidr notation with egreess rules
14:56:55 sean-k-mooney you do not need to use remote sec groups at all
15:09:43 melwitt dansmith: hey, appreciate the review on the last context manager patch. I'm investigating into the our test setup code to be able to reply about some things. thanks again for looking

Earlier   Later