Chapter 11: Security Group Implementation in Contrail

Refer to the OpenStack Security Group chapter before reading this chapter.

Contrail does not use iptables for security groups. The Neutron API can be used for creating and managing security groups and their rules.

In Contrail, security group operations are implemented in the Contrail vRouter agent.

Security groups can be seen in the Contrail vRouter agent introspect:

http://xxxxxx:8085/agent.xml#Snh_SgListReq

When new traffic is initiated by the VM or destined to the VM, the vRouter receives the flow to be added from the Contrail vRouter agent.

The Contrail vRouter agent performs the following actions:

  • Adds the flows to the vRouter based on the traffic.
  • Sets the flow action to FORWARD, DROP or NAT.
  • Decides the action based on the security group rules.

In the example below, I have created a security group with only TCP allowed and associated it with the VM. I logged in to the VM and triggered a ping to google. I expect the traffic to be blocked. This can be verified in the flow output as below:

cloud@devstack1:~/devstack$ sudo flow --match "proto icmp"
Flow table(size 589824, entries 4608)

Entries: Created 4887 Added 4883 Deleted 9744 Changed 9760 Processed 4887 Used Overflow entries 0
(Created Flows/CPU: 2196 2691)(oflows 0)

Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
 Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
 Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

Listing flows matching (Protocol ICMP)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
      264<=>1668         192.168.2.3:18177                                   1 (2)
                         216.58.198.206:0    
(Gen: 3, K(nh):17, Action:D(SG), Flags:, QOS:-1, S(nh):17,  Stats:2/196, 
 SPort 62246, TTL 0, Sinfo 5.0.0.0)

     1668<=>264          216.58.198.206:18177                                1 (1)
                         172.24.4.11:0    
(Gen: 2, K(nh):9, Action:D(Unknown), Flags:, QOS:-1, S(nh):9,  Stats:0/0, 
 SPort 49617, TTL 0, Sinfo 0.0.0.0)

cloud@devstack1:~/devstack$

In the flow output, Action:D(SG) means the flow was DROPPED, and the reason given in parentheses is the security group (SG).
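When auditing a compute node, it is useful to read the `flow` output above programmatically rather than by eye and list every flow the security group rules dropped. The following parser is an added example, not part of this chapter and not Contrail project code. It assumes the output layout shown above (an index line "A<=>B  src:port  proto (vrf)", a destination line, then a parenthesised attribute block containing "Action:X(reason)" and "Stats:packets/bytes"); the sample text it parses is constructed from the chapter's output plus one forwarded TCP flow.

```python
"""Parse Contrail vRouter `flow` CLI text output and report dropped flows.

Added example (not Contrail project code). Assumes the entry layout shown
in the chapter; field names below are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the chapter's `flow --match "proto icmp"`
# output, with one extra forwarded TCP flow added for contrast.
SAMPLE_FLOW_OUTPUT = """\
Flow table(size 589824, entries 4608)

Listing flows matching (Protocol ICMP)

    Index                Source:Port/Destination:Port                      Proto(V)
-----------------------------------------------------------------------------------
      264<=>1668         192.168.2.3:18177                                   1 (2)
                         216.58.198.206:0
(Gen: 3, K(nh):17, Action:D(SG), Flags:, QOS:-1, S(nh):17,  Stats:2/196,
 SPort 62246, TTL 0, Sinfo 5.0.0.0)

     1668<=>264          216.58.198.206:18177                                1 (1)
                         172.24.4.11:0
(Gen: 2, K(nh):9, Action:D(Unknown), Flags:, QOS:-1, S(nh):9,  Stats:0/0,
 SPort 49617, TTL 0, Sinfo 0.0.0.0)

      301<=>302          192.168.2.3:43210                                   6 (2)
                         192.168.2.4:22
(Gen: 1, K(nh):17, Action:F, Flags:, QOS:-1, S(nh):17,  Stats:12/1480,
 SPort 51000, TTL 0, Sinfo 5.0.0.0)
"""

# Action letters as documented in the `flow` legend: F=Forward, D=Drop, N=NAT.
ACTION_NAMES = {"F": "FORWARD", "D": "DROP", "N": "NAT"}

# "      264<=>1668         192.168.2.3:18177      1 (2)"
INDEX_LINE = re.compile(r"^\s*(\d+)<=>(\d+)\s+(\S+)\s+(\d+)\s*\((\d+)\)\s*$")
ACTION_RE = re.compile(r"Action:([A-Z])(?:\(([^)]*)\))?")
STATS_RE = re.compile(r"Stats:(\d+)/(\d+)")


@dataclass
class FlowEntry:
    index: int
    reverse_index: int
    source: str
    destination: str
    proto: int
    vrf: int
    action: str              # FORWARD / DROP / NAT / UNKNOWN
    reason: Optional[str]    # e.g. "SG" or "Unknown" for drops, None otherwise
    packets: int
    bytes: int


def parse_flow_output(text: str) -> List[FlowEntry]:
    """Return one FlowEntry per flow found in the CLI text."""
    entries: List[FlowEntry] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = INDEX_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        index, rindex, source, proto, vrf = m.groups()
        # The destination "ip:port" sits alone on the next line.
        i += 1
        destination = lines[i].strip() if i < len(lines) else ""
        # The attribute block spans lines until its parentheses balance.
        i += 1
        attrs, depth = [], 0
        while i < len(lines):
            line = lines[i]
            attrs.append(line.strip())
            depth += line.count("(") - line.count(")")
            i += 1
            if depth <= 0:
                break
        attr_text = " ".join(attrs)
        am = ACTION_RE.search(attr_text)
        sm = STATS_RE.search(attr_text)
        entries.append(FlowEntry(
            index=int(index), reverse_index=int(rindex),
            source=source, destination=destination,
            proto=int(proto), vrf=int(vrf),
            action=ACTION_NAMES.get(am.group(1), "UNKNOWN") if am else "UNKNOWN",
            reason=am.group(2) if am else None,
            packets=int(sm.group(1)) if sm else 0,
            bytes=int(sm.group(2)) if sm else 0,
        ))
    return entries


def dropped_flows(entries: List[FlowEntry]) -> List[FlowEntry]:
    """Flows the vRouter is dropping, for whatever reason."""
    return [e for e in entries if e.action == "DROP"]


def drops_by_reason(entries: List[FlowEntry]) -> dict:
    """Count dropped flows per reason, e.g. {'SG': 1, 'Unknown': 1}."""
    return dict(Counter(e.reason or "unspecified" for e in dropped_flows(entries)))


if __name__ == "__main__":
    parsed = parse_flow_output(SAMPLE_FLOW_OUTPUT)
    for e in dropped_flows(parsed):
        print(f"flow {e.index}: {e.source} -> {e.destination} proto {e.proto} "
              f"dropped ({e.reason}), {e.packets} pkts")
    print("drops by reason:", drops_by_reason(parsed))
```

On a live node, feed the parser the text of `sudo flow -l` (or a `--match` filtered listing) instead of the constructed sample; a rising count under the SG reason for a given VM interface is the quickest confirmation that its security group, not a missing route or an unknown flow, is what is blocking the traffic.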
