
Neutron/ML2PortSecurityExtensionDriver

Neutron ML2 Extension Driver

ML2 Extension Driver manages extended attributes on the neutron core resources implemented by the ML2 plugin: network, subnet and port.

Port Security Extension Driver

Neutron's security groups always apply anti-spoofing rules to a VM's port. This allows traffic to originate at and terminate on the VM as expected, but prevents traffic from passing through the VM. Letting traffic pass through is required in cases where the VM itself routes traffic (for example, a VM acting as a router or firewall). By exposing a port security extension flag, it becomes possible to enable or disable this packet filtering per network and per port.

Port Security Extension setup

The /etc/neutron/plugins/ml2/ml2_conf.ini file needs to be modified to load the port security extension driver. The option belongs in the [ml2] section:

[ml2]
extension_drivers = port_security

By default a network is created with port_security_enabled=True. This behavior ensures that a network is secure by default.

localadmin@GG26devstack:~/devstack$ neutron net-show net1
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb |
| mtu                       | 0                                    |
| name                      | net1                                 |
| port_security_enabled     | True                                 |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 1001                                 |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 1d58d120-4990-41d8-b1f2-2354df54328a |
| tenant_id                 | ba328cf9aa72429aad0535ec4adcd882     |
| vlan_transparent          | False                                |
+---------------------------+--------------------------------------+

When a port is created, it inherits the port_security_enabled value of the network it belongs to.

When a particular VM needs to have its port_security_enabled flag disabled, this can be done by updating the port to which the VM is attached:

neutron port-update c080dbeb-491e-46e2-ab7e-192e7627d050 --port-security-enabled=False

This VM will now be able to route traffic through it.
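Because a port with port_security_enabled=False carries no anti-spoofing or security-group filtering, an operator will usually want to find such ports rather than rely on memory. The following is an added example, not code from the wiki page or from the Neutron project: it parses the two-column table that neutron net-show and neutron port-show print (as shown above) and flags resources whose port security is disabled, or where the attribute is missing altogether (which suggests the extension driver was never loaded). The sample CLI output below is constructed for the example; the port id is the one used on this page.

```python
"""Audit helper: parse neutron CLI table output and flag resources whose
port security is disabled. Added example, not part of the Neutron project."""


def parse_neutron_table(text):
    """Parse the '| Field | Value |' table printed by `neutron net-show`
    or `neutron port-show` into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and any non-table lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Field":
            continue  # skip the header row and malformed rows
        fields[cells[0]] = cells[1]
    return fields


def port_security_enabled(fields):
    """True/False for port_security_enabled; None when the attribute is
    absent, i.e. the port_security extension driver is not loaded."""
    value = fields.get("port_security_enabled")
    if value is None:
        return None
    return value.strip().lower() == "true"


def audit(resources):
    """resources: {label: cli_output}. Returns (label, reason) pairs for
    resources that are unfiltered or whose state cannot be determined."""
    findings = []
    for label, text in resources.items():
        state = port_security_enabled(parse_neutron_table(text))
        if state is None:
            findings.append((label, "port_security_enabled missing: "
                                    "extension_drivers = port_security not loaded?"))
        elif not state:
            findings.append((label, "port_security_enabled=False: "
                                    "anti-spoof/security-group filtering is off"))
    return findings


# Constructed sample output, trimmed to the fields relevant here.
NET1_SHOW = """\
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| id                        | 725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb |
| name                      | net1                                 |
| port_security_enabled     | True                                 |
| provider:physical_network |                                      |
+---------------------------+--------------------------------------+
"""

PORT_SHOW_DISABLED = """\
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| id                    | c080dbeb-491e-46e2-ab7e-192e7627d050 |
| network_id            | 725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb |
| port_security_enabled | False                                |
+-----------------------+--------------------------------------+
"""

PORT_SHOW_NO_EXTENSION = """\
+------------+--------------------------------------+
| Field      | Value                                |
+------------+--------------------------------------+
| id         | 00000000-0000-0000-0000-000000000000 |
| network_id | 725ebfa1-c3c3-43fa-b8c2-cac99f1f88fb |
+------------+--------------------------------------+
"""

SAMPLE_RESOURCES = {
    "net net1": NET1_SHOW,
    "port c080dbeb": PORT_SHOW_DISABLED,
    "port 00000000": PORT_SHOW_NO_EXTENSION,
}

if __name__ == "__main__":
    for label, reason in audit(SAMPLE_RESOURCES):
        print(f"{label}: {reason}")
```

In practice the dict would be filled by capturing neutron port-show output for every port in the tenant; the parser deliberately treats an absent attribute as a separate finding, because a missing field means the flag cannot be trusted to be enforced at all.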