By default, Neutron applies antispoofing rules to all ports to ensure that unexpected or undesired traffic cannot originate from or pass through a port. This includes rules that prohibit instances from running DHCP servers or acting as routers. To address the latter, the allowed-address-pairs extension can be used to allow additional subnets and MAC addresses through the port. However, additional functionality may be required that cannot be addressed by the allowed-address-pairs extension.
In Kilo, the port security extension was introduced for the ML2 plugin that allows all packet filtering to be disabled on a port. This is especially useful when deploying instances for NFV purposes. The port security extension requires additional configuration, which will be discussed in the following sections.
To enable the port security extension, edit the ML2 configuration file on the controller node at /etc/neutron/plugins/ml2/ml2_conf.ini, and add the following to the [ml2] section:

[ml2]
...
extension_drivers = port_security
Restart the neutron-server service for the change to take effect:

# service neutron-server restart
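The extension_drivers option is a comma-separated list, so on a controller that already loads other extension drivers (qos, for example) port_security has to be appended rather than written as the only value. The following added example (not from the book; the sample ml2_conf.ini contents and the helper names are constructed for illustration) parses the [ml2] section with Python's configparser, reports whether port_security is loaded, and returns an amended configuration that preserves the drivers already listed:

```python
"""Check and amend the [ml2] extension_drivers list in an ml2_conf.ini.

Added example; the configuration text below is constructed, not a real
controller's file.
"""
import configparser
import io

# Constructed sample: an ML2 configuration that loads the qos extension
# driver but not port_security.
SAMPLE_ML2_CONF = """\
[DEFAULT]

[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
extension_drivers = qos
"""

DRIVER = "port_security"


def _load(conf_text):
    # interpolation=None: oslo.config values may contain '%' characters.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def parse_extension_drivers(conf_text):
    """Return the [ml2] extension_drivers list (empty when unset)."""
    cp = _load(conf_text)
    if not cp.has_section("ml2"):
        return []
    raw = cp.get("ml2", "extension_drivers", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def port_security_enabled(conf_text):
    """True when the port_security extension driver is configured."""
    return DRIVER in parse_extension_drivers(conf_text)


def ensure_port_security(conf_text):
    """Return configuration text with port_security in extension_drivers.

    Idempotent: the input is returned unchanged when the driver is already
    listed. Note that configparser drops comments when it rewrites a file,
    so for an in-place edit of a real ml2_conf.ini a tool that preserves
    comments (crudini, for instance) is preferable to writing this output
    back over the original.
    """
    drivers = parse_extension_drivers(conf_text)
    if DRIVER in drivers:
        return conf_text
    drivers.append(DRIVER)
    cp = _load(conf_text)
    if not cp.has_section("ml2"):
        cp.add_section("ml2")
    cp.set("ml2", "extension_drivers", ",".join(drivers))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print("port_security loaded:", port_security_enabled(SAMPLE_ML2_CONF))
    print(ensure_port_security(SAMPLE_ML2_CONF))
```

The check is worth running after any configuration-management pass, because a template that writes `extension_drivers = port_security` verbatim silently removes every other extension driver from the plugin, while one that forgets the option altogether leaves the port security API attributes unavailable even though neutron-server was restarted.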
When the port security extension is enabled after networks are already created, users may find issues interacting with the Neutron and Nova APIs due to the following bug: https://bugs.launchpad.net/neutron/+bug/1461519
To work around this bug, some changes may need to be made to the database to update existing tables and entries to support the port security functionality.
Using the mysql client, update the Neutron database using the following commands. When prompted for the root password, use openstack, as follows:

# mysql -u root -p
Enter the following SQL statements at the MariaDB [(none)]> prompt:

use neutron;
INSERT INTO networksecuritybindings (network_id, port_security_enabled)
SELECT id, True FROM networks
WHERE id NOT IN (SELECT network_id FROM networksecuritybindings);
INSERT INTO portsecuritybindings (port_id, port_security_enabled)
SELECT id, True FROM ports
WHERE id NOT IN (SELECT port_id FROM portsecuritybindings);
exit;
Once these changes are made, it should no longer be necessary to run these commands in the future as long as the port security extension remains enabled.
Port security can be disabled on all ports connected to a particular network by setting the port_security_enabled attribute to false during network creation:
When a port is created and attached to the network, its port_security_enabled attribute will be set to false automatically:
Due to limitations with the implementation of the port security extension, an instance cannot be booted with a port or network that does not have port security enabled. Instead, the port must be attached to a running instance. Once attached, only a handful of iptables rules are implemented on the respective compute node, as in the following screenshot:
The rules effectively allow all traffic to pass through a port. It is important to know that when port security is disabled on a port, the API will not allow the port to be associated with any security group. Disabling port security means that any filtering must be implemented within the guest operating system.
Port security can be disabled on an individual port by setting the port_security_enabled attribute to false during the creation or update of a port. To do so requires that no security groups be associated with the port; otherwise, the attempt will result in an error.
The following screenshot demonstrates port security being disabled on an individual port despite port security being enabled on the network:
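Because a port with port security disabled carries no Neutron filtering at all, and because the API refuses to pair such a port with a security group, an operator needs a way to list which ports are in that state and whether any of them have drifted into an inconsistent combination (for example, after direct database edits such as the workaround above). The following added example (not from the book) audits port records in the shape returned by the Neutron API's port listing; the port ids, network ids and security group ids are constructed for illustration, and the finding names are this example's own:

```python
"""Audit Neutron port records for disabled port security.

Added example. The JSON below mimics the structure of GET /v2.0/ports;
every identifier in it is constructed for the example.
"""
import json

# Constructed sample of four ports as the Neutron API would describe them.
SAMPLE_PORTS_JSON = """
{"ports": [
  {"id": "port-a", "network_id": "net-1", "device_owner": "compute:nova",
   "port_security_enabled": true,
   "security_groups": ["sg-default"], "allowed_address_pairs": []},
  {"id": "port-b", "network_id": "net-2", "device_owner": "compute:nova",
   "port_security_enabled": false,
   "security_groups": [], "allowed_address_pairs": []},
  {"id": "port-c", "network_id": "net-1", "device_owner": "compute:nova",
   "port_security_enabled": true,
   "security_groups": ["sg-default"],
   "allowed_address_pairs": [{"ip_address": "10.0.0.0/24"}]},
  {"id": "port-d", "network_id": "net-2", "device_owner": "compute:nova",
   "port_security_enabled": false,
   "security_groups": ["sg-default"], "allowed_address_pairs": []}
]}
"""


def load_ports(text):
    """Parse an API-style port listing into a list of port dicts."""
    return json.loads(text)["ports"]


def audit_port(port):
    """Return the findings for one port record.

    port_security_disabled: no antispoofing or security group filtering is
      applied on the compute node; filtering must live in the guest.
    security_groups_on_unfiltered_port: a state the API does not permit,
      so its presence indicates the database was changed out of band.
    allowed_address_pairs: filtering is on, but extra subnets or MACs are
      allowed through the port beyond its own fixed IPs and MAC.
    """
    findings = []
    groups = port.get("security_groups", [])
    pairs = port.get("allowed_address_pairs", [])
    # Absent attribute means the extension is not loaded, i.e. filtering is on.
    if not port.get("port_security_enabled", True):
        findings.append("port_security_disabled")
        if groups:
            findings.append("security_groups_on_unfiltered_port")
    elif pairs:
        findings.append("allowed_address_pairs")
    return findings


def audit(ports):
    """Map each finding to the ids of the ports that produced it."""
    report = {}
    for port in ports:
        for finding in audit_port(port):
            report.setdefault(finding, []).append(port["id"])
    return report


if __name__ == "__main__":
    for finding, ids in sorted(audit(load_ports(SAMPLE_PORTS_JSON)).items()):
        print(f"{finding}: {', '.join(ids)}")
```

On a real deployment the input would come from the ports listing of the Neutron API rather than the embedded sample; the audit logic itself is independent of how the records are fetched. The allowed_address_pairs finding is informational, since those ports are still filtered, but it belongs in the same report because it marks the other place where the default antispoofing rules have been deliberately relaxed.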