Default security group rules have been deleted from a project; is it possible to recreate them from the CLI?
Issue
- We have hit a use case whereby an internal team has deleted the rules from the default security group and applied an explicit set of egress rules to that instance (Windows), but because the default rules no longer exist we believe that the instance is fully exposed to incoming traffic, explicitly to RDP port 3389.
- As this is OSP13 and the firewall has changed to OpenFlow rather than iptables, how can we see what that host has applied at the compute / neutron level to properly ascertain what is happening?
- Is there a way to manually create an explicit deny in security group rules?
- The following errors are seen in /var/log/containers/neutron/openvswitch-agent.log:
2020-08-14 07:20:22.531 445473 ERROR neutron.agent.common.ovs_lib [req-562b2893-f885-40b1-a981-22868338d2be - - - - -] Unable to execute ['ovs-ofctl', 'add-flows', '-O', 'OpenFlow10', 'br-int', '--bundle', '-']. Exception: Exit code: 1; Stdin: hard_timeout=0,idle_timeout=0,priority=100,table=60,cookie=14880330827299259992,in_port=315,actions=set_field:315->reg5,set_field:151->reg6,resubmit(,71)
[...]
2020-08-14 08:39:41.163 445473 ERROR neutron.agent.common.ovs_lib [req-562b2893-f885-40b1-a981-22868338d2be - - - - -] Unable to execute ['ovs-ofctl', 'del-flows', '-O', 'OpenFlow10', 'br-int', '--strict', '-']. Exception: Exit code: 1; Stdin: priority=90,cookie=14880330827299259992/-1,table=60,dl_dst=fa:16:3e:00:00:00,dl_vlan=4; Stdout: ; Stderr: ovs-ofctl: br-int is not a bridge or a socket
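The first two questions above (recreating the default rules from the CLI, and seeing what the OpenFlow firewall has actually installed for a port) can both be worked from a compute host. The script below is an added example, not part of the Red Hat article or its resolution. It relies on the `openstack security group rule create` options of python-openstackclient and on the table layout of the neutron OVS firewall driver (table 72 holds a port's egress rules, table 82 its ingress rules, both keyed on register 5 = OpenFlow port number); the security group ID, the bridge name `br-int`, and the Neutron port UUID passed on the command line are placeholders to fill in.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): recreate the four rules that
# Neutron seeds into a new default security group, and dump the OpenFlow rules
# the OVS firewall driver has installed for one instance port.
# Assumes openstack, ovs-vsctl and ovs-ofctl are on PATH; group ID, bridge
# name and port UUID are placeholders supplied by the caller.
set -u

# A freshly created security group carries: egress allow-all for IPv4 and
# IPv6, plus ingress allow from members of the same group for IPv4 and IPv6.
# $1 is the security group ID (use the ID; the name "default" exists in every
# project). Set OPENSTACK=echo to print the commands instead of running them.
recreate_default_sg_rules() {
    group="$1"
    cli="${OPENSTACK:-openstack}"
    "$cli" security group rule create --egress --ethertype IPv4 "$group"
    "$cli" security group rule create --egress --ethertype IPv6 "$group"
    "$cli" security group rule create --ingress --ethertype IPv4 --remote-group "$group" "$group"
    "$cli" security group rule create --ingress --ethertype IPv6 --remote-group "$group" "$group"
}

# The OVS firewall keys per-port rules on reg5 (the OpenFlow port number).
# ovs-ofctl prints and matches registers in hex, so convert the decimal ofport.
ofport_to_reg5() {
    printf '0x%x' "$1"
}

# Resolve a Neutron port UUID to its OpenFlow port number on this compute host.
neutron_port_to_ofport() {
    ovs-vsctl --bare --columns=ofport find Interface "external_ids:iface-id=$1"
}

# Dump the security-group flows for one port: table 72 = egress rules,
# table 82 = ingress rules. Lower-priority catch-all flows in these tables
# drop what no rule matched, so an empty table 82 for a port means no
# inbound traffic is accepted (default deny), not that everything is.
dump_port_firewall_flows() {
    bridge="$1"
    reg5="$(ofport_to_reg5 "$2")"
    for table in 72 82; do
        echo "== $bridge table=$table ofport=$2 (reg5=$reg5) =="
        ovs-ofctl dump-flows "$bridge" "table=$table,reg5=$reg5"
    done
}

# Usage: ./sg-tools.sh recreate <security-group-id>
#        ./sg-tools.sh flows <neutron-port-uuid>
case "${1:-}" in
    recreate) recreate_default_sg_rules "$2" ;;
    flows)    dump_port_firewall_flows br-int "$(neutron_port_to_ofport "$2")" ;;
esac
```

Run `flows` on the compute node hosting the instance, since the flows only exist on the bridge where the port is plugged. Recreating the default rules restores the group to its as-created state; it does not add any deny rule, because security groups express only what is allowed.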
Environment
- Red Hat OpenStack Platform 13.0 (RHOSP)