I am using OpenNebula on a number of servers; since using it I have been unable to get security groups working. The reason for this is that the servers have routed subnets on a virtual bridge interface; the hosting provider also uses port security, so I am unable to present any MAC addresses except for the main interface MAC address to the top-of-rack switch.
Out of the box the default security groups do not work with the above arrangement. The reason is that they use -m physdev --physdev-is-bridged; my setup is routed, not bridged, so this rule never matches.
To solve my issue I found that the iptables rules are created by security_groups_iptables.rb. I have been modifying this file accordingly to create correct rules for my setup, with success. However, I would like to know if there is an official way of doing this. My concern is that during an upgrade my custom security_groups_iptables.rb will be overwritten. It does not feel like the correct way to be doing things, and I was hoping a developer could provide reassurance that this is correct or point me in the right direction as to how I should be doing this.
Thank you in advance.