—or, iptables -S for Open vSwitch flows.

These instructions come from debugging OpenStack security groups set via the Open vSwitch firewall driver as configured by Fuel. They assume that your OpenStack environment has Neutron’s distributed virtual router (DVR) functionality enabled. You’re otherwise on your own.

  1. Find the MAC address of the VM interface whose security groups you want to check.

     root@sdn1:~# ip link show ens3
     2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
         link/ether fa:16:3e:7c:b9:5c brd ff:ff:ff:ff:ff:ff
    
  2. On the compute node—or the controller in a non-DVR environment or the network node in a non-Fuel environment—search for flows to that interface:

     root@oscom2:~# ovs-ofctl dump-flows br-int | grep "fa:16:3e:7c:b9:5c"
      cookie=0xa711cf9f52b99a45, duration=2784.787s, table=0, n_packets=1977, n_bytes=928432, idle_age=3, priority=90,dl_dst=fa:16:3e:7c:b9:5c actions=load:0x5->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,81)
      cookie=0xa711cf9f52b99a45, duration=13040.795s, table=1, n_packets=0, n_bytes=0, idle_age=13040, priority=4,dl_vlan=1,dl_dst=fa:16:3e:7c:b9:5c actions=strip_vlan,mod_dl_src:fa:16:3e:a7:de:73,output:5
      cookie=0xa711cf9f52b99a45, duration=2784.786s, table=71, n_packets=13, n_bytes=546, idle_age=48, priority=95,arp,reg5=0x5,in_port=5,dl_src=fa:16:3e:7c:b9:5c,arp_spa=10.14.121.9 actions=NORMAL
     [...]
    
  3. You can grep(1) further, for example for flows to destination port 80:

     root@oscom2:~# ovs-ofctl dump-flows br-int | grep "fa:16:3e:7c:b9:5c" | grep "dst=80"
      cookie=0xa711cf9f52b99a45, duration=2861.990s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+est-rel-rpl,udp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=strip_vlan,output:5
      cookie=0xa711cf9f52b99a45, duration=2861.989s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+est-rel-rpl,tcp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=strip_vlan,output:5
      cookie=0xa711cf9f52b99a45, duration=2861.990s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+new-est,udp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:5  
      cookie=0xa711cf9f52b99a45, duration=2861.989s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+new-est,tcp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:5
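A small parser for the dump-flows output above that does what the grep pipelines do, but structured: it pulls out table, priority, protocol, ct_state, destination port and hit counter per flow so you can read what the firewall tables hold for a given VM MAC. This is an added example, not code from the original post; the sample dump is constructed from the lines shown above plus one invented line for another MAC and port.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample in `ovs-ofctl dump-flows br-int` format: the first three lines mirror
# this page's dump; the last (another MAC, port 443) is invented so the filter excludes it.
SAMPLE_DUMP = """\
 cookie=0xa711cf9f52b99a45, duration=2784.787s, table=0, n_packets=1977, n_bytes=928432, idle_age=3, priority=90,dl_dst=fa:16:3e:7c:b9:5c actions=load:0x5->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,81)
 cookie=0xa711cf9f52b99a45, duration=2861.990s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+est-rel-rpl,udp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=strip_vlan,output:5
 cookie=0xa711cf9f52b99a45, duration=2861.989s, table=82, n_packets=0, n_bytes=0, idle_age=2861, priority=70,ct_state=+new-est,tcp,reg5=0x5,dl_dst=fa:16:3e:7c:b9:5c,tp_dst=80 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:5
 cookie=0xa711cf9f52b99a45, duration=10.000s, table=82, n_packets=0, n_bytes=0, idle_age=10, priority=70,ct_state=+new-est,tcp,reg5=0x7,dl_dst=fa:16:3e:00:00:01,tp_dst=443 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:7
"""
META = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "priority"}
PROTOCOLS = {"tcp", "udp", "icmp", "arp", "ip", "ipv6", "icmp6"}

@dataclass
class Flow:
    table: int
    priority: int
    n_packets: int            # hit counter: a rule with 0 packets has never been matched
    match: Dict[str, str]     # key=value match fields: dl_dst, tp_dst, ct_state, reg5, ...
    proto: Optional[str]      # bare protocol keyword in the match (tcp, udp, arp, ...)
    actions: str

def parse_flows(dump: str) -> List[Flow]:
    """Parse dump-flows text: 'k=v, ...' header, ','-joined match fields, then ' actions='."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line: continue
        left, actions = line.strip().split(" actions=", 1)
        meta, match, proto = {}, {}, None
        for token in (t.strip() for t in left.split(",")):
            if "=" in token:
                key, value = token.split("=", 1)
                (meta if key in META else match)[key] = value
            elif token in PROTOCOLS:
                proto = token
        flows.append(Flow(int(meta["table"]), int(meta.get("priority", 32768)),
                          int(meta["n_packets"]), match, proto, actions))
    return flows

def flows_for(flows: List[Flow], mac: str, tp_dst: Optional[int] = None) -> List[Flow]:
    """Flows that reference the VM MAC in either direction, optionally for one destination port."""
    return [f for f in flows if mac in (f.match.get("dl_dst"), f.match.get("dl_src"))
            and (tp_dst is None or f.match.get("tp_dst") == str(tp_dst))]

def summarize(f: Flow) -> str:
    """One-line digest: table, priority, protocol, conntrack state, port, hit count, actions."""
    return (f"table={f.table} prio={f.priority} {f.proto or 'any'} "
            f"ct_state={f.match.get('ct_state', '-')} tp_dst={f.match.get('tp_dst', '-')} "
            f"pkts={f.n_packets} -> {f.actions}")
```

Feed it the real output of `ovs-ofctl dump-flows br-int` instead of SAMPLE_DUMP and print `summarize()` for `flows_for(flows, mac, 80)`; a table 82 rule whose pkts stays at 0 while traffic is expected tells you the rule exists but is not the one being matched.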