
How do you make the iptables work compatibly with Open Vswitch?

asked 2013-08-20 00:26:49 -0500

zhangx126

updated 2013-08-20 03:21:27 -0500

darragh-oreilly

Hi, now I want to use iptables to control VMs, but it seems Open vSwitch does not work well with iptables.

It seems the "openstack security group" feature has solved this problem. How do you make it work?


1 answer


answered 2013-08-20 03:15:04 -0500

darragh-oreilly

You need to use the LibvirtHybridOVSBridgeDriver VIF driver. Then each VIF gets connected to br-int via its own Linux bridge, and the iptables rules are applied on the Linux bridge devices. The connections will look like:

tap12345678-12 --> qbr12345678-12 --> qvb12345678-12 --(veth)--> qvo12345678-12 --> br-int

So here the VM is connected to tap12345678-12, which is plugged into Linux bridge qbr12345678-12, which is connected to br-int with a veth pair.

To use this driver and Quantum security groups, you need these lines in nova.conf:

security_group_api = quantum
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver

And these lines in ovs_quantum_plugin.ini:

firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
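An audit of the settings listed in the answer above, added here as an example; it is not part of the original answer or of OpenStack's code. It assumes the keys may sit in any INI section (the sample section names are assumptions), that device names are a prefix plus the first 11 characters of the port ID (matching the tap12345678-12 pattern shown), and it runs on constructed sample files.

```python
import configparser

# Settings quoted in the answer, keyed by the file they belong to.
REQUIRED = {
    "nova.conf": {
        "security_group_api": "quantum",
        "libvirt_vif_driver": "nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver",
        "firewall_driver": "nova.virt.firewall.NoopFirewallDriver",
    },
    "ovs_quantum_plugin.ini": {
        "firewall_driver": "quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver",
    },
}

def find_option(text, key):
    """Return the value of key from any section of the INI text, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in [cp.default_section] + cp.sections():
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None

def audit(filename, text):
    """Return (key, expected, actual) for each setting that is missing or different."""
    wanted = REQUIRED[filename].items()
    return [(k, v, find_option(text, k)) for k, v in wanted if find_option(text, k) != v]

def hybrid_chain(port_id):
    """Devices expected for one port, in the order drawn in the answer.
    Assumption: each name is a prefix plus the first 11 characters of the port ID."""
    return [p + port_id[:11] for p in ("tap", "qbr", "qvb", "qvo")] + ["br-int"]

# Constructed sample: nova.conf that still points at a nova-side iptables driver.
SAMPLE_NOVA = """[DEFAULT]
security_group_api = quantum
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
"""
# Constructed sample: plugin file; the section name is an assumption.
SAMPLE_PLUGIN = """[SECURITYGROUP]
firewall_driver = quantum.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""

if __name__ == "__main__":
    for name, text in (("nova.conf", SAMPLE_NOVA), ("ovs_quantum_plugin.ini", SAMPLE_PLUGIN)):
        for key, expected, actual in audit(name, text):
            print(f"{name}: {key} is {actual!r}, expected {expected!r}")
    print(" -> ".join(hybrid_chain("12345678-1234-5678-9abc-def012345678")))
```

The device names from `hybrid_chain` can be compared against the output of `brctl show` and `ovs-vsctl show` on the compute node to confirm that each port is wired through its own Linux bridge.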


Could Linux Bridge work together with OVS? When installing Open vSwitch, the Linux bridge mode should be removed, or there will be an "openvswitch: exports duplicate symbol br_should_route_hook (owned by bridge)" error.

zhangx126 (2013-08-20 03:30:09 -0500)

Yes, OVS and Linux bridge can work together. What OS+version are you on?

darragh-oreilly (2013-08-20 03:36:36 -0500)

I use Suse 11.2 and Open vSwitch 1.4.

zhangx126 (2013-08-20 03:42:43 -0500)

Sorry, I don't know Suse. You might have to build OVS from source, or maybe just the kernel module. Don't use the bridge compatibility module.

darragh-oreilly (2013-08-20 03:49:26 -0500)

Thanks very much, it works when I do not use the brcompatd module.

zhangx126 (2013-08-20 05:00:39 -0500)
