Ask Your Question
0

Security groups with OVS instead of iptables?

asked 2013-08-31 14:54:20 -0500

lorin gravatar image

The only security group implementations in neutron seem to be iptables-based. Is it technically possible to implement security groups using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the current OVSHybridIptablesFirewallDriver implementation, where we need to create an extra linux bridge and veth pair to work around the iptables-openvswitch issues.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2013-09-03 10:00:20 -0500

mestery gravatar image

This would technically be possible, yes. Nachi and I have talked about this in the past. Reducing complexity would be a nice side benefit. Perhaps this is something to discuss at the Icehouse Summit. If there is enough interest we can setup a design summit session to discuss this.

edit flag offensive delete link more

Comments

What are the other benefits?

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-09-03 11:43:51 -0500 )edit
add a comment
1

answered 2013-09-03 11:41:53 -0500

darragh-oreilly gravatar image

If the aim is to reduce complexity by reducing the number of bridges, then I guess you are suggesting to implement security group rules as flows on br-int? I'm not sure if this would really reduce overall complexity. I think it just make the code that manages br-int and the flows on it very complex instead.

Is the hyrid driver really that complex? - it just creates a Linux bridge between the VIF and br-int. And I think the bulk of the complex code for the iptables rules is being reused by other plugins, like the Linux bridge plugin.

edit flag offensive delete link more

Comments

I think the hybrid driver presents more complexity to the operator, who sees additional devices present on the system. (Also, brcompat issue). If the op never had to interact with secgroup ovs flow rules, I think it would reduce admin complexity. If the op had to troubleshoot them, then maybe worse.

lorin gravatar imagelorin ( 2013-09-03 11:57:28 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-08-31 14:54:20 -0500

Seen: 867 times

Last updated: Sep 03 '13

Related questions

OpenvSwitch vs Ryu plugin

neutron-openvswitch port - how to disable source IP address checking?

error processing package neutron-plugin-openvswitch-agent

Why are packets not being forwarded from physical port to bridge?

No gre port in Bridge br-tun

Router external interface DOWN

Does the neutron support IP packet fragmentation ?

GRE inside Openstack Instances

Multiple external subnets

icehouse dhcp tap-port issue