Ask Your Question
0

Security groups with OVS instead of iptables?

asked 2013-08-31 14:54:20 -0500

lorin gravatar image

The only security group implementations in neutron seem to be iptables-based. Is it technically possible to implement security groups using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the current OVSHybridIptablesFirewallDriver implementation, where we need to create an extra linux bridge and veth pair to work around the iptables-openvswitch issues.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2013-09-03 10:00:20 -0500

mestery gravatar image

This would technically be possible, yes. Nachi and I have talked about this in the past. Reducing complexity would be a nice side benefit. Perhaps this is something to discuss at the Icehouse Summit. If there is enough interest we can setup a design summit session to discuss this.

edit flag offensive delete link more

Comments

What are the other benefits?

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-09-03 11:43:51 -0500 )edit
add a comment
1

answered 2013-09-03 11:41:53 -0500

darragh-oreilly gravatar image

If the aim is to reduce complexity by reducing the number of bridges, then I guess you are suggesting to implement security group rules as flows on br-int? I'm not sure if this would really reduce overall complexity. I think it just make the code that manages br-int and the flows on it very complex instead.

Is the hyrid driver really that complex? - it just creates a Linux bridge between the VIF and br-int. And I think the bulk of the complex code for the iptables rules is being reused by other plugins, like the Linux bridge plugin.

edit flag offensive delete link more

Comments

I think the hybrid driver presents more complexity to the operator, who sees additional devices present on the system. (Also, brcompat issue). If the op never had to interact with secgroup ovs flow rules, I think it would reduce admin complexity. If the op had to troubleshoot them, then maybe worse.

lorin gravatar imagelorin ( 2013-09-03 11:57:28 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-08-31 14:54:20 -0500

Seen: 902 times

Last updated: Sep 03 '13

Related questions

DHCP request does not reach tapXXX (qdhcp-XXX) network interface

How to write rules in neutron (openvswitch) bridges?

Improving neutron openvswitch performance

vNIC ordering inside VM

Lbaas in Kilo error

how to quota for specific subnet!

see number of free floating ips?

Available FloatingIP's in pool

can't get IP when I working with GRE

VM network interface reordering