Ask Your Question
0

Security groups with OVS instead of iptables?

asked 2013-08-31 14:54:20 -0500

lorin gravatar image

The only security group implementations in neutron seem to be iptables-based. Is it technically possible to implement security groups using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the current OVSHybridIptablesFirewallDriver implementation, where we need to create an extra linux bridge and veth pair to work around the iptables-openvswitch issues.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2013-09-03 10:00:20 -0500

mestery gravatar image

This would technically be possible, yes. Nachi and I have talked about this in the past. Reducing complexity would be a nice side benefit. Perhaps this is something to discuss at the Icehouse Summit. If there is enough interest we can setup a design summit session to discuss this.

edit flag offensive delete link more

Comments

What are the other benefits?

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-09-03 11:43:51 -0500 )edit
add a comment
1

answered 2013-09-03 11:41:53 -0500

darragh-oreilly gravatar image

If the aim is to reduce complexity by reducing the number of bridges, then I guess you are suggesting to implement security group rules as flows on br-int? I'm not sure if this would really reduce overall complexity. I think it just make the code that manages br-int and the flows on it very complex instead.

Is the hyrid driver really that complex? - it just creates a Linux bridge between the VIF and br-int. And I think the bulk of the complex code for the iptables rules is being reused by other plugins, like the Linux bridge plugin.

edit flag offensive delete link more

Comments

I think the hybrid driver presents more complexity to the operator, who sees additional devices present on the system. (Also, brcompat issue). If the op never had to interact with secgroup ovs flow rules, I think it would reduce admin complexity. If the op had to troubleshoot them, then maybe worse.

lorin gravatar imagelorin ( 2013-09-03 11:57:28 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-08-31 14:54:20 -0500

Seen: 988 times

Last updated: Sep 03 '13

Related questions

Cannot provision gre network [closed]

ovs gre tunnel problem. Dosent show up after ovs agent restart.

GRE tunnels not being created [closed]

how to conf the quantum of f3

why port tun automatically create after restarted

how to force nova to use openvswitch?

Openstack network error - RTNETLINK answers: File exists

Neutron-ovs-cleanup delete interfaces

neutron public subnet wrong IP

Create a Network Toplogy via Dashboard