Ask Your Question
0

Security groups with OVS instead of iptables?

asked 2013-08-31 14:54:20 -0600

lorin gravatar image

The only security group implementations in neutron seem to be iptables-based. Is it technically possible to implement security groups using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the current OVSHybridIptablesFirewallDriver implementation, where we need to create an extra linux bridge and veth pair to work around the iptables-openvswitch issues.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2013-09-03 10:00:20 -0600

mestery gravatar image

This would technically be possible, yes. Nachi and I have talked about this in the past. Reducing complexity would be a nice side benefit. Perhaps this is something to discuss at the Icehouse Summit. If there is enough interest we can setup a design summit session to discuss this.

edit flag offensive delete link more

Comments

What are the other benefits?

darragh-oreilly gravatar imagedarragh-oreilly ( 2013-09-03 11:43:51 -0600 )edit
add a comment
1

answered 2013-09-03 11:41:53 -0600

darragh-oreilly gravatar image

If the aim is to reduce complexity by reducing the number of bridges, then I guess you are suggesting to implement security group rules as flows on br-int? I'm not sure if this would really reduce overall complexity. I think it just make the code that manages br-int and the flows on it very complex instead.

Is the hyrid driver really that complex? - it just creates a Linux bridge between the VIF and br-int. And I think the bulk of the complex code for the iptables rules is being reused by other plugins, like the Linux bridge plugin.

edit flag offensive delete link more

Comments

I think the hybrid driver presents more complexity to the operator, who sees additional devices present on the system. (Also, brcompat issue). If the op never had to interact with secgroup ovs flow rules, I think it would reduce admin complexity. If the op had to troubleshoot them, then maybe worse.

lorin gravatar imagelorin ( 2013-09-03 11:57:28 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2013-08-31 14:54:20 -0600

Seen: 855 times

Last updated: Sep 03 '13

Related questions

openvswitch, missing phy-br-eth1 and int-br-eth1

Error received from ovsdb monitor

Router namespace issue;cannot connect to Openstack instances

Neutron/openvswitch not working, how to debug

simple network configuration

Can not ping outside world when using NAT-VM / VPN

Network not working as expected

Openstack fails to spawn instance!

MACVLAN not working on qg interface of qrouter

Auto Assign Floating IP