
Switch firewall_driver control from Neutron to Nova

asked 2014-09-18 04:39:35 -0500

trung-t-trinh

updated 2014-09-21 21:58:23 -0500

Hello everyone,

Introduction: We are a group of members working on the realization of the PXE net-boot feature that allows a user to launch a VM from the network.

Question: Will OpenStack Nova and Neutron allow switching firewall_driver control from Neutron to Nova? If not, please explain the disadvantage. If so, please state some potential drawbacks.

Scenario: When installing OpenStack (IceHouse release) by using DevStack, by default, firewall_driver control is done completely by Neutron's plugin OVSHybridIptablesFirewallDriver. The OVSHybridIptablesFirewallDriver generates iptables firewall rules that unfortunately drop our PXE net-boot requests (including DHCP and TFTP requests). Could someone help answer why Neutron firewall rules drop this kind of traffic? Consequently, we ought to change the Nova config file and the Neutron config file so that the Neutron firewall_driver is disabled and the Nova firewall_driver is used. In fact, if only Nova's IptablesFirewallDriver is used, then the PXE net-boot requests are passed through. Our change is as follows:

  1. Change the Neutron configuration to disable the generation of firewall rules: in file /etc/neutron/plugins/ml2/ml2_conf.ini, comment out or remove the line: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

  2. Change the Nova configuration to enable the generation of firewall rules: in file /etc/nova/nova.conf, change the line "firewall_driver = nova.virt.firewall.NoopFirewallDriver" to "firewall_driver = nova.virt.firewall.IptablesFirewallDriver"

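The two steps above move rule generation from one layer to the other, and the security-relevant point for an operator is to know, after the change, which layer (if any) is still writing iptables rules for instances. The following added example, which is not part of the question and not OpenStack code, parses the two INI files and reports whether Neutron, Nova, both or neither are configured with a rule-generating driver; a "none" result means instances run with no host-level filtering at all, and a "both" result means two layers will write overlapping rules. The section names [securitygroup] in ml2_conf.ini and [DEFAULT] in nova.conf are assumptions about the Icehouse-era layout, and the sample file contents are constructed to mirror the "before" and "after" states of the question.

```python
"""Audit which OpenStack layer enforces instance firewall rules.

Added example (not from the question or from OpenStack): it reads the
firewall_driver option of ml2_conf.ini and nova.conf and reports whether
Neutron, Nova, both, or neither will generate iptables rules for instances.
"""
import configparser

# Assumed option locations (Icehouse-era layout); adjust if your files differ.
NEUTRON_SECTION = "securitygroup"   # ml2_conf.ini
NOVA_SECTION = "DEFAULT"            # nova.conf

# Driver values quoted in the question.
NEUTRON_OVS_DRIVER = "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver"
NOVA_NOOP_DRIVER = "nova.virt.firewall.NoopFirewallDriver"
NOVA_IPTABLES_DRIVER = "nova.virt.firewall.IptablesFirewallDriver"

# Constructed sample files (not real deployments).
ML2_CONF_BEFORE = f"""
[ml2]
type_drivers = local,flat,vlan,gre,vxlan
[securitygroup]
firewall_driver = {NEUTRON_OVS_DRIVER}
"""
ML2_CONF_AFTER = f"""
[ml2]
type_drivers = local,flat,vlan,gre,vxlan
[securitygroup]
# firewall_driver = {NEUTRON_OVS_DRIVER}
"""
NOVA_CONF_BEFORE = f"""
[DEFAULT]
firewall_driver = {NOVA_NOOP_DRIVER}
"""
NOVA_CONF_AFTER = f"""
[DEFAULT]
firewall_driver = {NOVA_IPTABLES_DRIVER}
"""


def _parse(text):
    """Parse INI text the way oslo.config-style files are laid out."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def _driver_enforces(conf_text, section):
    """True when a rule-generating driver is configured in the given section.

    A missing, commented-out or Noop driver means that layer writes no
    iptables rules for instances.
    """
    driver = _parse(conf_text).get(section, "firewall_driver", fallback="").strip()
    return bool(driver) and "Noop" not in driver


def neutron_enforces(ml2_conf_text):
    return _driver_enforces(ml2_conf_text, NEUTRON_SECTION)


def nova_enforces(nova_conf_text):
    return _driver_enforces(nova_conf_text, NOVA_SECTION)


def assess(ml2_conf_text, nova_conf_text):
    """Return 'neutron', 'nova', 'both' or 'none' for the given pair of files."""
    neutron, nova = neutron_enforces(ml2_conf_text), nova_enforces(nova_conf_text)
    if neutron and nova:
        return "both"      # overlapping rule sets from two layers
    if neutron:
        return "neutron"   # DevStack default described in the question
    if nova:
        return "nova"      # state after steps 1 and 2 of the question
    return "none"          # no host-level filtering of instance traffic


if __name__ == "__main__":
    print("before:", assess(ML2_CONF_BEFORE, NOVA_CONF_BEFORE))
    print("after: ", assess(ML2_CONF_AFTER, NOVA_CONF_AFTER))
```

Run it against real files by reading /etc/neutron/plugins/ml2/ml2_conf.ini and /etc/nova/nova.conf into the two arguments of assess(); the "none" branch is the one worth alerting on, since it is the easy mistake when step 1 is applied without step 2.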

1 answer


answered 2014-09-19 18:00:13 -0500

smaffulli

If I understand your question correctly, you should discuss this on the OpenStack Development mailing list with other Neutron and Nova developers. I don't think that this site is appropriate for this sort of conversation.

