Switch firewall_driver control from Neutron to Nova

Hello everyone,

Introduction: We are a group of members working on the realization of the PXE net-boot feature that allows a user to launch a VM from the network.

Question: Will OpenStack Nova and Neutron allow switching firewall_driver control from Neutron to Nova? If not, please explain the disadvantages. If so, please state some potential drawbacks.

Scenario: When installing OpenStack (IceHouse release) by using DevStack, by default, firewall_driver control is done completely by Neutron's plugin OVSHybridIptablesFirewallDriver. The OVSHybridIptablesFirewallDriver generates iptables firewall rules that unfortunately drop our PXE net-boot requests (including DHCP and TFTP requests). Could someone help answer why Neutron firewall rules drop this kind of traffic? Consequently, we ought to change the Nova config file and the Neutron config file so that the Neutron firewall_driver is disabled and the Nova firewall_driver is used. In fact, if only Nova's IptablesFirewallDriver is used, then the PXE net-boot requests are passed through. Our change is as follows:

  1. Change the Neutron configuration to disable the generation of firewall rules: in the file /etc/neutron/plugins/ml2/ml2_conf.ini, comment out or remove the line: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

  2. Change the Nova configuration to enable the generation of firewall rules: in the file /etc/nova/nova.conf, change the line "firewall_driver = nova.virt.firewall.NoopFirewallDriver" to "firewall_driver = nova.virt.firewall.IptablesFirewallDriver"
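The two-step change above moves security-group enforcement from one layer to the other, and the risky outcome is doing only step 1: with Neutron's driver removed and Nova still on NoopFirewallDriver, instances run with no security-group rules at all. The following checker is an added example (not code from the question or from OpenStack) that parses the two files named above and reports which layer owns the iptables rules. It assumes the Icehouse layout, with Neutron's `firewall_driver` under `[securitygroup]` in ml2_conf.ini and Nova's under `[DEFAULT]` in nova.conf; the sample file contents are constructed for the demonstration.

```python
"""Report which OpenStack layer generates security-group iptables rules.

Added example, not part of the original question. Assumes the Icehouse
config layout: Neutron's firewall_driver is in the [securitygroup] section
of /etc/neutron/plugins/ml2/ml2_conf.ini, Nova's is in [DEFAULT] of
/etc/nova/nova.conf.
"""
import configparser
import io

NOVA_NOOP = "nova.virt.firewall.NoopFirewallDriver"
NEUTRON_NOOP = "neutron.agent.firewall.NoopFirewallDriver"

# Constructed sample contents: the DevStack default described in the
# question (Neutron enforces, Nova is Noop) ...
DEFAULT_ML2 = """[ml2]
type_drivers = local,flat,vlan,gre,vxlan

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
DEFAULT_NOVA = """[DEFAULT]
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""
# ... and the same files after the question's two-step change.
MODIFIED_ML2 = """[ml2]
type_drivers = local,flat,vlan,gre,vxlan

[securitygroup]
enable_security_group = True
# firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
MODIFIED_NOVA = """[DEFAULT]
security_group_api = neutron
firewall_driver = nova.virt.firewall.IptablesFirewallDriver
"""


def _load(text):
    """Parse INI text; strict=False tolerates duplicate keys seen in real files."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def neutron_enforces(ml2_text):
    """True if Neutron's agent is configured to generate firewall rules."""
    cp = _load(ml2_text)
    if not cp.has_section("securitygroup"):
        return False
    driver = cp.get("securitygroup", "firewall_driver", fallback="").strip()
    enabled = cp.getboolean("securitygroup", "enable_security_group", fallback=True)
    return enabled and bool(driver) and driver != NEUTRON_NOOP


def nova_enforces(nova_text):
    """True if nova-compute is configured to generate firewall rules."""
    cp = _load(nova_text)
    driver = cp.get("DEFAULT", "firewall_driver", fallback="").strip()
    return bool(driver) and driver != NOVA_NOOP


def classify(ml2_text, nova_text):
    """Return 'neutron', 'nova', 'both' (double enforcement) or 'none'."""
    neutron, nova = neutron_enforces(ml2_text), nova_enforces(nova_text)
    if neutron and nova:
        return "both"
    if neutron:
        return "neutron"
    if nova:
        return "nova"
    return "none"


if __name__ == "__main__":
    cases = {
        "DevStack default": (DEFAULT_ML2, DEFAULT_NOVA),
        "after both steps": (MODIFIED_ML2, MODIFIED_NOVA),
        "only step 1 done": (MODIFIED_ML2, DEFAULT_NOVA),
        "only step 2 done": (DEFAULT_ML2, MODIFIED_NOVA),
    }
    for name, (ml2, nova) in cases.items():
        owner = classify(ml2, nova)
        flag = "  <-- no security-group enforcement" if owner == "none" else ""
        print(f"{name:18s}: rules owned by {owner}{flag}")
```

Run it against the live files with `classify(open(ml2_path).read(), open(nova_path).read())`; a result of `none` means step 1 was applied without step 2, and `both` means both layers are programming iptables for the same ports, which is the configuration the DevStack default avoids.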

1 answer

answered 2014-09-19 18:00:13 -0600

smaffulli

If I understand your question correctly, you should discuss this on the OpenStack Development mailing list with other Neutron and Nova developers. I don't think that this site is appropriate for this sort of conversation.

