SR-IOV and policy enforcement with a firewall

asked 2014-10-23 06:58:58 -0500

Sam Whitlock gravatar image

updated 2014-10-23 07:00:12 -0500

I like the new SR-IOV stuff for Neutron / Nova in Juno, but in this wiki page, it says that the NoopFirewallDriver must be used. This makes sense because the iptables-based mechanisms won't work in the SR-IOV context.

How can I have a firewalled environment while using SR-IOV?

My setup is flexible, but I can have a "network node" (another server) running the OVS agent in between several SR-IOV-based compute nodes (not running OVS and the iptables firewall), acting as a software switch (i.e. without a physical switch in between; a direct cable). However, the OVS agent only applies rules for ports that are on the same box.

Essentially, I want to basically have a firewall by moving the integration bridge off the compute nodes and putting it one hop away in on a directly-connected server running Open vSwitch. Is this possible, and if so, how can I do it (at least at a high level)?

edit retag flag offensive close merge delete


maybe put instances that need to be firewalled from each other on different subnets, and use FWaaS between subnets,

darragh-oreilly gravatar imagedarragh-oreilly ( 2014-12-18 11:56:30 -0500 )edit