Is the neutron port-security extension available for ML2 linux-bridge?

asked 2015-07-27 13:03:42 -0500

CharlesBoyo gravatar image


I have an OpenStack Juno environment and I am trying to integrate my Nova instances with other physical machines on the same network. Neutron networking is based on ML2 linux-bridge plugin with VLAN segmentation.

The security-groups feature is installing anti-spoof rules for non-instance traffic and DHCP server traffic. This is getting in the way of using virtual instances as routers and DHCP servers.

The port-security extension is supposed to make it possible to disable the automatic iptables rules but attempts to use the port_security_enabled attribute while creating ports end with an error: Unrecognized attribute(s) 'port_security_enabled' (HTTP 400) (Request-ID: req-eb10a181-4109-40ca-ad54-2d3f2a82285a)

The port-security extension was implemented for ML2 with OVS in Kilo but I cannot seem to find any similar implementation for linux-bridge.

Please can you point me in the direction of similar functionality for ML2 with the linux-bridge mechanism driver? Or it is forbidden for any reason?

edit retag flag offensive close merge delete


the ovs and lb agents use pretty much the same security group code. Do you have extension_drivers = port_security in the ml2 conf file? Does the port_security_enabled attribute appear in net-show or port-show?

darragh-oreilly gravatar imagedarragh-oreilly ( 2015-07-29 13:36:23 -0500 )edit