
Revision history

initial version

SR-IOV and policy enforcement with a firewall

I like the new SR-IOV stuff for Neutron / Nova in Juno, but in this wiki page, it says that the NoopFirewallDriver must be used. This makes sense because the iptables-based mechanisms won't work in the SR-IOV context.

_How can I have a firewalled environment while using SR-IOV?_

My setup is flexible, but I can have a "network node" (another server) running the OVS agent in between several SR-IOV-based compute nodes (not running OVS and the iptables firewall), acting as a software switch (i.e. without a physical switch in between; a direct cable). _However_, the OVS agent only applies rules for ports that are on the same box.

Essentially, I want to basically have a firewall by moving the integration bridge off the compute nodes and putting it one hop away on a directly-connected server running Open vSwitch. _Is this possible?_


latest revision

SR-IOV and policy enforcement with a firewall

I like the new SR-IOV stuff for Neutron / Nova in Juno, but in this wiki page, it says that the NoopFirewallDriver must be used. This makes sense because the iptables-based mechanisms won't work in the SR-IOV context.

How can I have a firewalled environment while using SR-IOV?

My setup is flexible, but I can have a "network node" (another server) running the OVS agent in between several SR-IOV-based compute nodes (not running OVS and the iptables firewall), acting as a software switch (i.e. without a physical switch in between; a direct cable). However, the OVS agent only applies rules for ports that are on the same box.

Essentially, I want to basically have a firewall by moving the integration bridge off the compute nodes and putting it one hop away on a directly-connected server running Open vSwitch. Is this possible, and if so, how can I do it (at least at a high level)?