Hi,

> From Roman Sokolkov:
> We use XCP + quantum + tenant VLANs. One XCP box and one Ubuntu 12.04
> box (controller). The nova-compute host is a domU on XCP. The boxes are connected with
> a patch cord and we are able to use VLANs inside.
> There are problems with security groups. They do not work at all.
> We use firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver. 
> And I see expected iptables rules on Dom0, but without any profit. As I 
> understand iptables couldn't work with L2 openvswitch traffic?

Not sure that was tested with VLANs, and I don't think there has (yet) been any 
work to create an OpenVSwitch-based firewall driver. Have you seen specific 
problems with packets getting around the firewall rules when using openvswitch?

I know there were plans for making an OpenVSwitch firewall driver, but there 
are some big performance issues around rule explosion. I don't think there is 
anything penciled in for Folsom right now.

I will get in touch with the networking experts and get back to you.

Thanks,
John

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
