It is possible to enforce security groups on OVS provided you have an OpenFlow
controller instead of the neutron agent managing the OVS switches.


On Tue, Sep 3, 2013 at 10:29 AM, Scott Devoid <dev...@anl.gov> wrote:

> +1 for an answer to this.
>
> The reference documentation suggests running Neutron OVS with a total of 6
> software switches between the VM and public NAT addresses. [1]
> What are the performance differences folks see with this configuration
> vs. the 2 software switch configuration for linux bridge?
>
> [1]
> http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178
>
>
> On Tue, Sep 3, 2013 at 8:34 AM, Lorin Hochstein
> <lo...@nimbisservices.com> wrote:
>
>> (Also asked at
>> https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/
>> )
>>
>> The only security group implementations in neutron seem to be
>> iptables-based. Is it technically possible to implement security groups
>> using openvswitch flow rules, instead of iptables rules?
>>
>> It seems like this would cut down on the complexity associated with the
>> current OVSHybridIptablesFirewallDriver implementation, where we need to
>> create an extra linux bridge and veth pair to work around the
>> iptables-openvswitch issues. (This also breaks if the user happens to
>> install the openvswitch brcompat module).
>>
>> Lorin
>> --
>> Lorin Hochstein
>> Lead Architect - Cloud Services
>> Nimbis Services, Inc.
>> www.nimbisservices.com
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>


-- 
Ravi