I think there is a blueprint for that. Anyway, see idea for current releases below:
>Feel free to tell me this is a bad idea and scold me for even asking, but
>please help me figure out how to do it anyway. This is for a specific tenant
>in a specific lab that was built specifically for that one tenant to do some
>experimental work that requires VMs to route and other VMs to act as
>DHCP/PXEBoot servers.

Therefore all the compute-nodes in that lab can be safely configured to use a firewall_driver in ovs_neutron_plugin.ini that points to a customised firewall class. If using Open vSwitch, this can be a subclass of neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver with the spoofing methods conditionally overridden to be no-ops.

>
>I need to wrap a conditional around this line
>https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L201
>and this line
>https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L241
>for specific VM instances.
>
>The criteria could be something like pattern matching on the instance name, or
>based on a specific flavor image type. I don't much care what the criteria is
>as long as it's something the tenant can control. What I'm hoping someone can

Neutron does not know about flavors or images. But it has ports which have a name attribute that can be set to an arbitrary string, e.g. 'anti_spoof_off'. The name does not need to be unique within the tenant. Then your overridden methods could check for that string. So when the tenant has to create a router or dhcp instance, they would first create the neutron ports with this name, and then pass these port-ids to Nova.

>provide me with is an example line of code or two with which I can examine some
>property of the image that has been created from within the specific file
>referenced above in order to wrap if statements around those two lines of code
>so that I can prevent them from adding those specific iptables rules in the
>specific cases where my tenant needs to either route or respond to DHCP.
>
>Thanks
>
>--
>Paul Carver

_______________________________________________
OpenStack-dev mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
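
The name-gated override suggested in the reply above, as an added example that is not part of the original message and not neutron's code. `StandInFirewallDriver`, its method signatures, the rule strings and the sample ports are all constructed for illustration, and it assumes the port dict handed to the driver carries a `name` key, which should be confirmed on the release in use.

```python
ANTI_SPOOF_OFF = "anti_spoof_off"  # port name suggested in the reply

class StandInFirewallDriver:
    """Hypothetical stand-in for the real driver (not neutron's API)."""

    def _spoofing_rule(self, port, rules):
        # Allow only the port's own MAC/IP pairs, drop everything else.
        for ip in port["fixed_ips"]:
            rules.append("-m mac --mac-source %s -s %s -j RETURN"
                         % (port["mac_address"], ip))
        rules.append("-j DROP")

    def _drop_dhcp_rule(self, port, rules):
        # Stop the VM from answering as a DHCP server.
        rules.insert(0, "-p udp --sport 67 --dport 68 -j DROP")

    def egress_rules(self, port):
        rules = []
        self._spoofing_rule(port, rules)
        self._drop_dhcp_rule(port, rules)
        return rules

class NameGatedFirewallDriver(StandInFirewallDriver):
    """Skips both rules only for ports named exactly ANTI_SPOOF_OFF."""

    def _exempt(self, port):
        # Exact match; a port dict without a name stays protected.
        return port.get("name") == ANTI_SPOOF_OFF

    def _spoofing_rule(self, port, rules):
        if not self._exempt(port):
            super()._spoofing_rule(port, rules)

    def _drop_dhcp_rule(self, port, rules):
        if not self._exempt(port):
            super()._drop_dhcp_rule(port, rules)

def exempt_macs(driver, ports):
    """Audit helper: MACs of ports that get no anti-spoofing rules."""
    return [p["mac_address"] for p in ports if not driver.egress_rules(p)]

# Constructed sample ports (not real data).
PORTS = [
    {"name": "anti_spoof_off", "mac_address": "fa:16:3e:00:00:01", "fixed_ips": ["10.0.0.2"]},
    {"name": "web", "mac_address": "fa:16:3e:00:00:02", "fixed_ips": ["10.0.0.3"]},
    {"mac_address": "fa:16:3e:00:00:03", "fixed_ips": ["10.0.0.4"]},
    {"name": "anti_spoof_off_x", "mac_address": "fa:16:3e:00:00:04", "fixed_ips": ["10.0.0.5"]},
]
```

Running `exempt_macs` over the ports on a compute node gives a list to compare against the ports the tenant is expected to have exempted.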
