The nova libvirt driver provides support for ebtables-based port filtering (using libvirt's nwfilter) to prevent things like MAC, IP and/or ARP spoofing. I've been looking into deprecating this as part of the move to deprecate all things nova-network'y, but it appears that, in some scenarios, it is possible to use this feature with neutron. To do so, the following must be true:
- neutron's own port filtering must be disabled (as reported in the port binding)
- security groups must be disabled
- the 'firewall_driver' configuration option must be set to 'libvirt.firewall.IptablesFirewallDriver'
- you must be using linux bridge in some capacity, either as your main networking backend or through the use of hybrid interfaces

It took me a long time to identify that this feature even existed, due to a lack of documentation on the matter and the fact that the code is very intertwined with nova-network code. Given this lack of documentation, the explicit action required to disable both security groups and neutron's own port filtering, and nova's long standing recommendation that one set 'firewall_driver' to the 'NoopFirewallDriver' when using neutron, I'm unsure if anyone is actually using this. Could anyone that /is/ using this please make yourself known. If no one is, this feature is providing a good deal of complexity for little ROI, and I can deprecate and remove it.

Cheers,
Stephen

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

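An added example, not part of Stephen's message or of nova's own code: a small check an operator can run to see whether a compute host could be relying on the libvirt nwfilter (ebtables) path described above. It tests the four conditions from the post against a nova.conf fragment and a neutron port record. The neutron port field names used (`binding:vif_type`, `binding:vif_details` with `port_filter` and `ovs_hybrid_plug`, `port_security_enabled`, `security_groups`) are standard neutron port API attributes; the sample nova.conf and port records are constructed for the example, and the check deliberately treats an unset `firewall_driver` as "not determined" rather than guessing the nova default.

```python
"""Added example (not from the mailing-list post or from nova): report
whether the libvirt nwfilter port-filtering path could be active for a
given neutron port on a host with the given nova.conf.

Assumptions: the four conditions listed in the post; standard neutron
port API field names; constructed sample inputs."""
import configparser

# Both the short form quoted in the post and the fully qualified class path.
NWFILTER_DRIVERS = {
    "libvirt.firewall.IptablesFirewallDriver",
    "nova.virt.libvirt.firewall.IptablesFirewallDriver",
}


def firewall_driver(nova_conf_text):
    """Return the explicitly configured [DEFAULT] firewall_driver, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nova_conf_text)
    return cp.get("DEFAULT", "firewall_driver", fallback=None)


def uses_linux_bridge(port):
    """Linux bridge is in play either as the backend (vif_type 'bridge')
    or through the OVS hybrid plug, which inserts a linux bridge per port."""
    details = port.get("binding:vif_details", {})
    return port.get("binding:vif_type") == "bridge" or bool(
        details.get("ovs_hybrid_plug", False))


def nwfilter_path_active(nova_conf_text, port):
    """Return (active, reasons). active is True only when every condition
    from the post holds; reasons lists the conditions that are NOT met so
    the operator can see which one keeps the legacy path switched off."""
    reasons = []
    details = port.get("binding:vif_details", {})

    driver = firewall_driver(nova_conf_text)
    if driver is None:
        reasons.append("firewall_driver not set explicitly; "
                       "check your nova version's default before concluding")
    elif driver not in NWFILTER_DRIVERS:
        reasons.append("firewall_driver is %s, not IptablesFirewallDriver" % driver)

    if details.get("port_filter", False):
        reasons.append("neutron reports port_filter=True in the binding")

    if port.get("port_security_enabled", True) or port.get("security_groups"):
        reasons.append("port security / security groups still enabled")

    if not uses_linux_bridge(port):
        reasons.append("no linux bridge (vif_type is not 'bridge' and no hybrid plug)")

    return (not reasons, reasons)


# Constructed sample inputs (not from any real deployment).
LEGACY_NOVA_CONF = """[DEFAULT]
firewall_driver = libvirt.firewall.IptablesFirewallDriver
"""

RECOMMENDED_NOVA_CONF = """[DEFAULT]
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""

LEGACY_PORT = {
    "binding:vif_type": "bridge",
    "binding:vif_details": {"port_filter": False},
    "port_security_enabled": False,
    "security_groups": [],
}

TYPICAL_PORT = {
    "binding:vif_type": "ovs",
    "binding:vif_details": {"port_filter": True, "ovs_hybrid_plug": True},
    "port_security_enabled": True,
    "security_groups": ["constructed-sg-id"],
}

if __name__ == "__main__":
    for label, conf, port in (("legacy", LEGACY_NOVA_CONF, LEGACY_PORT),
                              ("typical", RECOMMENDED_NOVA_CONF, TYPICAL_PORT)):
        active, why = nwfilter_path_active(conf, port)
        print(label, "nwfilter path active:", active, why)
```

Run it against your own nova.conf and the output of `openstack port show -f json <port>` (building the dict from the JSON); a `(True, [])` result is the signal that you are one of the deployments the post is asking about.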