Hi Valentin,

Also we had issues with iptables (kernel 3.5.4) and Open vSwitch 1.7, which versions are you using?

Cheers
Ruben

On Thu, Oct 11, 2012 at 4:09 PM, Jaime Melis <[email protected]> wrote:
> Hi Valentin,
>
> would you be willing to share your modified drivers of openvswitch + iptables?
>
> For OpenNebula 3.8 we are going to release a firewall implementation
> using openflow in the openvswitch driver, but we'd like to also
> evaluate the other iptables option.
>
> Thanks a lot!
>
> cheers,
> Jaime
>
> On Wed, Oct 10, 2012 at 6:36 PM, Valentin Bud <[email protected]> wrote:
>>
>> On Wed, Oct 10, 2012 at 7:25 PM, Ruben S. Montero <[email protected]> wrote:
>>>
>>> > Let's assume a standard configuration with 2 networks: public and
>>> > internal.
>>> > - Is it possible to configure multiple filtering types on the same cloud
>>> > and on the same virtual instance?
>>> > (ebtables for public, vlan/openvswitch for the internal)
>>>
>>> Virtual Network drivers are defined per host and not per network (in
>>> fact some of the technologies do not play together quite well, e.g.
>>> iptables and ovswitch, when used in the same host).
>>>
>>> You can however define different clusters with different network
>>> technology for the hosts, and then associate virtual networks to
>>> each cluster (public network to cluster public). Note that VMs will not
>>> be able to use both networks at the same time.
>>
>> Or you can use ovswitch and set the iptables rules using pre/clean/post
>> scripts. I use this approach to load firewall rules based on the role the VM
>> has in the network. It works. I unload the rules when the VM stops. The role
>> is set up by subdomain in some cases and by CONTEXT variables in others.
>> Each role translates to a chain in iptables.
>>
>> To keep the number of chains to a minimum I insert a rule in the INPUT chain to
>> direct traffic to the VM IP to the `ROLE` chain.
>>
>> The iptables rules are written in a file `role`.iptables and the pre script adds them;
>> the clean script deletes them at VM shutdown.
>> If you want to use this approach don't forget to properly set up sudo rules.
>>
>> I also use the above approach to set up ebtables rules.
>>
>>> In your specific case, I think you can simply not set the VLAN
>>> attribute in the public network template; this will bypass the vlan
>>> processing in the 802.1Q and ovswitch drivers.
>>>
>>> > I'm asking this because I would like to avoid a public vlan for each
>>> > customer on the public side (this will need a router reconfiguration
>>> > every time, to add the proper gateway on the same broadcast domain of
>>> > the customer in each vlan)
>>> >
>>> > - Is it possible, for a customer, to create a sort of PVLAN where a part
>>> > of its internal network will be isolated from other virtual machines
>>> > (same customer and same vlan)? For example, let's assume that
>>> > customer1 has 5 VPS: vps1, vps2...vps5.
>>> > VPS1 should communicate only with VPS4 in a sort of custom vlan. I
>>> > have a VLAN, on the private side, for each customer and I would like to
>>> > give customers the capability to create some communication groups.
>>>
>>> I'd recommend to take a look at the virtual appliance router, simply
>>> add a virtual with a NIC in both networks
>>>
>>> http://opennebula.org/documentation:rel3.8:router
>>>
>>> > - Accounting: at which frequency are accounting data saved in the DB? This
>>> > is very important for us, as we will use this to invoice customers.
>>> > Will it be possible to touch the real number of seconds that an instance
>>> > was ON and the real number of seconds that an instance was paused but
>>> > with data still present on the node (no cpu/ram utilization but only
>>> > disk utilization)?
>>> > _______________________________________________
>>> > Users mailing list
>>> > [email protected]
>>> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>> --
>>> Ruben S. Montero, PhD
>>> Project co-Lead and Chief Architect
>>> OpenNebula - The Open Source Solution for Data Center Virtualization
>>> www.OpenNebula.org | [email protected] | @OpenNebula
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | [email protected]

--
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | [email protected] | @OpenNebula
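The pre/clean hook approach Valentin describes in the quoted message (one shared iptables chain per role, plus one jump rule per VM IP, loaded by the pre script and removed by the clean script), written out as an added example. This is not code from the thread and not OpenNebula's vnm driver; it is mine, and it rests on hypothetical assumptions: the hook is invoked as `pre ROLE VM_IP` / `clean ROLE VM_IP`, rule files live in a directory of my choosing (`RULES_DIR`), and the jump sits in `FORWARD` rather than `INPUT`, because bridged guest traffic traverses the host's FORWARD chain when `bridge-nf-call-iptables` is enabled (set `HOOK_CHAIN` to whatever your traffic path actually hits). Two choices are also mine rather than the thread's: the role name is validated before it becomes a chain or file name, since a CONTEXT variable comes from the VM template and is tenant-influenced, and the role chain opens with a conntrack rule so that connections the VM initiates get their replies, and closes with `DROP`. `DRY_RUN=1` prints the iptables commands instead of running them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example (not OpenNebula's driver code, not Valentin's scripts): per-role
# iptables chains for VMs, loaded from a "pre" hook and detached from a "clean" hook.
# Assumed (hypothetical) layout: $RULES_DIR/<role>.iptables holds one rule per line,
# written as the arguments that follow "iptables -A <ROLE>", e.g. "-p tcp --dport 80 -j ACCEPT".

RULES_DIR="${RULES_DIR:-/var/lib/one/remotes/vnm/roles}"   # assumed location
HOOK_CHAIN="${HOOK_CHAIN:-FORWARD}"   # bridged guest traffic hits FORWARD with bridge-nf-call-iptables=1
IPT_BIN="${IPT_BIN:-iptables}"        # e.g. "sudo iptables" when the hook runs as oneadmin

# Wrapper so the same script can be reviewed with DRY_RUN=1 (prints instead of running).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
        # Report a rule check (-C) as "absent" so the insert/delete branches are shown.
        [ "$1" != "-C" ]
    else
        $IPT_BIN "$@"
    fi
}

# The role comes from a subdomain or a CONTEXT variable (tenant-influenced input)
# and becomes both a chain name and a file name: allow only [A-Za-z0-9_].
valid_role() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Dotted-quad check, so the VM address cannot smuggle extra iptables arguments.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Create (or refresh) the ROLE chain from its rule file; shared by every VM of that role.
load_role_chain() {
    role=$1
    valid_role "$role" || { echo "load_role_chain: invalid role '$role'" >&2; return 1; }
    file="$RULES_DIR/$role.iptables"
    [ -r "$file" ] || { echo "load_role_chain: no rule file $file" >&2; return 1; }
    ipt -N "$role" 2>/dev/null || true   # -N fails harmlessly when the chain already exists
    ipt -F "$role"                        # rebuild from the file so repeated runs are idempotent
    # Replies to connections the VM opened must pass before the per-port rules.
    ipt -A "$role" -m state --state ESTABLISHED,RELATED -j ACCEPT
    set -f                                # rule lines are word-split on purpose; no globbing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        ipt -A "$role" $line
    done < "$file"
    set +f
    ipt -A "$role" -j DROP                # default deny for anything the role did not allow
}

# Per-VM glue: send traffic for VM_IP through the ROLE chain. The -C check
# (iptables 1.4.11+) avoids stacking a duplicate jump if pre runs twice for a VM.
attach_vm() {
    role=$1; ip=$2
    valid_role "$role" || return 1
    valid_ipv4 "$ip" || { echo "attach_vm: invalid IP '$ip'" >&2; return 1; }
    ipt -C "$HOOK_CHAIN" -d "$ip" -j "$role" 2>/dev/null \
        || ipt -I "$HOOK_CHAIN" -d "$ip" -j "$role"
}

# Clean hook: remove only this VM's jump; the ROLE chain stays for other VMs of that role.
detach_vm() {
    role=$1; ip=$2
    valid_role "$role" && valid_ipv4 "$ip" || return 1
    ipt -D "$HOOK_CHAIN" -d "$ip" -j "$role"
}

# Hook entry point (assumed calling convention): "pre ROLE VM_IP" or "clean ROLE VM_IP".
case "${1:-}" in
    pre)   load_role_chain "$2" && attach_vm "$2" "$3" ;;
    clean) detach_vm "$2" "$3" ;;
esac
```

When the hooks run as the oneadmin user, set `IPT_BIN="sudo iptables"` and keep the sudoers entry confined to that one binary; that is the sudo setup Valentin warns about. Running `DRY_RUN=1 ./hook pre web 10.0.0.5` shows exactly which rules a role would install before anything touches the host's tables.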
