[ovs-discuss] Playing with libvirt, iptables and Open vSwitch

Jesse Gross jesse at nicira.com
Thu Dec 12 17:43:27 UTC 2013


On Thu, Dec 12, 2013 at 2:24 AM, Yoann Juet <yoann.juet at univ-nantes.fr> wrote:
> Hi all,
>
> We have been using libvirt with KVM guest machines and Linux bridges for a
> long time. Firewall rules based on iptables and defined on the host server
> control inbound/outbound traffic to/from each VM. In order to improve remote
> administration facility and get extra services, it makes sense for us to
> replace Linux bridges with Open vSwitch. However, the side effect is the
> solution's inability to filter (with netfilter/iptables) VM traffic since
> it's impossible to set up iptables rules with ovs bridges. OpenStack/Quantum
> circumvents this problem (not talking about performance) by setting an extra
> Linux bridge and veth pair between the guest TAP and ovs.
>
> Is there {a simple|an alternative} solution to achieve it without installing
> the OpenStack/Quantum layer?

It's possible to configure the same thing manually by connecting
multiple bridges. You might also be able to write your iptables rules
using OpenFlow directly, which would be the most efficient.
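
Added example, not part of the original message or of Open vSwitch: a sketch of the second suggestion above, translating a small subset of iptables rule specs into flow strings for ovs-ofctl. The sample rules, the 192.0.2.10 guest address and the function names are assumptions; rules that depend on connection state are refused rather than translated, because these flows are stateless.

```python
import shlex

PROTOS = {"tcp", "udp", "icmp"}
# iptables option -> ovs-ofctl match field (only the subset this sketch handles)
FIELDS = {"-s": "nw_src", "-d": "nw_dst", "--sport": "tp_src", "--dport": "tp_dst"}
ACTIONS = {"ACCEPT": "normal", "DROP": "drop"}

# Constructed sample rules for one guest at 192.0.2.10 (documentation address).
SAMPLE_RULES = [
    "-A FORWARD -d 192.0.2.10 -p tcp --dport 22 -j ACCEPT",
    "-A FORWARD -s 192.0.2.10 -j ACCEPT",
    "-A FORWARD -d 192.0.2.10 -p icmp -j ACCEPT",
]

def rule_to_flow(rule, priority):
    """Translate one iptables rule spec into an ovs-ofctl flow string."""
    tokens = shlex.split(rule)
    if len(tokens) % 2:
        raise ValueError(f"option without a value in: {rule}")
    proto, matches, action = "ip", [], None
    for opt, val in zip(tokens[0::2], tokens[1::2]):
        if opt == "-A" or (opt == "-m" and val in ("tcp", "udp")):
            continue  # chain name and implicit protocol modules carry no match
        if opt == "-p" and val in PROTOS:
            proto = val
        elif opt in FIELDS and (opt in ("-s", "-d") or val.isdigit()):
            matches.append(f"{FIELDS[opt]}={val}")  # single ports only, no ranges
        elif opt == "-j" and val in ACTIONS:
            action = ACTIONS[val]
        else:
            # e.g. "-m state": these flows are stateless, so refuse, don't guess
            raise ValueError(f"cannot translate '{opt} {val}'")
    if action is None:
        raise ValueError(f"no -j target in: {rule}")
    if proto not in ("tcp", "udp") and any(m.startswith("tp_") for m in matches):
        raise ValueError("port match requires -p tcp or -p udp")
    return ",".join([f"priority={priority}", proto, *matches]) + f",actions={action}"

def ruleset_to_flows(rules, policy="DROP", top=1000):
    """Keep iptables first-match order by giving earlier rules higher priority."""
    # iptables only filters IP; a default-drop flow table also sees ARP, so allow it.
    flows = [f"priority={top},arp,actions=normal"]
    flows += [rule_to_flow(r, top - n) for n, r in enumerate(rules, start=1)]
    flows.append(f"priority=0,actions={ACTIONS[policy]}")
    return flows

if __name__ == "__main__":
    print("\n".join(ruleset_to_flows(SAMPLE_RULES)))
```

The printed lines can be loaded with `ovs-ofctl add-flows <bridge> -`, where `<bridge>` is a placeholder for the OVS bridge name. Replies to connections the guest itself opens are not admitted by these stateless flows unless a rule matches them explicitly.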


