[ovs-discuss] openvswitch on openstack
mestery at mestery.com
Fri Oct 31 15:38:45 UTC 2014
On Fri, Oct 31, 2014 at 10:23 AM, Gurucharan Shetty <shettyg at nicira.com> wrote:
> On Fri, Oct 31, 2014 at 8:19 AM, Kyle Mestery <mestery at mestery.com> wrote:
>> On Fri, Oct 31, 2014 at 10:09 AM, Gurucharan Shetty <shettyg at nicira.com> wrote:
>>> On Thu, Oct 30, 2014 at 11:55 PM, FengYu LeiDian
>>> <fengyuleidian0615 at gmail.com> wrote:
>>>> Hi, all
>>>> Standard openstack has a Linux bridge on top of the openvswitch bridge;
>>>> this Linux bridge is used to set up iptables rules to allow VM access
>>>> to the outside world, for example, allow VM port 22 access, so an external
>>>> host could ssh to this VM.
>>>> Can an openvswitch bridge have the same mechanism to be allowed to set rules
>>>> as the same effort as that of iptables linux bridge?
>>> Yes. The controller that you use should be capable of adding openflow
>>> rules to do it.
>> That's not entirely true. We can't fully implement security groups
>> using OVS until we get this work in. There was work to do security
>> groups using OpenFlow during the Icehouse/Juno timeframe, but the team
>> doing the work determined they could only do 70% of what the existing
>> SGs with iptables can do, so they've scrapped it until the work I
>> referenced is upstream and then back downstream into the distros.
> I see, thanks for correcting me. So "security group" in openstack
> includes support for stateful firewall?
Yes, have a peek at this (slightly out of date) wiki here for more
info. The work on this is on hold as far as I know.
>>  http://openvswitch.org/pipermail/dev/2014-May/040567.html
>>>> discuss mailing list
>>>> discuss at openvswitch.org