[ovs-discuss] openvswitch on openstack

Kyle Mestery mestery at mestery.com
Fri Oct 31 15:38:45 UTC 2014


On Fri, Oct 31, 2014 at 10:23 AM, Gurucharan Shetty <shettyg at nicira.com> wrote:
> On Fri, Oct 31, 2014 at 8:19 AM, Kyle Mestery <mestery at mestery.com> wrote:
>> On Fri, Oct 31, 2014 at 10:09 AM, Gurucharan Shetty <shettyg at nicira.com> wrote:
>>> On Thu, Oct 30, 2014 at 11:55 PM, FengYu LeiDian
>>> <fengyuleidian0615 at gmail.com> wrote:
>>>> Hi, all
>>>>
>>>> Standard openstack has a Linux bridge on top of the openvswitch bridge[1].
>>>> This Linux bridge is used to set up iptables rules to allow VM access
>>>> to the outside world, for example, allow VM port 22 access, so an external
>>>> host could ssh to this VM.
>>>>
>>>> Can an openvswitch bridge have the same mechanism to be allowed to set rules
>>>> as the same effort as that of iptables linux bridge?
>>> Yes. The controller that you use should be capable of adding openflow
>>> rules to do it.
>>>
>> That's not entirely true. We can't fully implement security groups
>> using OVS until we get this work [1] in. There was work to do security
>> groups using OpenFlow during the Icehouse/Juno timeframe, but the team
>> doing the work determined they could only do 70% of what the existing
>> SGs with iptables can do, so they've scrapped it until the work I
>> referenced is upstream and then back downstream into the distros.
> I see, thanks for correcting me. So "security group" in openstack
> includes support for stateful firewall?
>
Yes, have a peek at this (slightly out of date) wiki here [1] for more
info. The work on this is on hold as far as I know.

[1] https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver

>>
>> Thanks,
>> Kyle
>>
>> [1] http://openvswitch.org/pipermail/dev/2014-May/040567.html
>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> [1]:
>>>> http://docs.openstack.org/admin-guide-cloud/content/figures/14/a/a/common/figures/under-the-hood-scenario-1-ovs-compute.png
>>>>
>>>>
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss at openvswitch.org
>>>> http://openvswitch.org/mailman/listinfo/discuss