Difference between revisions of "Meetings/Neutron blueprint ovs-firewall-driver"
< Meetings
(→Meeting Dec 16, 2013) |
(→Meeting Dec 16, 2013) |
||
| Line 23: | Line 23: | ||
* other ovs_neutron_agent issues: | * other ovs_neutron_agent issues: | ||
** lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap | ** lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap | ||
| − | ** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 | + | ** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 (addressed by https://review.openstack.org/#/c/62346/) |
** table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly | ** table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly | ||
Revision as of 15:44, 16 December 2013
Discussion for <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver>
Meeting Dec 16, 2013
- Purpose restatement
- Design decisions
- openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
- example of api changes in neutron: https://review.openstack.org/#/c/62129/
- example of api changes in neutronclient: https://review.openstack.org/#/c/62130/
- ovs_neutron_agent issues:
- (1) firewall invoked before agent does anything in C[R]UD operations
- need to at least move VLAN provisioning before firewall invocation (to have correct OVS action on ALLOW path)
- (2) agent removes all flows at initialization (as well as deletes all vif's flows on port_bound)
- requires OVS 1.5.0+ to delete flows based on cookie (current version in XenServer 6.2 and Ubuntu P/Q-release is 1.4.6)
- (1) firewall invoked before agent does anything in C[R]UD operations
- openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
- Overview of prototype
- all security group flows on integration bridge
- currently all on table 0, thinking about multi-table setup (table0 port security, other: ingress, egress)
- prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge
- still a major WIP:
- adding IPv6 flows
- adding multiple ports in range: debating trying out port bitmask or N flows for N ports or any other suggestions?
- TODO unit/integration tests (integration tests help is always appreciated)
- other ovs_neutron_agent issues:
- lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap
- neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 (addressed by https://review.openstack.org/#/c/62346/)
- table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly
