Meetings/Neutron blueprint ovs-firewall-driver

Revision as of 19:49, 14 December 2013 by Amir-sadoughi (talk | contribs) (Meeting Dec 16, 2013)

Discussion for <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver>

Meeting Dec 16, 2013

  • Purpose restatement
  • Design decisions
    • openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
    • ovs_neutron_agent issues:
      • (1) firewall invoked before agent does anything in C[R]UD operations
        • need to at least extract VLAN provisioning out before firewall invocation (to have correct OVS action on ALLOW path)
      • (2) agent removes all flows at initialization (as well as deletes all vif's flows on port_bound)
        • possibly require OVS 1.5.0+ to delete flows based on cookie (current version in XenServer 6.2 and Ubuntu P/Q-release is 1.4.6)
  • Overview of prototype
    • all security group flows on integration bridge
    • currently all on table 0; considering a multi-table setup (table 0: port security; other tables: ingress, egress)
    • prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge
    • still a WIP: barely functional
      • adding IPv6 flows
      • adding multiple ports in a range: debating a port bitmask versus N flows for N ports; any other suggestions?
      • TODO unit/integration tests (integration tests help is always appreciated)
  • other ovs_neutron_agent issues:
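
For the "port bitmask or N flows for N ports" question under the prototype overview, the sketch below splits a port range into the fewest aligned value/mask blocks and checks that the masks match exactly the ports in the range, so a security group rule is neither widened nor narrowed. It is an added example, not code from the prototype; the function names are hypothetical and the match strings assume the value/mask form of tp_dst accepted by ovs-ofctl.

```python
# Added illustration; function names are hypothetical, not from the prototype.
PORT_BITS = 16
FULL_MASK = (1 << PORT_BITS) - 1


def port_range_to_masks(lo, hi):
    """Cover [lo, hi] exactly with the fewest aligned (value, mask) blocks."""
    if not 0 <= lo <= hi <= FULL_MASK:
        raise ValueError("invalid port range %r-%r" % (lo, hi))
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that can start at lo (its lowest set bit).
        size = (lo & -lo) if lo else (1 << PORT_BITS)
        # Shrink the block until it no longer runs past hi.
        while lo + size - 1 > hi:
            size >>= 1
        blocks.append((lo, FULL_MASK & ~(size - 1)))
        lo += size
    return blocks


def flow_matches(lo, hi, proto="tcp", field="tp_dst"):
    """Render each block as an ovs-ofctl style match string."""
    out = []
    for value, mask in port_range_to_masks(lo, hi):
        if mask == FULL_MASK:      # single port, no mask needed
            out.append("%s,%s=%d" % (proto, field, value))
        elif mask == 0:            # whole port space, port field wildcarded
            out.append(proto)
        else:
            out.append("%s,%s=0x%04x/0x%04x" % (proto, field, value, mask))
    return out


def covered_ports(blocks):
    """Expand blocks back to the set of ports they match (exactness check)."""
    return {p for p in range(FULL_MASK + 1)
            if any((p & mask) == value for value, mask in blocks)}


if __name__ == "__main__":
    for match in flow_matches(1000, 1999):
        print(match)
    blocks = port_range_to_masks(1000, 1999)
    assert covered_ports(blocks) == set(range(1000, 2000))
    print("%d masked flows instead of 1000 exact-match flows" % len(blocks))
```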