Neutron port attribute enhancement
NFV and ServiceVM need extensions/enhancements for neutron port. With this page, use cases/requirements are collected and then they will be broken down to actual blueprints and implemtations. For non-port related stuff, please refer to https://wiki.openstack.org/wiki/ServiceVM/neutron-and-other-project-items
|Requirement||Description||Priority||Blueprint Link||design link||Patch Link||Use Case|
|VLAN trunkport/l2-gateway||High||https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms, https://blueprints.launchpad.net/neutron/+spec/l2-gateway||https://review.openstack.org/97714 https://review.openstack.org/#/c/94612/ https://review.openstack.org/#/c/100278/||https://review.openstack.org/#/c/92541/|
|unfirewalled port|| disable security group/anti-spoofing etc. Fix Security Groups to disable anti-spoofing mechanism to allow non VM IP/mac addresses in traffic from the Service VMs.
security group should be more flexible that allows the service VMs to spoof ip or MAC. Ability to disable security groups on service VM port, at least ML2 OVS mechanism driver (e.g., by implementing the "port-security" extension
|High||https://blueprints.launchpad.net/neutron/+spec/nfv-unaddressed-interfaces https://blueprints.launchpad.net/neutron/+spec/ml2-ovs-portsecurity||https://review.openstack.org/97715 https://review.openstack.org/#/c/99873/||router/vpm vm|
|unaddressed port||allow port creation without IP/MAC address.||Middle?||a FW that is deployed in the bump-in-the-wire mode or tap mode(no ip address, no mac address), change network/subnet of vNIC(neutron port) to other without deleting vNIC in order to save unplug/plug nic(no ip address, mac address kept during unconnected state).|
|sharing mac/IP addres||share a (virtual) mac/IP address by multiple service VM instances or even the two ports on the same VM||redundant port to back up each other and both them have the same MAC and IP|
|port without subnet||port that isn't attached to any subnet. It Thus port without IP address|
|Unplugged port||allow port creation without associating any network/subnetwork. Allow VM creation with such port. And later those port will be pluged into network/subnet and given IP address|
Service VM implements some service, e.g., routing or VPN. That VM will then be connected to a number of Neutron Networks/Subnets in some tenant. To provide its service the VM must be able to FORWARD traffic (i.e., packets come in on one VM interface and same packets leave on another one).
It must be possible to disable security groups on Neutron Ports used by a service VM. There exists an extension for this: https://github.com/openstack/neutron/blob/master/neutron/extensions/portsecurity.py However it is not implemented by the free plugins like ML2, Openvswitch etc.