[openstack-dev] [Quantum] Need review for iptablessecuritygroup bp

Akihiro MOTOKI motoki at da.jp.nec.com
Wed Nov 7 18:05:50 UTC 2012 

Hi Nachi, Kyle and Quantum folks,

>>>>> Date: Wed, 7 Nov 2012 15:22:20 +0000
>>>>> From: "Kyle Mestery (kmestery)" <kmestery at cisco.com>
>>>>> Subject: Re: [openstack-dev] [Quantum] Need review for iptablessecuritygroup bp
> 
> On Nov 6, 2012, at 5:49 PM, Nachi Ueno <nachi at nttmcl.com> wrote:
> > Hi Quantum folks
> > 
> > I need to be reviewd  iptables securitygroup bp.
> > I updated the bp using Gary's template.
> > 
> > https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables
> > 
> > Actually, I have started the coding, but I do want get the spec agreed
> > before code review.
> > 
> Hi Nachi:
> 
> This looks pretty good. So effectively, the security group code will be run before direct port
> operations are undertaken on the host itself, right?

I think it is an important point. To define iptables rules for a specific
quantum logical port, the tap device needs to be created and attached to a
bridge. Quantum cannot know the exact timing where a tap device is attached
to a bridge. As far as we use agent-based approach some timing lag cannot be
avoid (if my understanding is correct).

> I notice the blueprint only mentions LinuxBridge and OVS plugins. I assume
> there is some anticipated work for the other plugins (Ryu, NEC, NVP, and
> Cisco) once this work lands?

security group extension has been merged, but no OSS implementations are
available for now. Nachi's BP focuses to address it, so he only mentions OVS
and LB only.

Aaron already has security group implementaiton for NVP plugin.
It is under review and I feel it is near merge.
I am also implementing NEC plugin support using OpenFlow.

> For instance, is iptables required for each
> plugin? I imagine Ryu could simply implement security groups using
> OpenFlow rules for example.

iptables is not required for each plugin.
IMO, Linux Bridge plugin uses iptables, but OVS plugin uses its own
filtering mechanism. OVS and iptables cannot coexists at the now.
It is the reason that Nachi says OVS with iptables requires HybridDriver.

It is true ryu can implement sg using OpenFlow though I am not sure how ryu
plugin supports sg. The same thing applies to other OpenFlow based plugin
such as  NVP, NEC, floodlight et el.

Thanks,
Akihiro
> 
> Thanks,
> Kyle
> 
> > Thanks
> > Nachi
> > 
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list