[openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin
thuleau at gmail.com
Tue Nov 19 13:51:43 UTC 2013
It's an interesting feature.
But just to understand, what do you blame to the actual implementation with
iptables and linux bridge?
The OVS release 1.11.0 implements a new feature calls 'megaflows'
which reduce the number of kernel/usespace crossings.
Actually, OVS neutron agent uses simple default "normal" flow (simple mac
learning switch) which the wildcarding (use by megaflow) will be very good
(just the L2 headers will be matched).
But if we implement security group as OVS flows, the performance will be
reduced. Wildcarding will be worse (L2, L3, and L4headers will be mateched).
Here  and  a post from the OVS mailing list that explain that.
Perhaps we can create security group OVS flow smarter to improve the
Another improvement, I see, is the simplification of the interfaces on the
compute node. All interfaces qbr, qvo and qvb will disappear.
But another simple improvement about that could be to use only one Linux
bridge by network instead of one per VNIC and continous to use Linux bridge
Another problem is the OVS flows are not stateful  but is it necessary?
On Tue, Nov 19, 2013 at 10:31 AM, Kanthi P <pavuluri.kanthi at gmail.com>wrote:
> Hi All,
> Thanks for the response!
> Amir,Mike: Is your implementation being done according to ML2 plugin
> On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <geekinutah at gmail.com> wrote:
>> Hi Kanthi,
>> Just to reiterate what Kyle said, we do have an internal implementation
>> using flows that looks very similar to security groups. Jun Park was the
>> guy that wrote this and is looking to get it upstreamed. I think he'll be
>> back in the office late next week. I'll point him to this thread when he's
>> On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery) <
>> kmestery at cisco.com> wrote:
>>> On Nov 18, 2013, at 4:26 PM, Kanthi P <pavuluri.kanthi at gmail.com> wrote:
>>> > Hi All,
>>> > We are planning to implement quantum security groups using openflows
>>> for ovs plugin instead of iptables which is the case now.
>>> > Doing so we can avoid the extra linux bridge which is connected
>>> between the vnet device and the ovs bridge, which is given as a work around
>>> since ovs bridge is not compatible with iptables.
>>> > We are planning to create a blueprint and work on it. Could you please
>>> share your views on this
>>> Hi Kanthi:
>>> Overall, this idea is interesting and removing those extra bridges would
>>> certainly be nice. Some people at Bluehost gave a talk at the Summit  in
>>> which they explained they have done something similar, you may want to
>>> reach out to them since they have code for this internally already.
>>> The OVS plugin is in feature freeze during Icehouse, and will be
>>> deprecated in favor of ML2  at the end of Icehouse. I would advise you
>>> to retarget your work at ML2 when running with the OVS agent instead. The
>>> Neutron team will not accept new features into the OVS plugin anymore.
>>>  https://wiki.openstack.org/wiki/Neutron/ML2
>>> > Thanks,
>>> > Kanthi
>>> > _______________________________________________
>>> > OpenStack-dev mailing list
>>> > OpenStack-dev at lists.openstack.org
>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev