[openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

Jian Wen jian.wen at canonical.com
Fri Nov 29 06:25:09 UTC 2013


I don't think we can implement a stateful firewall[1] now.

Once connection tracking capability[2] is added to the Linux OVS, we
could start to implement the ovs-firewall-driver blueprint.

[1] http://en.wikipedia.org/wiki/Stateful_firewall
[2] http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS


On Tue, Nov 26, 2013 at 2:23 AM, Mike Wilson <geekinutah at gmail.com> wrote:

> Adding Jun to this thread since gmail is failing him.
>
>
> On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi <
> amir.sadoughi at rackspace.com> wrote:
>
>>  Yes, my work has been on ML2 with neutron-openvswitch-agent.  I’m
>> interested to see what Jun Park has. I might have something ready before he
>> is available again, but would like to collaborate regardless.
>>
>>  Amir
>>
>>
>>
>>  On Nov 19, 2013, at 3:31 AM, Kanthi P <pavuluri.kanthi at gmail.com> wrote:
>>
>>  Hi All,
>>
>>  Thanks for the response!
>> Amir, Mike: Is your implementation being done according to ML2 plugin?
>>
>>  Regards,
>> Kanthi
>>
>>
>> On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <geekinutah at gmail.com> wrote:
>>
>>> Hi Kanthi,
>>>
>>>  Just to reiterate what Kyle said, we do have an internal
>>> implementation using flows that looks very similar to security groups. Jun
>>> Park was the guy that wrote this and is looking to get it upstreamed. I
>>> think he'll be back in the office late next week. I'll point him to this
>>> thread when he's back.
>>>
>>>  -Mike
>>>
>>>
>>> On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery) <
>>> kmestery at cisco.com> wrote:
>>>
>>>> On Nov 18, 2013, at 4:26 PM, Kanthi P <pavuluri.kanthi at gmail.com>
>>>> wrote:
>>>>  > Hi All,
>>>> >
>>>> > We are planning to implement quantum security groups using openflows
>>>> for ovs plugin instead of iptables which is the case now.
>>>> >
>>>> > Doing so we can avoid the extra linux bridge which is connected
>>>> between the vnet device and the ovs bridge, which is given as a workaround
>>>> since ovs bridge is not compatible with iptables.
>>>> >
>>>> > We are planning to create a blueprint and work on it. Could you
>>>> please share your views on this?
>>>> >
>>>>  Hi Kanthi:
>>>>
>>>> Overall, this idea is interesting and removing those extra bridges
>>>> would certainly be nice. Some people at Bluehost gave a talk at the Summit
>>>> [1] in which they explained they have done something similar, you may want
>>>> to reach out to them since they have code for this internally already.
>>>>
>>>> The OVS plugin is in feature freeze during Icehouse, and will be
>>>> deprecated in favor of ML2 [2] at the end of Icehouse. I would advise you
>>>> to retarget your work at ML2 when running with the OVS agent instead. The
>>>> Neutron team will not accept new features into the OVS plugin anymore.
>>>>
>>>> Thanks,
>>>> Kyle
>>>>
>>>> [1] http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack
>>>> [2] https://wiki.openstack.org/wiki/Neutron/ML2
>>>>
>>>> > Thanks,
>>>> > Kanthi
>>>> > _______________________________________________
>>>> > OpenStack-dev mailing list
>>>> > OpenStack-dev at lists.openstack.org
>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-- 
Cheers,
Jian
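
Added example, not part of the thread and not OpenStack or OVS code: a minimal Python model of the point made in the message above, that header-only flow matching cannot tell a reply from an unsolicited packet without connection state. The addresses, ports, rule set and all function names are constructed for illustration; protocol, TCP flags and timeouts are ignored.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")

VM = "10.0.0.5"          # constructed address of the protected instance
ALLOWED_INGRESS = {22}   # constructed security group: inbound SSH only

def stateless_ingress(pkt):
    """Header-only match, as a flow table without connection tracking does."""
    return pkt.dst == VM and pkt.dport in ALLOWED_INGRESS

def stateless_workaround(pkt):
    """Stateless attempt to admit replies: open the ephemeral port range."""
    return stateless_ingress(pkt) or (pkt.dst == VM and pkt.dport >= 32768)

class StatefulFilter:
    """Remembers outbound connections and admits only their reverse tuple."""
    def __init__(self):
        self.conns = set()

    def egress(self, pkt):
        # Assumption for this sketch: all egress from the VM is allowed.
        self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def ingress(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.conns or stateless_ingress(pkt)

def run_trace():
    """Return {packet name: (stateless, workaround, stateful)} verdicts."""
    fw = StatefulFilter()
    fw.egress(Packet(VM, "198.51.100.7", 40000, 80))  # VM opens a web request
    trace = {
        "reply": Packet("198.51.100.7", VM, 80, 40000),
        "unsolicited": Packet("203.0.113.9", VM, 80, 40001),
        "ssh": Packet("203.0.113.9", VM, 50000, 22),
    }
    return {name: (stateless_ingress(p), stateless_workaround(p), fw.ingress(p))
            for name, p in trace.items()}

if __name__ == "__main__":
    for name, verdicts in run_trace().items():
        print(name, verdicts)
```

The strict stateless rule drops the legitimate reply, the ephemeral-port workaround also admits the unsolicited packet, and only the stateful filter accepts the reply while dropping the unsolicited one.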