[openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

Édouard Thuleau thuleau at gmail.com
Sat Nov 30 10:32:57 UTC 2013


And what do you think about the performance issue I talked about?
Do you have any thoughts on improving wildcarding to use the megaflow feature?

Édouard.

On Fri, Nov 29, 2013 at 1:11 PM, Zang MingJie <zealot0630 at gmail.com> wrote:
> On Fri, Nov 29, 2013 at 2:25 PM, Jian Wen <jian.wen at canonical.com> wrote:
>> I don't think we can implement a stateful firewall[1] now.
>
> I don't think we need a stateful firewall, a stateless one should work
> well. If the stateful conntrack is completed in the future, we can
> also take benefit from it.
>
>>
>> Once connection tracking capability[2] is added to the Linux OVS, we
>> could start to implement the ovs-firewall-driver blueprint.
>>
>> [1] http://en.wikipedia.org/wiki/Stateful_firewall
>> [2]
>> http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS
>>
>>
>> On Tue, Nov 26, 2013 at 2:23 AM, Mike Wilson <geekinutah at gmail.com> wrote:
>>>
>>> Adding Jun to this thread since gmail is failing him.
>>>
>>>
>>> On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi
>>> <amir.sadoughi at rackspace.com> wrote:
>>>>
>>>> Yes, my work has been on ML2 with neutron-openvswitch-agent.  I’m
>>>> interested to see what Jun Park has. I might have something ready before he
>>>> is available again, but would like to collaborate regardless.
>>>>
>>>> Amir
>>>>
>>>>
>>>>
>>>> On Nov 19, 2013, at 3:31 AM, Kanthi P <pavuluri.kanthi at gmail.com> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> Thanks for the response!
>>>> Amir, Mike: Is your implementation being done according to the ML2 plugin?
>>>>
>>>> Regards,
>>>> Kanthi
>>>>
>>>>
>>>> On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <geekinutah at gmail.com>
>>>> wrote:
>>>>>
>>>>> Hi Kanthi,
>>>>>
>>>>> Just to reiterate what Kyle said, we do have an internal implementation
>>>>> using flows that looks very similar to security groups. Jun Park was the guy
>>>>> that wrote this and is looking to get it upstreamed. I think he'll be back
>>>>> in the office late next week. I'll point him to this thread when he's back.
>>>>>
>>>>> -Mike
>>>>>
>>>>>
>>>>> On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery)
>>>>> <kmestery at cisco.com> wrote:
>>>>>>
>>>>>> On Nov 18, 2013, at 4:26 PM, Kanthi P <pavuluri.kanthi at gmail.com>
>>>>>> wrote:
>>>>>> > Hi All,
>>>>>> >
>>>>>> > We are planning to implement quantum security groups using openflows
>>>>>> > for ovs plugin instead of iptables which is the case now.
>>>>>> >
>>>>>> > Doing so we can avoid the extra Linux bridge which is connected
>>>>>> > between the vnet device and the ovs bridge, which is given as a workaround
>>>>>> > since ovs bridge is not compatible with iptables.
>>>>>> >
>>>>>> > We are planning to create a blueprint and work on it. Could you
>>>>>> > please share your views on this?
>>>>>> >
>>>>>> Hi Kanthi:
>>>>>>
>>>>>> Overall, this idea is interesting and removing those extra bridges
>>>>>> would certainly be nice. Some people at Bluehost gave a talk at the Summit
>>>>>> [1] in which they explained they have done something similar, you may want
>>>>>> to reach out to them since they have code for this internally already.
>>>>>>
>>>>>> The OVS plugin is in feature freeze during Icehouse, and will be
>>>>>> deprecated in favor of ML2 [2] at the end of Icehouse. I would advise you to
>>>>>> retarget your work at ML2 when running with the OVS agent instead. The
>>>>>> Neutron team will not accept new features into the OVS plugin anymore.
>>>>>>
>>>>>> Thanks,
>>>>>> Kyle
>>>>>>
>>>>>> [1]
>>>>>> http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack
>>>>>> [2] https://wiki.openstack.org/wiki/Neutron/ML2
>>>>>>
>>>>>> > Thanks,
>>>>>> > Kanthi
>>>>>> > _______________________________________________
>>>>>> > OpenStack-dev mailing list
>>>>>> > OpenStack-dev at lists.openstack.org
>>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> --
>> Cheers,
>> Jian