[openstack-dev] [Neutron] Security groups with OVS instead of iptables?

Lorin Hochstein lorin at nimbisservices.com
Tue Sep 3 13:34:34 UTC 2013


(Also asked at https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/)

The only security group implementations in neutron seem to be
iptables-based. Is it technically possible to implement security groups
using openvswitch flow rules, instead of iptables rules?

It seems like this would cut down on the complexity associated with the
current OVSHybridIptablesFirewallDriver implementation, where we need to
create an extra Linux bridge and veth pair to work around the
iptables-openvswitch issues. (This also breaks if the user happens to
install the openvswitch brcompat module.)

Lorin
-- 
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com