It is possible to enforce security groups on OVS provided you have an OpenFlow controller instead of the neutron agent managing the OVS switches.

On Tue, Sep 3, 2013 at 10:29 AM, Scott Devoid <devoid at anl.gov> wrote:

> +1 for an answer to this.
>
> The reference documentation suggests running Neutron OVS with a total of 6
> software switches between the VM and public NAT addresses. [1]
> What are the performance differences folks see with this configuration
> vs. the 2 software switch configuration for linux bridge?
>
> [1]
> http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178
>
> On Tue, Sep 3, 2013 at 8:34 AM, Lorin Hochstein <lorin at nimbisservices.com> wrote:
>
>> (Also asked at
>> https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/
>> )
>>
>> The only security group implementations in neutron seem to be
>> iptables-based. Is it technically possible to implement security groups
>> using openvswitch flow rules, instead of iptables rules?
>>
>> It seems like this would cut down on the complexity associated with the
>> current OVSHybridIptablesFirewallDriver implementation, where we need to
>> create an extra linux bridge and veth pair to work around the
>> iptables-openvswitch issues. (This also breaks if the user happens to
>> install the openvswitch brcompat module).
>>
>> Lorin
>> --
>> Lorin Hochstein
>> Lead Architect - Cloud Services
>> Nimbis Services, Inc.
>> www.nimbisservices.com
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Ravi