[openstack-dev] [Neutron] Selectively disabling certain built in iptables rules
dara2002-openstack at yahoo.com
Tue Jan 21 13:22:23 UTC 2014
I think there is a blueprint for that. Anyway, see idea for current releases below:
>Feel free to tell me this is a bad idea and scold me for even asking, but please
>help me figure out how to do it anyway. This is for a specific tenant in a
>specific lab that was built specifically for that one tenant to do some
>experimental work that requires VMs to route and other VMs to act as
Therefore all the compute-nodes in that lab can be safely configured to use a
firewall_driver in ovs_neutron_plugin.ini that points to a customised firewall
class. If using Open vSwitch, this can be a subclass of
with the spoofing methods conditionally overridden to be no-ops.
>I need to wrap a conditional around this line
>and this line
>for specific VM instances.
>The criteria could be something like pattern matching on the instance name, or
>based on a specific flavor image type. I don't much care what the criteria is as
>long as it's something the tenant can control. What I'm hoping someone can
Neutron does not know about flavors or images. But it has ports which have a
name attribute that can be set to an arbitrary string, e.g. 'anti_spoof_off'. The
name does not need to be unique within the tenant. Then your overridden methods
could check for that string.
So when the tenant has to create a router or dhcp instance, they would first
create the neutron ports with this name, and then pass these port-ids to Nova.
>provide me with is an example line of code or two with which I can examine some
>property of the image that has been created from within the specific file
>referenced above in order to wrap if statements around those two lines of code
>so that I can prevent them from adding those specific iptables rules in the
>specific cases where my tenant needs to either route or respond to DHCP.
More information about the OpenStack-dev