<div dir="ltr">It is possible to enforce security groups on OVS provided you have Openflow Controller instead of neutron agent managing the OVS switches.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Sep 3, 2013 at 10:29 AM, Scott Devoid <span dir="ltr"><<a href="mailto:devoid@anl.gov" target="_blank">devoid@anl.gov</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">+1 for an answer to this.<div><br></div><div>The reference documentation suggests running Neutron OVS with a total of 6 software switches between the VM and public NAT addresses. [1]</div>

<div>What are the performances differences folks see with this configuration vs. the 2 software switch configuration for linux bridge?</div>

<div><br></div><div>[1] <a href="http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178" target="_blank">http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178</a></div>



</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Tue, Sep 3, 2013 at 8:34 AM, Lorin Hochstein <span dir="ltr"><<a href="mailto:lorin@nimbisservices.com" target="_blank">lorin@nimbisservices.com</a>></span> wrote:<br>



</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">(Also asked at </span><a href="https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/" style="font-family:arial,sans-serif;font-size:12.727272033691406px" target="_blank">https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/</a><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">)</span><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">




<br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><div>The only security group implementations in neutron seem to be iptables-based. Is it technically possible to implement security groups using openvswitch flow rules, instead of iptables rules?</div>




<div><br></div><div>It seems like this would cut down on the complexity associated with the current OVSHybridIptablesFirewallDriver implementation, where we need to create an extra linux bridge and veth pair to work around the iptables-openvswitch issues. (This also breaks if the user happens to install the openvswitch brcompat module).</div>



<span><font color="#888888">
<div><br></div><div>Lorin</div></font></span></div><span><font color="#888888">-- <br><div dir="ltr">Lorin Hochstein<br><div>Lead Architect - Cloud Services</div><div>Nimbis Services, Inc.</div><div><a href="http://www.nimbisservices.com" target="_blank">www.nimbisservices.com</a></div>




</div>
</font></span></div>
<br></div></div>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Ravi<br>
</div>