[Openstack] xcp+quantum+vlans= not working security groups

Dan Wendlandt dan at nicira.com
Mon May 14 18:49:23 UTC 2012


On Mon, May 14, 2012 at 10:36 AM, John Garbutt <John.Garbutt at citrix.com> wrote:

> Hi,
>
> > From Roman Sokolkov:
> > We use XCP + quantum + tenant vlans. One XCP box and one Ubuntu 12.04
> > box (controller). The nova-compute host is a domU on XCP. The boxes are
> > connected with a patch-cord and we are able to use VLANs inside.
> > There are problems with security groups. They do not work at all.
> > We use firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver.
> > And I see the expected iptables rules on Dom0, but without any profit. As I
> > understand, iptables couldn't work with L2 openvswitch traffic?
>
> Not sure that was tested with VLANs, and I don't think there has (yet)
> been any work to create an OpenVSwitch-based firewall driver.

> Have you seen specific problems with packets getting around the firewall
> rules when using openvswitch?
>

With the existing vif-plugging mechanisms, iptables rules applied directly
to a vif (which is the case with nova's iptables based firewall drivers)
will not be enforced if openvswitch is in use.  Essentially, OVS does not
call the same iptables kernel hooks as the linux bridge does.  We have some
ideas of how we can deal with this, but this work is not planned until
Folsom-2. Thanks,

Dan
>
> I know there were plans for making an OpenVSwitch firewall driver, but
> there are some big performance issues around rule explosion. I don't think
> there is anything penciled in for Folsom right now.
>
> I will get in touch with the networking experts and get back to you.
>
> Thanks,
> John
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
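To check for the situation described above, where per-vif iptables rules are present on dom0 but never applied because the vif is an OVS port, the following audit script is an added example and not part of this thread or of nova. It assumes rules name vifs through `-i`/`-o` or `--physdev-in`/`--physdev-out` matches and takes the text of `iptables-save` and of `ovs-vsctl list-ports <bridge>` as input; both samples below are constructed.

```python
import re

# Constructed sample of `iptables-save` output on an XCP dom0. The per-vif
# chain layout is an assumption about what Dom0IptablesFirewallDriver installs.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif3.0 -j nova-inst-3
-A FORWARD -m physdev --physdev-out vif3.0 -j nova-inst-3
-A FORWARD -m physdev --physdev-in vif5.0 -j nova-inst-5
-A nova-inst-3 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-inst-3 -j DROP
COMMIT
"""

# Constructed sample of `ovs-vsctl list-ports xapi1`: vifs attached to an OVS
# bridge, where the bridge-netfilter hooks that iptables relies on are not called.
OVS_PORTS = "vif3.0\nvif7.0\n"

# Interface matches an iptables rule can carry.
IFACE_RE = re.compile(
    r"(?:-i|-o|--in-interface|--out-interface|--physdev-in|--physdev-out)\s+(\S+)")


def rules_by_iface(iptables_save):
    """Map each interface named in a rule to the list of rules naming it."""
    by_iface = {}
    for line in iptables_save.splitlines():
        if not line.startswith("-A"):
            continue
        for iface in IFACE_RE.findall(line):
            by_iface.setdefault(iface, []).append(line)
    return by_iface


def unenforced_rules(iptables_save, ovs_ports):
    """Return {vif: rules} for rules that match a vif plugged into OVS.

    These rules look correct in `iptables -L` yet never see guest traffic,
    which is the symptom reported in this thread.
    """
    ovs = {p.strip() for p in ovs_ports.splitlines() if p.strip()}
    return {v: r for v, r in rules_by_iface(iptables_save).items() if v in ovs}


if __name__ == "__main__":
    for vif, rules in sorted(unenforced_rules(IPTABLES_SAVE, OVS_PORTS).items()):
        print(f"{vif}: {len(rules)} rule(s) bypassed because {vif} is an OVS port")
        for rule in rules:
            print("   ", rule)
```

Feed it the real command outputs from dom0; every vif it lists has security-group rules that are installed but not enforced on that path.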