[OpenvSwitch][Neutron] native flow based firewall Vs LinuxBridge Iptables firewall
Folks,
As we know, openvswitch uses a linuxbridge based firewall to implement security-groups on openstack. It works great but it has so many packet hops. It also makes troubleshooting a little complicated.
OpenvSwitch does support native firewall features in flows. Is it mature enough to implement in production and replace the LinuxBridge based iptables firewall with it?
~S
Hi,
The OVS flow based Neutron firewall driver has long been supported by the community and is used by many operators in production; please check the documentation: https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html
For some details on how it works, please check the related internals doc: https://docs.openstack.org/neutron/latest/contributor/internals/openvswitch_...
Best wishes,
Lajos (lajoskatona)
Satish Patel <satish.txt@gmail.com> wrote (on Mon, 24 Apr 2023, 3:40):
Thanks, I'll check it out.
This is great! So no harm to turn it on :)
On Mon, Apr 24, 2023 at 2:49 AM Lajos Katona <katonalala@gmail.com> wrote:
Hello,
We have been using it in production for a few years now, and it works correctly. But if you think it will be easier to debug, that will surprise me :) OpenFlow rules are hard to read, understand and debug. We tried working on a tool that helps debug such stuff (see [1]), which is partially used by the team, but that's far from perfect :(
[1] https://github.com/openstack/osops/blob/master/contrib/neutron/br-int-flows-...
Cheers,
Arnaud.
On 24.04.23 - 13:32, Satish Patel wrote:
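Arnaud's point that OpenFlow rules are hard to read is where a small summarising helper earns its keep. What follows is an added example written for this thread; it is not the osops br-int-flows tool mentioned above and not Neutron's own code. It parses constructed `ovs-ofctl dump-flows br-int` style output, groups the flows per table in priority order, and flags the flows that have actually matched packets, plus any `drop` flow with hits, which is usually the first question when a security group appears to block traffic. The table labels are an assumption based on the OVS firewall driver layout (egress 71/72, ingress 81/82); check the internals doc linked above for your release.

```python
"""Summarise `ovs-ofctl dump-flows br-int` output per table and flag flows
that have matched packets. Added example for this thread: not the osops
br-int-flows tool and not Neutron code. The sample input is constructed."""
import re
from collections import defaultdict

# ASSUMPTION: table labels follow the Neutron OVS firewall driver layout
# (egress 71/72, ingress 81/82). Verify against the internals doc for your release.
TABLE_NAMES = {
    0: "classification",
    71: "egress base (per-port pre-checks)",
    72: "egress security-group rules",
    73: "accept-or-ingress",
    81: "ingress base",
    82: "ingress security-group rules",
}

# Constructed sample in dump-flows format (cookie/ids are made up).
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.221s, table=0, n_packets=120, n_bytes=9840, priority=10,in_port=5 actions=load:0x1->NXM_NX_REG5[],resubmit(,71)
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.219s, table=71, n_packets=118, n_bytes=9700, priority=95,arp,reg5=0x1,in_port=5 actions=resubmit(,94)
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.219s, table=71, n_packets=2, n_bytes=140, priority=65,ct_state=+new-est,ip,reg5=0x1 actions=resubmit(,72)
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.218s, table=72, n_packets=2, n_bytes=140, priority=70,ct_state=+new-est,tcp,reg5=0x1,tp_dst=22 actions=resubmit(,73)
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.218s, table=72, n_packets=0, n_bytes=0, priority=50,ct_state=+inv+trk actions=drop
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.217s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x9b8b2a3f4c1d0e21, duration=3451.215s, table=82, n_packets=7, n_bytes=420, priority=0 actions=drop
"""

# Statistics/metadata keys printed by dump-flows; everything else is match spec.
META_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes",
             "idle_age", "hard_age", "idle_timeout", "hard_timeout", "importance"}
FLOW_RE = re.compile(r"^(?P<fields>.*?)\s+actions=(?P<actions>.*)$")
PRIO_RE = re.compile(r"priority=(\d+),?")


def parse_flow(line):
    """Turn one dump-flows line into a dict; return None for headers/blank lines."""
    line = line.strip()
    m = FLOW_RE.match(line) if line and "cookie=" in line else None
    if m is None:
        return None
    meta, match_parts = {}, []
    # Metadata fields are separated by ", "; the match spec is the last chunk,
    # comma-separated without spaces (e.g. "priority=70,tcp,tp_dst=22").
    for chunk in m.group("fields").split(", "):
        key, _, value = chunk.partition("=")
        if key in META_KEYS:
            meta[key] = value
        else:
            match_parts.append(chunk)
    match = ",".join(match_parts)
    priority = 32768  # OpenFlow default; dump-flows omits it when unchanged
    pm = PRIO_RE.match(match)
    if pm:
        priority, match = int(pm.group(1)), match[pm.end():]
    return {
        "table": int(meta.get("table", 0)),
        "priority": priority,
        "n_packets": int(meta.get("n_packets", 0)),
        "match": match or "(any)",
        "actions": m.group("actions").strip(),
    }


def flows_by_table(dump):
    """Group parsed flows by table, highest priority first (the lookup order)."""
    tables = defaultdict(list)
    for line in dump.splitlines():
        flow = parse_flow(line)
        if flow:
            tables[flow["table"]].append(flow)
    for flows in tables.values():
        flows.sort(key=lambda f: -f["priority"])
    return dict(tables)


def matched_flows(dump, table):
    """Flows in `table` that have seen packets: where to look first when asking
    'which rule handled my packet'."""
    return [f for f in flows_by_table(dump).get(table, []) if f["n_packets"] > 0]


def drop_candidates(dump):
    """Plain `drop` flows with hits; these explain traffic that silently vanished."""
    return [f for flows in flows_by_table(dump).values() for f in flows
            if f["actions"] == "drop" and f["n_packets"] > 0]


def render(dump):
    """Human-readable per-table summary; HIT marks flows with a non-zero packet count."""
    lines = []
    for table, flows in sorted(flows_by_table(dump).items()):
        lines.append(f"table {table} ({TABLE_NAMES.get(table, 'other')})")
        for f in flows:
            hit = "HIT " if f["n_packets"] else "    "
            lines.append(f"  {hit}prio={f['priority']:<5} pkts={f['n_packets']:<6} "
                         f"{f['match']}  ->  {f['actions']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_DUMP))
    for f in drop_candidates(SAMPLE_DUMP):
        print(f"dropped {f['n_packets']} packets in table {f['table']}: {f['match']}")
```

On a real node, pipe `ovs-ofctl dump-flows br-int` (or `ovs-ofctl -O OpenFlow13 dump-flows br-int` on newer setups) into `render` instead of the sample; comparing two snapshots of `n_packets` taken while reproducing the problem narrows the search to the flows whose counters moved.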
participants (3)
- Arnaud Morin
- Lajos Katona
- Satish Patel