[openstack-dev] [Quantum] Need review for iptables securitygroup bp
Ian Wells
ijw.ubuntu at cack.org.uk
Wed Nov 7 16:54:38 UTC 2012
On 7 November 2012 16:22, Kyle Mestery (kmestery) <kmestery at cisco.com> wrote:
> On Nov 6, 2012, at 5:49 PM, Nachi Ueno <nachi at nttmcl.com> wrote:
>> Hi Quantum folks
>>
>> I need to be reviewd iptables securitygroup bp.
>> I updated the bp using Gary's template.
>>
>> https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups-iptables
>>
>> Actually, I have started the coding, but I do want get the spec agreed
>> before code review.
Can you please define what the firewall driver actually *does* rather
than discuss how it's updated?
In Nova, it does many things: forwarding rules (e.g. the metadata
server), IPv4 filtering and (sometimes) IPv6 filtering; and it also
has some unexpected behaviour, like letting through any non-IP packet.
Apologies if you were just going to copy the code over wholesale, but
I really think that we could use this documentation for the first
driver so that everyone knows what firewalling is supposed to do when
they come to implement it using a different method in Ryu, for
instance.
Aside from that: any reason the firewall driver needs to be
configurable in Quantum? I know it is in Nova; I've never been
completely convinced that that's a good thing.
> Hi Nachi:
>
> This looks pretty good. So effectively, the security group code will be run before direct port operations are undertaken on the host itself, right? I notice the blueprint only mentions LinuxBridge and OVS plugins. I assume there is some anticipated work for the other plugins (Ryu, NEC, NVP, and Cisco) once this work lands? For instance, is iptables required for each plugin? I imagine Ryu could simply implement security groups using OpenFlow rules for example.
I presume that, as in Nova, you use a firewalling mechanism
appropriate to your networking (e.g. iptables code is conveniently
shareable between multiple Quantum plugins, but you could equally use
something else if it's not appropriate). That said, this is not a
configurable module; this is a library module, which a Quantum plugin
would choose to make use of or not as the case may be, without any
need for the user to make a choice and configure it.
--
Ian.
More information about the OpenStack-dev
mailing list