On Wed, Nov 27, 2013 at 09:29:16PM +0200, George Shuklin wrote:
> Why iptables, not internal openvswitch flow rules? Those rules allow
> filtering packets on L2-L4 headers and operate very fast. Are some
> iptables-only features used in ovs-agent?

I've seen a couple of references floating around about a Security Group driver implemented using OpenFlow[1], as well as some mailing list discussions[2]. Perhaps it is time for a blueprint to be registered?

[1] https://wiki.openstack.org/wiki/Neutron/SecurityGroups#Implementations
[2] http://openstack.markmail.org/thread/gxzb2opgm7mvb7h4

--
Sean M. Collins