+1 for an answer to this. The reference documentation suggests running Neutron OVS with a total of 6 software switches between the VM and public NAT addresses. [1] What are the performance differences folks see with this configuration vs. the 2 software switch configuration for linux bridge?

[1] http://docs.openstack.org/grizzly/openstack-network/admin/content/under_the_hood_openvswitch.html#d6e1178

On Tue, Sep 3, 2013 at 8:34 AM, Lorin Hochstein <lorin at nimbisservices.com> wrote:

> (Also asked at
> https://ask.openstack.org/en/question/4718/security-groups-with-ovs-instead-of-iptables/)
>
> The only security group implementations in neutron seem to be
> iptables-based. Is it technically possible to implement security groups
> using openvswitch flow rules, instead of iptables rules?
>
> It seems like this would cut down on the complexity associated with the
> current OVSHybridIptablesFirewallDriver implementation, where we need to
> create an extra linux bridge and veth pair to work around the
> iptables-openvswitch issues. (This also breaks if the user happens to
> install the openvswitch brcompat module).
>
> Lorin
> --
> Lorin Hochstein
> Lead Architect - Cloud Services
> Nimbis Services, Inc.
> www.nimbisservices.com