[openstack-dev] [Openstack][nova][Neutron] Launch VM with multiple Ethernet interfaces with I.P. of single subnet.
Chris Friesen
chris.friesen at windriver.com
Thu Apr 17 20:24:39 UTC 2014
On 04/17/2014 06:37 AM, CARVER, PAUL wrote:
> Aaron Rosen wrote:
>
>> Sorry not really. It's still not clear to me why multiple nics would be
>> required on the same L2 domain.
>
> I’m a fan of this old paper for nostalgic reasons
> http://static.usenix.org/legacy/publications/library/proceedings/neta99/full_papers/limoncelli/limoncelli.pdf
> but a search for transparent or bridging firewall turns up tons of hits.
>
> Whether any of them are valid use cases for OpenStack is something that
> we could debate, but the general concept of putting two firewall
> interfaces into the same L2 domain and using it to control traffic flow
> between different hosts on the same L2 domain has at least five years of
> history behind it.
If you want it to act as a transparent firewall then you really need two
separate physical networks where the firewall acts as a bridge between
them. Otherwise the traffic isn't forced to go through the firewall; it
can just go directly to the target MAC address.
To do this in OpenStack I think you'd need to decouple virtual networks
from virtual DHCP. So then you'd be able to do stuff like:
1) Create network A with no dhcp server or IP subnet.
2) Create network B with a subnet and dhcp server.
3) Create VM C with a NIC in each network, acting as a bridge/firewall.
4) Connect network B to the outside world.
5) Create VM D with a NIC in network A; it does a DHCP broadcast, and VM C
forwards the DHCP request to network B where it gets assigned an address.
6) D can then talk to the outside world with C deciding what outside
packets are allowed through to it, monitoring/logging the traffic, doing
traffic shaping, etc.
I wonder if you could do something like this with OpenStack as-is?
Maybe configure network A with no router, and with an IP address range
that doesn't overlap with network B. Then configure network B with a
non-overlapping address range but also with a router? Then C could
still forward packets between the networks...
Chris