[openstack-dev] [Neutron] Selectively disabling certain built in iptables rules

Darragh O'Reilly dara2002-openstack at yahoo.com
Tue Jan 21 13:22:23 UTC 2014
I think there is a blueprint for that. Anyway, see an idea for current releases below:


>Feel free to tell me this is a bad idea and scold me for even asking, but please
>help me figure out how to do it anyway. This is for a specific tenant in a
>specific lab that was built specifically for that one tenant to do some
>experimental work that requires VMs to route and other VMs to act as
>DHCP/PXEBoot servers.

Therefore all the compute-nodes in that lab can be safely configured to use a
firewall_driver in ovs_neutron_plugin.ini that points to a customised firewall
class. If using Open vSwitch, this can be a subclass of 
neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
with the spoofing methods conditionally overridden to be no-ops.

>
>I need to wrap a conditional around this line
>https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L201
>and this line
>https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L241
>for specific VM instances.
>
>The criteria could be something like pattern matching on the instance name, or
>based on a specific flavor image type. I don't much care what the criteria is as
>long as it's something the tenant can control. What I'm hoping someone can

Neutron does not know about flavors or images. But it has ports which have a 
name attribute that can be set to an arbitrary string, e.g. 'anti_spoof_off'. The
name does not need to be unique within the tenant. Then your overridden methods
could check for that string.

So when the tenant has to create a router or dhcp instance, they would first
create the neutron ports with this name, and then pass these port-ids to Nova.

>provide me with is an example line of code or two with which I can examine some
>property of the image that has been created from within the specific file
>referenced above in order to wrap if statements around those two lines of code
>so that I can prevent them from adding those specific iptables rules in the
>specific cases where my tenant needs to either route or respond to DHCP.
>
>Thanks
>
>--
>Paul Carver

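As an added example that is not part of this message or of Neutron's own code, here is a stand-alone sketch of the conditional no-op override described above, keyed on the port name 'anti_spoof_off'. `StandInDriver` only imitates the real driver's spoofing methods so the code runs offline; the method names `_spoofing_rule` and `_drop_dhcp_rule`, their signatures and the `egress_rules` caller are assumptions to check against your Neutron release (the real DHCP-drop method may not receive the port, in which case override its caller instead).

```python
ANTI_SPOOF_OFF = 'anti_spoof_off'  # port name the tenant sets, as suggested in the mail


class StandInDriver:
    """Stand-in for the real OVSHybridIptablesFirewallDriver so the example runs
    offline. Method names and signatures are assumptions; check your release."""

    def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
        # Let the DHCP client and IPv6 RA through, allow only the port's own
        # MAC/IP pairs, then drop everything else (the anti-spoofing rules).
        ipv4_rules.append('-p udp -m udp --sport 68 --dport 67 -j RETURN')
        ipv6_rules.append('-p icmpv6 -j RETURN')
        for ip in port['fixed_ips']:
            rules = ipv6_rules if ':' in ip else ipv4_rules
            rules.append('-m mac --mac-source %s -s %s -j RETURN'
                         % (port['mac_address'], ip))
        ipv4_rules.append('-j DROP')
        ipv6_rules.append('-j DROP')

    def _drop_dhcp_rule(self, port, ipv4_rules, ipv6_rules):
        # Stop the instance from answering as a DHCP server.
        ipv4_rules.append('-p udp -m udp --sport 67 --dport 68 -j DROP')

    def egress_rules(self, port):
        ipv4_rules, ipv6_rules = [], []
        self._spoofing_rule(port, ipv4_rules, ipv6_rules)
        self._drop_dhcp_rule(port, ipv4_rules, ipv6_rules)
        return ipv4_rules, ipv6_rules


def anti_spoof_disabled(port):
    """True only for ports the tenant explicitly named 'anti_spoof_off'."""
    return port.get('name') == ANTI_SPOOF_OFF


class LabFirewallDriver(StandInDriver):
    """No-ops the two spoofing methods for tagged ports; other ports are unchanged."""

    def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
        if not anti_spoof_disabled(port):
            super()._spoofing_rule(port, ipv4_rules, ipv6_rules)

    def _drop_dhcp_rule(self, port, ipv4_rules, ipv6_rules):
        if not anti_spoof_disabled(port):
            super()._drop_dhcp_rule(port, ipv4_rules, ipv6_rules)


# Constructed sample ports: an ordinary VM and the tenant's DHCP/router instance.
NORMAL_PORT = {'name': 'web01', 'mac_address': 'fa:16:3e:00:00:01',
               'fixed_ips': ['10.0.0.5']}
TAGGED_PORT = {'name': ANTI_SPOOF_OFF, 'mac_address': 'fa:16:3e:00:00:02',
               'fixed_ips': ['10.0.0.6', 'fd00::6']}
```

Only ports the tenant deliberately created with that name lose the rules; every other port on the same compute node keeps the default anti-spoofing and DHCP-server drop.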