[OpenvSwitch][Neutron] native flow based firewall Vs LinuxBridge Iptables firewall

Arnaud Morin arnaud.morin at gmail.com
Tue May 2 19:13:25 UTC 2023


Hello,

We have been using it in production for a few years now; it works correctly.
But, if you think it will be easier to debug, that will surprise me :)
Openflow rules are hard to read, understand and debug.
We tried working on a tool that helps debug such stuff (see [1]),
which is partially used by the team, but that's far from perfect :(

[1] https://github.com/openstack/osops/blob/master/contrib/neutron/br-int-flows-analyze.py

Cheers,
Arnaud.

On 24.04.23 - 13:32, Satish Patel wrote:
> Thanks, I'll check it out.
> 
> This is great! so no harm to turn it on :)
> 
> On Mon, Apr 24, 2023 at 2:49 AM Lajos Katona <katonalala at gmail.com> wrote:
> 
> > Hi,
> > The OVS flow based Neutron firewall driver is long supported by the
> > community and used by many operators in production, please check the
> > documentation:
> > https://docs.openstack.org/neutron/latest/admin/config-ovsfwdriver.html
> >
> > For some details how it works please check the related internals doc:
> >
> > https://docs.openstack.org/neutron/latest/contributor/internals/openvswitch_firewall.html
> >
> > Best wishes
> > Lajos (lajoskatona)
> >
> > Satish Patel <satish.txt at gmail.com> wrote (on Mon, 24 Apr 2023,
> > 3:40):
> >
> >> Folks,
> >>
> >> As we know, openvswitch uses a linuxbridge based firewall to implement
> >> security-groups on openstack. It works great but it has so many packet
> >> hops. It also makes troubleshooting a little complicated.
> >>
> >> OpenvSwitch does support native firewall features in flows. Is it
> >> mature enough to implement in production and replace the LinuxBridge
> >> based IPtables firewall?
> >>
> >> ~S
> >>
> >>
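Arnaud's point above is that the OVS firewall driver works but its OpenFlow rules are hard to read when a security group is not behaving as expected. The following is an added example, not the osops analyzer linked in [1] and not Neutron code: a small parser for the text printed by `ovs-ofctl -O OpenFlow13 dump-flows br-int` that groups flows by table, decodes the `ct_state` match flags the conntrack-based driver relies on, and lists which drop rules apply to a given port. The sample dump is constructed; the table numbers and register usage (`reg5` for the port, `reg6` for the conntrack zone) follow the Neutron OVS firewall internals document, but the individual flows are invented for illustration and are assumptions, not a capture from a real deployment.

```python
"""Summarize an `ovs-ofctl dump-flows br-int` dump by table and conntrack state.

Added example, not the osops tool from [1] nor Neutron's own code.
SAMPLE_DUMP is constructed: the table numbers (0, 71, 72, 94) and the
reg5/reg6 conventions mirror the Neutron OVS firewall internals doc, but
the flows themselves are assumptions made up for this illustration.
"""
import re
from collections import Counter

# Constructed sample in the line format ovs-ofctl prints (one flow per line).
SAMPLE_DUMP = """\
 cookie=0x3a7b1c9e, duration=123.456s, table=0, n_packets=10, n_bytes=840, priority=100,in_port=5 actions=load:0x5->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)
 cookie=0x3a7b1c9e, duration=123.456s, table=71, n_packets=3, n_bytes=252, priority=95,arp,reg5=0x5,in_port=5,dl_src=fa:16:3e:aa:bb:cc,arp_spa=10.0.0.5 actions=resubmit(,94)
 cookie=0x3a7b1c9e, duration=123.456s, table=71, n_packets=0, n_bytes=0, priority=65,ct_state=-trk,ip,reg5=0x5,in_port=5,dl_src=fa:16:3e:aa:bb:cc,nw_src=10.0.0.5 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
 cookie=0x3a7b1c9e, duration=123.456s, table=72, n_packets=7, n_bytes=588, priority=75,ct_state=+est-rel-rpl,ip,reg5=0x5 actions=resubmit(,94)
 cookie=0x3a7b1c9e, duration=123.456s, table=72, n_packets=0, n_bytes=0, priority=50,ct_state=+inv+trk actions=drop
 cookie=0x3a7b1c9e, duration=123.456s, table=72, n_packets=0, n_bytes=0, priority=10,ct_state=-est+trk,ip,reg5=0x5 actions=drop
"""

# Everything before the first " actions=" is stats plus match; the rest is the action list.
FLOW_RE = re.compile(r"^\s*(?P<attrs>.+?)\s+actions=(?P<actions>.+)$")
# ct_state specs look like "+est-rel-rpl": a sign followed by a flag name.
CT_FLAG_RE = re.compile(r"([+-])([a-z_]+)")


def parse_ct_state(spec):
    """'+est-rel-rpl' -> {'est': True, 'rel': False, 'rpl': False}."""
    return {name: sign == "+" for sign, name in CT_FLAG_RE.findall(spec)}


def parse_flow(line):
    """Parse one dump line into a dict; returns None for lines that are not flows."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    # Stats fields (cookie, duration, table, n_packets, ...) are separated by ", ";
    # the final segment holds the priority and the match fields separated by ",".
    parts = [p.strip() for p in m.group("attrs").split(", ")]
    flow = {"actions": m.group("actions").strip(), "match": {}}
    for part in parts[:-1]:
        key, _, value = part.partition("=")
        flow[key] = value
    for token in parts[-1].split(","):
        key, sep, value = token.partition("=")
        flow["match"][key] = value if sep else True  # bare tokens such as "ip" or "arp"
    flow["table"] = int(flow["table"])
    flow["n_packets"] = int(flow.get("n_packets", "0"))
    flow["priority"] = int(flow["match"].pop("priority", "32768"))  # OVS default priority
    if "ct_state" in flow["match"]:
        flow["ct_state"] = parse_ct_state(flow["match"]["ct_state"])
    return flow


def parse_dump(text):
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return [f for f in flows if f is not None]


def flows_per_table(flows):
    return dict(Counter(f["table"] for f in flows))


def hit_flows(flows):
    """Flows whose packet counter is non-zero, ordered by table then descending priority.

    Reading the dump twice and comparing this list is the quickest way to see
    which rule a test packet actually matched."""
    return sorted((f for f in flows if f["n_packets"] > 0),
                  key=lambda f: (f["table"], -f["priority"]))


def drop_flows(flows, port_reg5=None):
    """Drop rules, optionally narrowed to those that can affect one port.

    A drop rule with no reg5 match applies to every port, so it is kept
    whichever port is asked about."""
    out = []
    for f in flows:
        if f["actions"] != "drop":
            continue
        reg5 = f["match"].get("reg5")
        if port_reg5 is None or reg5 is None or reg5 == port_reg5:
            out.append(f)
    return out


def describe(flow):
    """One-line human-readable rendering of a parsed flow."""
    match = " ".join(k if v is True else f"{k}={v}" for k, v in flow["match"].items())
    return (f"table {flow['table']} prio {flow['priority']} "
            f"[{flow['n_packets']} pkts] {match} -> {flow['actions']}")


if __name__ == "__main__":
    flows = parse_dump(SAMPLE_DUMP)
    print("flows per table:", flows_per_table(flows))
    print("flows that saw traffic:")
    for f in hit_flows(flows):
        print("  " + describe(f))
    print("drop rules that can affect port reg5=0x5:")
    for f in drop_flows(flows, "0x5"):
        print("  " + describe(f))
```

To use it against a live host, replace `SAMPLE_DUMP` with the output of `ovs-ofctl -O OpenFlow13 dump-flows br-int`; the two views that matter most when debugging a security group are `hit_flows` (which rules a test packet traversed) and `drop_flows` for the port's `reg5` value (which drop rules could have discarded it).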