[Openstack-operators] [nova] Anyone using libvirt driver port filtering with neutron?
sfinucan at redhat.com
Thu Mar 23 14:08:51 UTC 2017
The nova libvirt driver provides support for ebtables-based port
filtering (using libvirt's nwfilter) to prevent things like MAC, IP
and/or ARP spoofing. I've been looking into deprecating this as part of
the move to deprecate all things nova-network'y, but it appears that,
in some scenarios, it is possible to use this feature with neutron. To
do so, the following must be true:
- neutron's own port filtering must be disabled (as reported in the
port binding)
- security groups must be disabled
- the 'firewall_driver' configuration option must be set to
'libvirt.firewall.IptablesFirewallDriver'
- you must be using linux bridge in some capacity, either as your main
networking backend or through the use of hybrid interfaces
It took me a long time to identify that this feature even existed, due
to a lack of documentation on the matter and the fact that the code is
very intertwined with nova-network code. Given this lack of
documentation, the explicit action required to disable both security
groups and neutron's own port filtering, and nova's long standing
recommendation that one set 'firewall_driver' to the
'NoopFirewallDriver' when using neutron, I'm unsure if anyone is
actually using this.
Could anyone that /is/ using this please make yourself known? If no one
is, this feature is providing a good deal of complexity for little ROI,
and I can deprecate and remove it.
Cheers,
Stephen
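To help operators answer the question above, here is an added example (not from the thread or from nova's code) that evaluates the four conditions against a nova.conf fragment and a neutron port record. It assumes the neutron port fields `binding:vif_details['port_filter']`, `binding:vif_details['ovs_hybrid_plug']`, `binding:vif_type == 'bridge'`, `security_groups` and `port_security_enabled`, and that `nova.virt.libvirt.firewall.IptablesFirewallDriver` is the long-form name of the driver the mail calls `libvirt.firewall.IptablesFirewallDriver`; the sample config and port are constructed.

```python
import configparser

# Short name from the mail plus its assumed long-form dotted path.
LIBVIRT_IPTABLES_DRIVERS = {
    "libvirt.firewall.IptablesFirewallDriver",
    "nova.virt.libvirt.firewall.IptablesFirewallDriver",
}


def parse_firewall_driver(nova_conf_text):
    """Return [DEFAULT] firewall_driver from nova.conf text, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(nova_conf_text)
    return cp.get("DEFAULT", "firewall_driver", fallback=None)


def uses_libvirt_port_filtering(firewall_driver, port):
    """Check the four conditions from the mail for one neutron port.

    Returns (True, []) when the libvirt nwfilter path is in use, otherwise
    (False, [reasons why a condition did not hold])."""
    vif_details = port.get("binding:vif_details") or {}
    failed = []
    # 1. neutron's own port filtering is off (assumed key: port_filter)
    if vif_details.get("port_filter", False):
        failed.append("neutron reports port_filter enabled on the binding")
    # 2. no security groups / port security on the port (assumed fields)
    if port.get("security_groups") or port.get("port_security_enabled", False):
        failed.append("security groups or port security still enabled")
    # 3. nova is configured with the libvirt iptables driver, not Noop
    if firewall_driver not in LIBVIRT_IPTABLES_DRIVERS:
        failed.append("firewall_driver is %r, not IptablesFirewallDriver" % firewall_driver)
    # 4. linux bridge in the path: native bridge VIF or OVS hybrid plug (assumed)
    if not (port.get("binding:vif_type") == "bridge" or vif_details.get("ovs_hybrid_plug")):
        failed.append("no linux bridge in the VIF path")
    return (not failed, failed)


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_NOVA_CONF = "[DEFAULT]\nfirewall_driver = libvirt.firewall.IptablesFirewallDriver\n"
SAMPLE_PORT = {
    "binding:vif_type": "bridge",
    "binding:vif_details": {"port_filter": False},
    "security_groups": [],
    "port_security_enabled": False,
}

if __name__ == "__main__":
    driver = parse_firewall_driver(SAMPLE_NOVA_CONF)
    print(uses_libvirt_port_filtering(driver, SAMPLE_PORT))
```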