[Openstack-operators] [nova] Anyone using libvirt driver port filtering with neutron?
Mathieu Gagné
mgagne at calavera.ca
Thu Mar 23 16:39:57 UTC 2017
On Thu, Mar 23, 2017 at 10:08 AM, <sfinucan at redhat.com> wrote:
> The nova libvirt driver provides support for ebtables-based port
> filtering (using libvirt's nwfilter) to prevent things like MAC, IP
> and/or ARP spoofing. I've been looking into deprecating this as part of
> the move to deprecate all things nova-network'y, but it appears that,
> in some scenarios, it is possible to use this feature with neutron.
Isn't ARP spoofing support now part of Neutron, at least for
Linuxbridge mechanism?
https://review.openstack.org/#/c/196986/
We do use the feature you mentioned but there is too much hack or code
change you need to do to benefit from it.
Especially in our case as you can't use both Neutron network manager
(with security groups, allowed address pairs, etc.) and Nova iptables
driver to benefit from libvirt's nwfilter anti-ARP spoofing.
We are still running Kilo and will be migrating to Mitaka which has
the ARP spoofing protection built-in in Neutron. So no, in our case, I
don't see a reason to keep this feature around as you can get the same
with Neutron port-security extension.
More information about the OpenStack-operators
mailing list