[Openstack] Neutron Service Chains with Linux Bridge?

Kevin Benton kevin at benton.pub
Mon Nov 14 23:09:51 UTC 2016

Well it's not really that Linux Bridge isn't capable of doing the basic
operations used in OVS right now by service chains. Using combinations of
ebtables and iptables (or just nftables), we can get the packet header
rewrites required.

It's mainly an issue of lack of contributors for that type of solution.
Right now the linux bridge agent pretty much just lets the bridge behave
like a bridge, so we don't have the scaffolding setup for complex packet
manipulation pipelines (beyond the basic anti-ARP spoofing and security
groups implementation).

If someone really wanted support in the linux bridge agent, and they could
conceivably even accomplish it with the extension points we have now. It's
just going to take some dedicated effort.

On Mon, Nov 14, 2016 at 6:37 AM, CARVER, PAUL <pc2929 at att.com> wrote:

> Michael Gale [mailto:gale.michael at gmail.com] wrote:
> >Does anyone know if the work for Neutron Service Chains supports
> environments built with Linux Bridge as the Neutron ML2 driver?
> I don’t think it’s possible. I’m not aware of any document that says Linux
> Bridge doesn’t support modifications to its forwarding tables, but I think
> that’s for the same reason that it’s unlikely that a car’s owner’s manual
> is unlikely to mention that you can’t seal the doors and use it for deep
> sea exploration. It’s not at all a use case the designers expected.
> Service chaining is all about manipulating the forwarding tables in order
> to override the normal “forward via most direct path to destination”
> behavior. It relies on the dataplane having a standard, documented and
> designed/intended mechanism for manipulating the forwarding tables in
> arbitrary (or at least fairly flexible) ways. I don’t believe Linux Bridge
> was designed with any intention to allow external software to manipulate
> its forwarding behavior on a per packet/per destination basis.
> OvS and several other dataplanes are explicitly designed with the
> expectation and interface for an external controller to manipulate the
> forwarding in rich and flexible ways.
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20161114/bc855598/attachment.html>

More information about the Openstack mailing list