← Back to team overview

openstack team mailing list archive

Re: xcp+quantum+vlans= not working security groups



> From Roman Sokolkov:
> We use XCP + quantum + tenant vlans . One XCP box and one Ubuntu 12.04 box(controller). Nova-compute host it is domU on XCP. Boxes connected with patch-cord and we able to use VLANs inside. 
> There are problems with security groups. They not work at all. 
> We use firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver. And I see expected iptables rules on Dom0, but without any profit. As I understand iptables couldn't work with L2 openvswitch traffic?

Not sure that was tested with VLANs, and I don't think there has (yet) been any work to create and OpenVSwitch based firewall driver. Have you seen specific problems with packets getting around the firewall rules when using openvswitch?

I know there were plans for making an OpenVSwitch firewall driver, but there are some big performance issues around rule explosion. I don't think there is anything penciled in for Folsom right now.

I will get in touch with the networking experts and get back to you.


Follow ups