openstack team mailing list archive

Thread
Date

Re: xcp+quantum+vlans= not working security groups

To: 'Roman Sokolkov' <rsokolkov@xxxxxxxxx>, "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
From: John Garbutt <John.Garbutt@xxxxxxxxxx>
Date: Mon, 14 May 2012 18:36:12 +0100
Accept-language: en-US
Acceptlanguage: en-US
In-reply-to: <CACN2ZVCx1NGDH2zmkxLNW=-D9azpkRp=4nhmWvcinFBpwRgdjw@mail.gmail.com>
Thread-index: Ac0xybhtP+S0fXNcSvuE4QarPAJo1wALUIbQ
Thread-topic: [Openstack] xcp+quantum+vlans= not working security groups

Hi,

> From Roman Sokolkov:
> We use XCP + quantum + tenant vlans . One XCP box and one Ubuntu 12.04 box(controller). Nova-compute host it is domU on XCP. Boxes connected with patch-cord and we able to use VLANs inside. 
> There are problems with security groups. They not work at all. 
> We use firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver. And I see expected iptables rules on Dom0, but without any profit. As I understand iptables couldn't work with L2 openvswitch traffic?

Not sure that was tested with VLANs, and I don't think there has (yet) been any work to create and OpenVSwitch based firewall driver. Have you seen specific problems with packets getting around the firewall rules when using openvswitch?

I know there were plans for making an OpenVSwitch firewall driver, but there are some big performance issues around rule explosion. I don't think there is anything penciled in for Folsom right now.

I will get in touch with the networking experts and get back to you.

Thanks,
John

Follow ups

Re: xcp+quantum+vlans= not working security groups
From: Dan Wendlandt, 2012-05-14

References

xcp+quantum+vlans= not working security groups
From: Roman Sokolkov, 2012-05-14