openstack team mailing list archive
Message #11695
Re: xcp+quantum+vlans= not working security groups
Hi,
> From Roman Sokolkov:
> We use XCP + quantum + tenant VLANs. One XCP box and one Ubuntu 12.04 box (controller). The nova-compute host is a domU on XCP. The boxes are connected with a patch cord and we are able to use VLANs inside.
> There are problems with security groups. They do not work at all.
> We use firewall_driver=nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver. And I see the expected iptables rules on Dom0, but without any profit. As I understand, iptables couldn't work with L2 openvswitch traffic?
Not sure that was tested with VLANs, and I don't think there has (yet) been any work to create an OpenVSwitch based firewall driver. Have you seen specific problems with packets getting around the firewall rules when using openvswitch?
I know there were plans for making an OpenVSwitch firewall driver, but there are some big performance issues around rule explosion. I don't think there is anything penciled in for Folsom right now.
I will get in touch with the networking experts and get back to you.
Thanks,
John