
yahoo-eng-team team mailing list archive

[Bug 1461000] [NEW] [rfe] openvswitch based firewall driver

 

Public bug reported:

Nowadays, when using openvswitch-agent with security groups we must use
hybrid bridging, i.e. per instance we have both an openvswitch bridge and
a linux bridge. The rationale behind this approach is to set filtering
rules matching on the given linux bridge.

We can get rid of the linux bridge if filtering is done directly in
openvswitch via openflow rules. The benefits of this approach are better
throughput in the data plane due to removal of the linux bridge and faster
rule filtering due to not using the physdev extension in iptables. Another
improvement is in the control plane because currently setting rules via
the iptables firewall driver doesn't scale well.

This RFE requests a new firewall driver that is capable of filtering
packets based on specified security groups using openvswitch only.
The requirement for OVS is to have conntrack support, which is planned to
be released with OVS 2.4.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1461000

Title:
  [rfe] openvswitch based firewall driver

Status in OpenStack Neutron (virtual network service):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1461000/+subscriptions
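As an added, illustrative example (not code from the bug report or from Neutron): the same security group policy, "allow all egress, allow ingress TCP/22 from 10.0.0.0/24", written once as iptables rules in the hybrid model, where the physdev match ties the rules to a Linux bridge port, and once as OpenFlow flows that use the OVS ct() action and need no Linux bridge. Every name in it is hypothetical (tap device tap1234, OVS port number 5, VM MAC fa:16:3e:aa:bb:cc, bridge br-int, the chain names), the chain layout is a simplification of what Neutron's driver does, and the flow tables are a minimal sketch of what an OVS-only driver would have to install.

```shell
#!/bin/sh
# Added example, not from the bug report or from Neutron. Shows one security
# group ("allow all egress; allow ingress TCP/22 from 10.0.0.0/24") enforced
# two ways. All names are hypothetical: tap device tap1234, OVS port number 5,
# VM MAC fa:16:3e:aa:bb:cc, bridge br-int, and the chain names.

# Hybrid model: the VM sits behind a Linux bridge so that iptables can match
# the bridge port with the physdev module. Every frame takes the bridge path
# and walks the chains; this is what the RFE wants to remove.
# (Simplified; Neutron's real driver uses its own chain layout.)
hybrid_iptables_rules() {
    tap=$1; cidr=$2; dport=$3
    cat <<EOF
iptables -N VM-IN-$tap
iptables -N VM-OUT-$tap
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out $tap -j VM-IN-$tap
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $tap -j VM-OUT-$tap
iptables -A VM-IN-$tap -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
iptables -A VM-IN-$tap -p tcp -s $cidr --dport $dport -m conntrack --ctstate NEW -j RETURN
iptables -A VM-IN-$tap -j DROP
iptables -A VM-OUT-$tap -m conntrack --ctstate INVALID -j DROP
iptables -A VM-OUT-$tap -j RETURN
EOF
}

# OVS-only model: the policy is OpenFlow flows on the integration bridge and
# the ct() action does the stateful part, so this needs an OVS built with
# conntrack support. Table 0 classifies, table 1 is egress (VM -> network),
# table 2 is ingress (network -> VM). Untracked IP packets are sent through
# conntrack and re-enter the policy table with ct_state populated.
# Simplification: VM-to-VM traffic on the same bridge leaves via NORMAL in
# table 1 and skips the destination's ingress table; a real driver has to
# resubmit such traffic to table 2 as well.
ovs_sg_flows() {
    ofport=$1; mac=$2; cidr=$3; dport=$4
    cat <<EOF
table=0,priority=100,in_port=$ofport,ip,ct_state=-trk,actions=ct(table=1)
table=0,priority=100,dl_dst=$mac,ip,ct_state=-trk,actions=ct(table=2)
table=0,priority=0,actions=NORMAL
table=1,priority=100,ct_state=+trk+inv,ip,actions=drop
table=1,priority=90,ct_state=+trk+est,ip,actions=NORMAL
table=1,priority=90,ct_state=+trk+rel,ip,actions=NORMAL
table=1,priority=80,ct_state=+trk+new,ip,actions=ct(commit),NORMAL
table=1,priority=0,actions=drop
table=2,priority=100,ct_state=+trk+inv,ip,actions=drop
table=2,priority=90,ct_state=+trk+est,ip,actions=NORMAL
table=2,priority=90,ct_state=+trk+rel,ip,actions=NORMAL
table=2,priority=80,ct_state=+trk+new,tcp,nw_src=$cidr,tp_dst=$dport,actions=ct(commit),NORMAL
table=2,priority=0,actions=drop
EOF
}

# Install the flows with ovs-ofctl only when explicitly asked for and the
# tool is present; otherwise print them, so the script runs anywhere.
apply_ovs_sg_flows() {
    bridge=$1; shift
    if [ "${OVS_APPLY:-0}" = 1 ] && command -v ovs-ofctl >/dev/null 2>&1; then
        ovs_sg_flows "$@" | ovs-ofctl -O OpenFlow13 add-flows "$bridge" -
    else
        echo "# flows for $bridge (set OVS_APPLY=1 on an OVS host to install them):"
        ovs_sg_flows "$@"
    fi
}

# Demo with the hypothetical names.
echo "# hybrid (iptables + physdev) rules:"
hybrid_iptables_rules tap1234 10.0.0.0/24 22
apply_ovs_sg_flows br-int 5 fa:16:3e:aa:bb:cc 10.0.0.0/24 22
```

Run it as `OVS_APPLY=1 sh sg_flows.sh` on a host with ovs-ofctl to actually install the flows; without that it only prints both rule sets. The contrast is the point of the RFE: in the hybrid model every frame for the VM has to pass a Linux bridge and be matched by the physdev module before iptables walks the chains, whereas with ct() an established flow is classified by conntrack once and then matched by a single high-priority OpenFlow flow in the OVS fast path.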
