yahoo-eng-team team mailing list archive

[Bug 1461000] Re: [rfe] openvswitch based firewall driver


Reviewed:  https://review.openstack.org/249337
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ef29f7eb9a2a37133eacdb7f019b48ec3f9a42c3
Submitter: Jenkins
Branch:    master

commit ef29f7eb9a2a37133eacdb7f019b48ec3f9a42c3
Author: Jakub Libosvar <libosvar@xxxxxxxxxx>
Date:   Tue Sep 1 15:50:48 2015 +0000

    Open vSwitch conntrack based firewall driver
    
    This firewall requires an OVS 2.5+ version supporting conntrack and kernel
    conntrack datapath support (kernel>=4.3). For more information, see
    https://github.com/openvswitch/ovs/blob/master/FAQ.md
    
    As part of this, new entry points for the current reference firewalls were
    added.
    
    Configuration:
    in openvswitch_agent.ini:
        - in securitygroup section set firewall_driver to openvswitch
    
    DocImpact
    Closes-bug: #1461000
    
    Co-Authored-By: Miguel Angel Ajo Pelayo <mangelajo@xxxxxxxxxx>
    Co-Authored-By: Amir Sadoughi <amir.sadoughi@xxxxxxxxxxxxx>
    
    Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1461000

Title:
  [rfe] openvswitch based firewall driver

Status in neutron:
  Fix Released

Bug description:
  Nowadays, when using openvswitch-agent with security groups we must
  use hybrid bridging, i.e. per instance we have both openvswitch bridge
  and linux bridge. The rationale behind this approach is to set
  filtering rules matching on given linux bridge.

  We can get rid of the linux bridge if filtering is done directly in
  openvswitch via openflow rules. The benefits of this approach are
  better throughput in the data plane due to removal of the linux bridge and
  faster rule filtering due to not using the physdev extension in iptables.
  Another improvement is in the control plane because currently setting
  rules via the iptables firewall driver doesn't scale well.

  This RFE requests a new firewall driver that is capable of filtering
  packets based on specified security groups using openvswitch only.
  Requirement for OVS is to have conntrack support which is planned to
  be released with OVS 2.4.

  UPDATE (2015-06-02 jlibosva): What we want to achieve with this rfe is
  to use security groups with openvswitch-agent without needing a
  linux bridge. The reasons for this include performance and easier
  debugging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1461000/+subscriptions
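The bug text describes the idea (stateful security-group filtering expressed as OpenFlow rules that use OVS conntrack, with no linux bridge and no iptables physdev match) but not what such rules look like. The following is an added example written for this page; it is not code from the neutron driver committed above, and it does not reproduce that driver's table layout. The table numbers (71, 72), priorities, the conntrack zone, and the choice to identify the VM port by `in_port` for egress and by `dl_dst` for ingress are all assumptions made for the illustration, as is the sample rule fed to it.

```python
"""Added example (not neutron's own code): turn security-group rules into OVS
OpenFlow flows that filter with conntrack (ct_state / ct()) instead of the
hybrid linux-bridge + iptables physdev setup.  Table numbers, priorities, the
conntrack zone and the port-identification matches are assumptions."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

TABLE_SG = 71      # assumed table holding the per-port security-group logic
TABLE_ACCEPT = 72  # assumed table that accepted packets are resubmitted to


@dataclass
class SGRule:
    """A Neutron-style security-group rule (IPv4 only in this example)."""
    direction: str                  # "ingress" (to the VM) or "egress" (from it)
    protocol: Optional[str] = None  # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int] = None  # tcp/udp port range, or icmp type
    port_max: Optional[int] = None  # tcp/udp port range end, or icmp code
    remote_cidr: Optional[str] = None


def port_range_to_masks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split [lo, hi] into value/mask pairs usable as tp_dst=VALUE/MASK.
    Each pair is an aligned power-of-two block, so 8000-8002 becomes
    8000/0xfffe (8000 and 8001) plus 8002/0xffff.  This is what lets one
    OpenFlow flow stand in for a whole iptables --dport range."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("bad port range")
    out = []
    while lo <= hi:
        k = 0  # grow the block while it stays aligned and inside the range
        while k < 16 and not lo & (1 << k) and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        out.append((lo, (0xFFFF << k) & 0xFFFF))
        lo += 1 << k
    return out


def _port_match(direction: str, ofport: int, mac: str) -> str:
    # Assumption: the VM is the source of egress traffic (match its in_port)
    # and the destination of ingress traffic (match its MAC).
    return f"in_port={ofport}" if direction == "egress" else f"dl_dst={mac}"


def base_flows(ofport: int, mac: str, zone: int) -> List[str]:
    """Stateful skeleton for one VM port: untracked packets are run through
    conntrack, established/related traffic is accepted without consulting
    the rules, invalid packets are dropped, and only +new packets fall
    through to the rule flows.  The per-port zone keeps this port's
    conntrack entries apart from other ports', so tenants with overlapping
    addresses do not share connection state."""
    flows = []
    for direction in ("egress", "ingress"):
        m = _port_match(direction, ofport, mac)
        flows += [
            f"table={TABLE_SG},priority=100,{m},ip,ct_state=-trk "
            f"actions=ct(zone={zone},table={TABLE_SG})",
            f"table={TABLE_SG},priority=90,{m},ip,ct_state=+trk+est-inv "
            f"actions=resubmit(,{TABLE_ACCEPT})",
            f"table={TABLE_SG},priority=90,{m},ip,ct_state=+trk+rel-inv "
            f"actions=resubmit(,{TABLE_ACCEPT})",
            f"table={TABLE_SG},priority=89,{m},ip,ct_state=+trk+inv actions=drop",
        ]
    return flows


def rule_to_flows(rule: SGRule, ofport: int, mac: str, zone: int) -> List[str]:
    """One SG rule -> one or more flows that commit a +new connection to
    conntrack, so its replies later hit the +est flow without rule lookup."""
    proto = rule.protocol or "ip"  # "ip" alone matches any IPv4 protocol
    match = [f"table={TABLE_SG}", "priority=80",
             _port_match(rule.direction, ofport, mac), proto]
    if rule.remote_cidr:  # ingress: remote is the source; egress: the destination
        side = "nw_src" if rule.direction == "ingress" else "nw_dst"
        match.append(f"{side}={rule.remote_cidr}")
    match.append("ct_state=+trk+new")
    actions = f"actions=ct(commit,zone={zone}),resubmit(,{TABLE_ACCEPT})"
    if proto == "icmp" and rule.port_min is not None:
        match.append(f"icmp_type={rule.port_min}")
        if rule.port_max is not None:
            match.append(f"icmp_code={rule.port_max}")
    if proto not in ("tcp", "udp") or rule.port_min is None:
        return [",".join(match) + " " + actions]
    hi = rule.port_max if rule.port_max is not None else rule.port_min
    flows = []
    for val, mask in port_range_to_masks(rule.port_min, hi):
        tp = f"tp_dst={val}" if mask == 0xFFFF else f"tp_dst={val}/0x{mask:04x}"
        flows.append(",".join(match + [tp]) + " " + actions)
    return flows


def port_flows(rules: List[SGRule], ofport: int, mac: str, zone: int) -> List[str]:
    """Complete flow set for a port: skeleton, rule flows, then default deny."""
    flows = base_flows(ofport, mac, zone)
    for r in rules:
        flows += rule_to_flows(r, ofport, mac, zone)
    flows.append(f"table={TABLE_SG},priority=0 actions=drop")  # default deny
    return flows


if __name__ == "__main__":
    # Constructed sample: allow SSH from one subnet and a small port range.
    sample = [SGRule("ingress", "tcp", 22, 22, "10.0.0.0/24"),
              SGRule("ingress", "tcp", 8000, 8002),
              SGRule("egress")]
    print("\n".join(port_flows(sample, 5, "fa:16:3e:00:00:01", 1)))
```

The printed lines are in the syntax `ovs-ofctl add-flows <bridge> -` accepts; note that `ct_state` matching and the `ct()` action exist only in OVS builds with conntrack support, which is exactly the OVS/kernel requirement the commit message states.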
