On 04/17/2014 06:37 AM, CARVER, PAUL wrote:
Aaron Rosen wrote:

Sorry not really. It's still not clear to me why multiple nics would be
required on the same L2 domain.

I’m a fan of this old paper for nostalgic reasons
http://static.usenix.org/legacy/publications/library/proceedings/neta99/full_papers/limoncelli/limoncelli.pdf
but a search for transparent or bridging firewall turns up tons of hits.

Whether any of them are valid use cases for OpenStack is something that
we could debate, but the general concept of putting two firewall
interfaces into the same L2 domain and using it to control traffic flow
between different hosts on the same L2 domain has at least five years of
history behind it.

If you want it to act as a transparent firewall then you really need two separate physical networks where the firewall acts as a bridge between them. Otherwise the traffic isn't forced to go through the firewall; it can just go directly to the target MAC address.

To do this in OpenStack I think you'd need to decouple virtual networks from virtual DHCP. So then you'd be able to do stuff like:

1) Create network A with no dhcp server or IP subnet.
2) Create network B with a subnet and dhcp server.
3) Create VM C with a NIC in each network, acting as a bridge/firewall.
4) Connect network B to the outside world.
5) Create VM D with a NIC in network A, it does DHCP broadcast, VM C forwards the DHCP request to network B where it gets assigned an address.
6) D can then talk to the outside world with C deciding what outside packets are allowed through to it, monitoring/logging the traffic, doing traffic shaping, etc.

I wonder if you could do something like this with OpenStack as-is? Maybe configure network A with no router, and with an IP address range that doesn't overlap with network B. Then configure network B with a non-overlapping address range but also with a router? Then C could still forward packets between the networks...

Chris

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
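The guest-side configuration for VM C in the two-network layout of steps 1) to 6) above, as an added example: this is not code from the thread, from OpenStack or from Neutron, but a Linux bridge-plus-iptables setup of the kind the message describes. It assumes hypothetical interface names eth0 (facing network A, where D lives) and eth1 (facing network B, with the subnet, DHCP server and router), a bridge br0 that carries no IP address so C stays invisible at L3, and iptables with the physdev and conntrack matches. It also assumes that whatever per-port MAC/IP anti-spoofing filtering the Neutron security-group driver applies to C's two ports has been disabled or relaxed for them, because C forwards frames that carry D's source MAC; the thread does not discuss that constraint. The script prints the commands by default and only executes them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Transparent (bridging) firewall for VM C. Added example; interface names,
# bridge name and the permitted inbound port list are assumptions.
set -eu

INSIDE_IF="${INSIDE_IF:-eth0}"      # toward network A (protected VMs, e.g. D)
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"    # toward network B (DHCP server, router, outside)
BRIDGE="${BRIDGE:-br0}"             # gets no IP address: C is not an L3 hop
ALLOWED_INBOUND_TCP="${ALLOWED_INBOUND_TCP:-22}"  # space-separated ports reachable on A from outside

# Print one command, or execute it when DRY_RUN=0 (needs root on C).
run() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Bridge the two NICs so every frame between A and B passes through C,
# and make the bridged IP traffic visible to the iptables FORWARD chain.
bridge_setup() {
    run ip link add "$BRIDGE" type bridge
    run ip link set "$INSIDE_IF" master "$BRIDGE"
    run ip link set "$OUTSIDE_IF" master "$BRIDGE"
    run ip link set "$INSIDE_IF" up
    run ip link set "$OUTSIDE_IF" up
    run ip link set "$BRIDGE" up
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Default-deny policy on the bridge; direction is taken from the physical
# port a frame entered and will leave (physdev), not from IP addresses.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Step 5: D's DHCP discover (client port 68 -> server port 67) may cross
    # to B, and the server's offer/ack may come back to A.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" --physdev-out "$OUTSIDE_IF" \
        -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" --physdev-out "$INSIDE_IF" \
        -p udp --sport 67 --dport 68 -j ACCEPT
    # Step 6: anything A initiates goes out; from outside only replies return.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" --physdev-out "$OUTSIDE_IF" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" --physdev-out "$INSIDE_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicitly permitted inbound services on A (word-splitting is intended).
    for port in $ALLOWED_INBOUND_TCP; do
        run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE_IF" --physdev-out "$INSIDE_IF" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate-limited) what falls through to the DROP policy.
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "bridge-fw drop: "
}

# Running the file directly applies both stages (printing unless DRY_RUN=0).
if [ "${0##*/}" = "bridge-fw.sh" ]; then
    bridge_setup
    firewall_rules
fi
```

Because the bridge has no address, C cannot be reached over either bridged network; give it a third NIC or rely on the console for management. The physdev match is what makes this a firewall rather than a router: the policy is enforced on the only path between the two L2 segments, which is exactly the property a single-NIC design on one L2 domain lacks.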
