Reviewed: https://review.openstack.org/249337 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ef29f7eb9a2a37133eacdb7f019b48ec3f9a42c3 Submitter: Jenkins Branch: master
commit ef29f7eb9a2a37133eacdb7f019b48ec3f9a42c3 Author: Jakub Libosvar <libos...@redhat.com> Date: Tue Sep 1 15:50:48 2015 +0000 Open vSwitch conntrack based firewall driver This firewall requires OVS 2.5+ version supporting conntrack and kernel conntrack datapath support (kernel>=4.3). For more information, see https://github.com/openvswitch/ovs/blob/master/FAQ.md As part of this new entry points for current reference firewalls were added. Configuration: in openvswitch_agent.ini: - in securitygroup section set firewall_driver to openvswitch DocImpact Closes-bug: #1461000 Co-Authored-By: Miguel Angel Ajo Pelayo <mangel...@redhat.com> Co-Authored-By: Amir Sadoughi <amir.sadou...@rackspace.com> Change-Id: I13e5cda8b5f3a13a60b14d80e54f198f32d7a529 ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1461000 Title: [rfe] openvswitch based firewall driver Status in neutron: Fix Released Bug description: Nowadays, when using openvswitch-agent with security groups we must use hybrid bridging, i.e. per instance we have both openvswitch bridge and linux bridge. The rationale behind this approach is to set filtering rules matching on given linux bridge. We can get rid of linux bridge if filtering is done directly in openvswitch via openflow rules. The benefits of this approach are better throughput in data plain due to removal of linux bridge and faster rule filtering due to not using physdev extension in iptables. Another improvement is in control plain because currently setting rules via iptables firewall driver doesn't scale well. This RFE requests a new firewall driver that is capable of filtering packets based on specified security groups using openvswitch only. Requirement for OVS is to have conntrack support which is planned to be released with OVS 2.4. UPDATE (2015-06-02 jlibosva): What we want to achieve with this rfe is to use security groups with openvswitch-agent without having a need of linux bridge. The reasons for this include performance and easier debugging. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1461000/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp