[RFE] ovs openflow security group driver
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Won't Fix | Wishlist | Unassigned | |
Bug Description
When using the standard kernel OVS it may be desirable, for performance reasons, to use an OVS-based security group driver.
When using OVS with DPDK it is not possible to use a kernel (iptables) based security group driver.
One effort leveraging the newly added kernel connection tracker support in OVS is tracked by
https:/
OVS integration with conntrack will be supported in the upcoming OVS 2.5 release.
At present the proposed 2.5 release will only support conntrack with the Linux kernel dataplane;
as such, a conntrack-based OpenFlow security group driver cannot currently be used with the DPDK, Windows or BSD
dataplanes.
To support the security group API with OVS without conntrack, we would like to submit the learn-action-based OpenFlow firewall driver
currently hosted in networking-ovs-dpdk for inclusion in neutron.
https:/
The networking-ovs-dpdk OVSFirewallDriver was originally developed for Liberty with support for IPv4 only.
Subsequently, support for IPv6 and multicast has been developed (should be completed this week).
As this security group driver utilizes reflective learn actions instead of connection tracking, it can in theory support
all OVS datapaths. The driver has been developed and tested with OVS 2.4 and both the Linux kernel and DPDK datapaths.
Note that while both the iptables and connection tracking approaches provide a stateful security group implementation,
the learn-action-based OVS firewall driver uses a stateless design.
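The two preceding points (reverse flows created by reflective learn actions rather than conntrack, and the resulting stateless design) are easier to see with a concrete flow. The following is an added example written for this page; it is not code from networking-ovs-dpdk or neutron. It renders the ovs-ofctl style `learn()` action that an egress rule would carry, and runs a small two-table simulator so the behaviour of the learned reverse flow can be checked. The table numbers (10, 20), the 30-second idle timeout, the field names of the simulator and all addresses are assumptions constructed for the illustration.

```python
"""Reflective OVS learn() action as used by a stateless OpenFlow firewall.

Added example for this RFE; it is not code from networking-ovs-dpdk or neutron.
Table numbers, the idle timeout and the simulator's field names are assumptions
chosen for illustration.
"""
from dataclasses import dataclass

EGRESS_TABLE = 10        # assumed: traffic leaving the VM port is checked here
INGRESS_TABLE = 20       # assumed: learned reverse flows are installed here
LEARN_IDLE_TIMEOUT = 30  # assumed: seconds a learned reverse flow survives idle


def learn_flow_for_egress_rule(in_port: int, nw_proto: int, tp_dst: int) -> str:
    """Render an ovs-ofctl style flow for one "allow egress to tp_dst" rule.

    The learn() action copies the packet's IPs and L4 ports into a new flow in
    INGRESS_TABLE with source and destination swapped, so the reply is admitted
    with no connection tracker involved. The NXM field names are the real OVS
    learn() syntax; the table layout around them is assumed.
    """
    l4 = "TCP" if nw_proto == 6 else "UDP"
    learn = (
        f"learn(table={INGRESS_TABLE},idle_timeout={LEARN_IDLE_TIMEOUT},priority=100,"
        f"eth_type=0x0800,nw_proto={nw_proto},"
        "NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],"
        f"NXM_OF_{l4}_SRC[]=NXM_OF_{l4}_DST[],NXM_OF_{l4}_DST[]=NXM_OF_{l4}_SRC[],"
        "output:NXM_OF_IN_PORT[])"
    )
    return (f"table={EGRESS_TABLE},priority=100,in_port={in_port},ip,{l4.lower()},"
            f"tp_dst={tp_dst},actions={learn},normal")


@dataclass
class Packet:
    nw_src: str
    nw_dst: str
    nw_proto: int        # 6 = TCP, 17 = UDP
    tp_src: int
    tp_dst: int
    tcp_flags: str = ""  # kept for the reader; no flow below ever inspects it


@dataclass
class Flow:
    table: int
    match: dict
    learn_reverse: bool = False  # True models the learn() action rendered above


class FlowTables:
    """Minimal two-table pipeline: exact-match rules, first hit wins."""

    def __init__(self) -> None:
        self.flows = []  # list of Flow

    def add(self, flow: Flow) -> None:
        self.flows.append(flow)

    def lookup(self, table: int, pkt: Packet):
        for f in self.flows:
            if f.table == table and all(getattr(pkt, k) == v for k, v in f.match.items()):
                return f
        return None

    def egress(self, pkt: Packet) -> bool:
        """VM -> network. A hit on a rule with learn_reverse installs the swapped
        5-tuple in INGRESS_TABLE, mimicking what learn() does in the datapath."""
        f = self.lookup(EGRESS_TABLE, pkt)
        if f is None:
            return False
        if f.learn_reverse:
            self.add(Flow(INGRESS_TABLE, {
                "nw_src": pkt.nw_dst, "nw_dst": pkt.nw_src, "nw_proto": pkt.nw_proto,
                "tp_src": pkt.tp_dst, "tp_dst": pkt.tp_src}))
        return True

    def ingress(self, pkt: Packet) -> bool:
        """Network -> VM: admitted only if a learned reverse flow matches."""
        return self.lookup(INGRESS_TABLE, pkt) is not None


def demo() -> dict:
    """Walk a TCP exchange through the tables; returns what was admitted."""
    tables = FlowTables()
    # Security group rule: egress TCP/80 allowed (constructed example).
    tables.add(Flow(EGRESS_TABLE, {"nw_proto": 6, "tp_dst": 80}, learn_reverse=True))
    vm, server, other = "10.0.0.5", "203.0.113.10", "203.0.113.99"  # constructed addresses
    syn = Packet(vm, server, 6, 40000, 80, "SYN")
    reply = Packet(server, vm, 6, 80, 40000, "SYN,ACK")
    stray = Packet(other, vm, 6, 80, 40000, "SYN,ACK")
    late_rst = Packet(server, vm, 6, 80, 40000, "RST")
    return {
        "reply_before_request": tables.ingress(reply),  # False: nothing learned yet
        "request": tables.egress(syn),                  # True: rule hit, reverse flow learned
        "reply_after_request": tables.ingress(reply),   # True: learned 5-tuple matches
        "other_host": tables.ingress(stray),            # False: source address differs
        # Stateless design, as the RFE notes: the learned flow is a 5-tuple match
        # with an idle timeout; TCP flags/state are not validated as conntrack would.
        "same_tuple_any_flags": tables.ingress(late_rst),  # True
    }


if __name__ == "__main__":
    print(learn_flow_for_egress_rule(in_port=1, nw_proto=6, tp_dst=80))
    print(demo())
```

The simulator deliberately stops where the learned flow stops: it matches the reverse 5-tuple until the idle timeout expires and never consults TCP state, which is the practical meaning of "stateless" in the trade-off the report describes against the iptables and conntrack drivers.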
If both the conntrack and learn-based security group drivers are accepted for the Mitaka cycle, the deployer
will then be able to select which driver to use based on the requirements of their system:
- If the system has OVS 2.5+, the kernel datapath and a kernel with conntrack support, the conntrack-based security group driver can be used.
- If the system has OVS 2.4+ with the userspace netdev datapath (BSD/DPDK) or the kernel datapath (Linux and possibly Windows), the learn-based security group driver can be used.
- If the system has OVS <= 2.3 and is using the Linux kernel datapath, the current iptables security group driver can be used.
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
summary:
- ovs openflow security group driver
+ [RFE] ovs openflow security group driver

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Fix proposed to branch: master
Review: https://review.openstack.org/264131