Looking at these parameters:
vif_security: {
  require_securitygroup: boolean  # If True, Quantum does not provide security group feature and Nova requires to provide security group feature,
  prevent_spoofing: boolean  # If True, Nova requires to setup IP/MAC spoofing filters (Quantum does not provide it). get_firewall_required() in libvirt/vif.py is expected to return True,
  require_iptables: boolean  # If True, Nova needs to make sure iptables works. If a bridge is
}
I think the first two parameters should be inverted, i.e. rather than telling Nova what to do, they should describe what Quantum has done. I'd also suggest having separate params for IP & MAC spoofing (even if Quantum does provide both at the same time). E.g. I'd prefer to see something like this:
vif_security {
  has_securitygroup: boolean. True if Quantum has provided a security group.
  has_ip_spoofing: boolean. True if Quantum has enabled IP spoofing protection.
  has_mac_spoofing: boolean. True if Quantum has enabled MAC spoofing protection.
  require_iptables: boolean. True if Quantum requires support for iptables.
}
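One way Nova could consume the descriptive flags proposed above, as an added example that is not part of the original comment and is not Nova or Quantum code; the function name and the result keys are hypothetical. It shows one property of flags that describe what Quantum has done: a missing or malformed flag is read as "not provided", so Nova sets up that protection itself.

```python
# Added illustration only. Field names come from the proposal above;
# plan_nova_filtering() and the keys of its result are hypothetical.

PROPOSED_FIELDS = ("has_securitygroup", "has_ip_spoofing",
                   "has_mac_spoofing", "require_iptables")


def plan_nova_filtering(vif_security):
    """Work out what Nova must set up from what Quantum reports.

    A protection counts as provided by Quantum only when its flag is
    literally True. A missing, None or non-boolean value means "not
    provided", so Nova applies the protection itself (fail closed).
    """
    vif_security = vif_security or {}

    def provided(name):
        return vif_security.get(name) is True

    return {
        "nova_security_group": not provided("has_securitygroup"),
        "nova_ip_spoof_filter": not provided("has_ip_spoofing"),
        "nova_mac_spoof_filter": not provided("has_mac_spoofing"),
        "ensure_iptables": provided("require_iptables"),
        # Keys outside the proposal (for example the older
        # prevent_spoofing) are reported, never silently honoured.
        "unknown_fields": sorted(set(vif_security) - set(PROPOSED_FIELDS)),
    }


if __name__ == "__main__":
    # Constructed sample payloads, not captured from a real deployment.
    samples = [
        {"has_securitygroup": True, "has_ip_spoofing": True,
         "has_mac_spoofing": False, "require_iptables": True},
        {"has_ip_spoofing": "true"},   # malformed: string, not boolean
        None,                          # port binding carried no vif_security
    ]
    for sample in samples:
        print(sample, "->", plan_nova_filtering(sample))
```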