2015-06-02 09:51:18 |
Jakub Libosvar |
bug |
|
|
added bug |
2015-06-02 10:15:15 |
Sridhar Gaddam |
bug |
|
|
added subscriber Sridhar Gaddam |
2015-06-02 10:39:58 |
Koji Iida |
bug |
|
|
added subscriber Koji Iida |
2015-06-02 15:27:23 |
Assaf Muller |
tags |
|
rfe |
|
2015-06-02 16:26:22 |
Kyle Mestery |
neutron: status |
New |
Confirmed |
|
2015-06-02 16:27:33 |
Kyle Mestery |
neutron: status |
Confirmed |
Triaged |
|
2015-06-02 17:12:03 |
Jakub Libosvar |
neutron: assignee |
|
Jakub Libosvar (libosvar) |
|
2015-06-02 17:35:57 |
Jakub Libosvar |
description |
Nowadays, when using openvswitch-agent with security groups we must use hybrid bridging, i.e. per instance we have both openvswitch bridge and linux bridge. The rationale behind this approach is to set filtering rules matching on given linux bridge.
We can get rid of linux bridge if filtering is done directly in openvswitch via openflow rules. The benefits of this approach are better throughput in data plane due to removal of linux bridge and faster rule filtering due to not using physdev extension in iptables. Another improvement is in control plane because currently setting rules via iptables firewall driver doesn't scale well.
This RFE requests a new firewall driver that is capable of filtering packets based on specified security groups using openvswitch only. Requirement for OVS is to have conntrack support which is planned to be released with OVS 2.4. |
Nowadays, when using openvswitch-agent with security groups we must use hybrid bridging, i.e. per instance we have both openvswitch bridge and linux bridge. The rationale behind this approach is to set filtering rules matching on given linux bridge.
We can get rid of linux bridge if filtering is done directly in openvswitch via openflow rules. The benefits of this approach are better throughput in data plane due to removal of linux bridge and faster rule filtering due to not using physdev extension in iptables. Another improvement is in control plane because currently setting rules via iptables firewall driver doesn't scale well.
This RFE requests a new firewall driver that is capable of filtering packets based on specified security groups using openvswitch only. Requirement for OVS is to have conntrack support which is planned to be released with OVS 2.4.
UPDATE (2015-06-02 jlibosva): What we want to achieve with this rfe is to use security groups with openvswitch-agent without needing a linux bridge. The reasons for this include performance and easier debugging. |
|
2015-06-03 17:58:51 |
Tony Walker |
bug |
|
|
added subscriber Tony Walker |
2015-06-14 14:06:41 |
yong sheng gong |
bug |
|
|
added subscriber yong sheng gong |
2015-08-17 23:50:16 |
Tomoko Inoue |
bug |
|
|
added subscriber Tomoko Inoue |
2015-10-07 04:19:15 |
Armando Migliaccio |
tags |
rfe |
rfe-approved |
|
2015-10-19 23:21:31 |
Thiago Martins |
bug |
|
|
added subscriber Thiago Martins |
2015-10-20 14:22:30 |
Miguel Angel Ajo |
neutron: importance |
Undecided |
Wishlist |
|
2015-10-23 16:17:19 |
Mickey Spiegel |
bug |
|
|
added subscriber Mickey Spiegel |
2015-11-20 01:49:04 |
Armando Migliaccio |
neutron: milestone |
|
mitaka-1 |
|
2015-11-23 10:24:31 |
Tapio Tallgren |
bug |
|
|
added subscriber Tapio Tallgren |
2015-11-23 12:15:41 |
Sudhakar Gariganti |
bug |
|
|
added subscriber Sudhakar Gariganti |
2015-11-23 21:35:08 |
Randy Tuttle |
bug |
|
|
added subscriber Randy Tuttle |
2015-11-24 06:25:15 |
Wei Li |
bug |
|
|
added subscriber Li Wei |
2015-12-03 19:20:27 |
Armando Migliaccio |
neutron: milestone |
mitaka-1 |
mitaka-2 |
|
2016-01-08 16:09:29 |
OpenStack Infra |
neutron: status |
Triaged |
In Progress |
|
2016-01-14 06:57:59 |
yujie |
bug |
|
|
added subscriber yujie |
2016-01-15 03:18:36 |
OpenStack Infra |
neutron: assignee |
Jakub Libosvar (libosvar) |
Brian Haley (brian-haley) |
|
2016-01-20 18:29:16 |
Armando Migliaccio |
neutron: milestone |
mitaka-2 |
mitaka-3 |
|
2016-01-28 12:55:13 |
OpenStack Infra |
neutron: assignee |
Brian Haley (brian-haley) |
Jakub Libosvar (libosvar) |
|
2016-02-17 22:15:11 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Released |
|
2016-11-15 20:59:56 |
Margaret Frances |
bug |
|
|
added subscriber Margaret Frances |
2017-08-30 06:40:22 |
zoushilin |
bug |
|
|
added subscriber zoushilin |