Guys,
Why not use NFTables, instead of OpenFlow Rules?
From what I'm seeing, a much better approach for managing Security Groups on OpenStack will be to get rid of "iptables", "ip6tables", "arptables", "ebtables", "ipset"... in favor of "nft".
It will work with OpenvSwitch too!
This way, a single framework, let's call it "nftables-firewall-driver" (instead of "ovs-firewall-driver"), might work for both OpenvSwitch and pure Linux Bridge deployments...
NFTables can also bring native NAT66 for a NAT-based IPv6 Floating IP (which I dislike very much, but it is there)...
What do you guys think?
http://people.netfilter.org/2014/wiki/index.php/List_of_presentations
http://people.netfilter.org/2014/wiki/images/0/04/NFWS2014-OVS%2Bconntrack.pdf
Cheers!
Thiago
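To make the "single framework" idea concrete, here is an added example (mine, not from the post above and not OpenStack or Neutron code) of what the proposed "nftables-firewall-driver" would have to do: translate Neutron-style security group rules into one nftables ruleset in the `inet` family, so a single table covers IPv4 and IPv6, anonymous nft sets stand in for ipset, and conntrack gives the stateful behaviour. The rule fields (direction, ethertype, protocol, port range, remote prefix), the port name `tap1234abcd`, the MAC and the fixed IPs are all constructed for the example; how the base chain is attached to bridged or OVS traffic is deployment-specific and is assumed here to be the `forward` hook.

```python
"""Generate an nftables (inet family) ruleset for one VM port from
security-group style rules. Example code, not Neutron's own driver."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SGRule:
    """One security group rule, seen from the VM's point of view (constructed)."""
    direction: str                       # "ingress" or "egress"
    ethertype: str                       # "IPv4" or "IPv6"
    protocol: Optional[str] = None       # "tcp", "udp", "icmp" or None for any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_prefix: Optional[str] = None  # CIDR, or None for any remote address


def rule_match(rule: SGRule) -> str:
    """Translate one rule into an nft match expression (no verdict)."""
    v4 = rule.ethertype == "IPv4"
    parts: List[str] = []
    if rule.remote_prefix:
        # ingress rules match the peer as source, egress rules as destination
        field = "saddr" if rule.direction == "ingress" else "daddr"
        parts.append(f"{'ip' if v4 else 'ip6'} {field} {rule.remote_prefix}")
    else:
        # no remote prefix: still pin the rule to the right IP version
        parts.append(f"meta nfproto {'ipv4' if v4 else 'ipv6'}")
    if rule.protocol in ("tcp", "udp"):
        if rule.port_min is None:
            parts.append(f"meta l4proto {rule.protocol}")
        elif rule.port_max is None or rule.port_max == rule.port_min:
            parts.append(f"{rule.protocol} dport {rule.port_min}")
        else:
            parts.append(f"{rule.protocol} dport {rule.port_min}-{rule.port_max}")
    elif rule.protocol == "icmp":
        parts.append("meta l4proto icmp" if v4 else "meta l4proto ipv6-icmp")
    return " ".join(parts)


def build_ruleset(port: str, mac: str, fixed_ips: List[str], rules: List[SGRule]) -> str:
    """Build a complete `nft -f` loadable ruleset for one port.

    Per-port chains hold the stateful filter plus anti-spoofing; a single
    forward base chain dispatches by interface name (assumed hook)."""
    ingress = [f"        {rule_match(r)} accept" for r in rules if r.direction == "ingress"]
    egress = [f"        {rule_match(r)} accept" for r in rules if r.direction == "egress"]
    v4_ips = [ip for ip in fixed_ips if ":" not in ip]
    # keep IPv6 link-local so neighbour discovery from the VM still works
    v6_ips = [ip for ip in fixed_ips if ":" in ip] + ["fe80::/10"]

    lines = [
        "table inet neutron_sg {",
        f"    chain {port}_ingress {{",
        "        ct state established,related accept",
        "        ct state invalid drop",
        "        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept",
        *ingress,
        "        drop",
        "    }",
        f"    chain {port}_egress {{",
        f"        ether saddr != {mac} drop",  # MAC anti-spoofing
    ]
    if v4_ips:
        lines.append(f"        ip saddr != {{ {', '.join(v4_ips)} }} drop")  # IPv4 anti-spoofing
    lines.append(f"        ip6 saddr != {{ {', '.join(v6_ips)} }} drop")  # IPv6 anti-spoofing
    lines += [
        "        ct state established,related accept",
        "        ct state invalid drop",
        *egress,
        "        drop",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        f'        oifname "{port}" jump {port}_ingress',
        f'        iifname "{port}" jump {port}_egress',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: allow SSH in from one management prefix, anything out
    sample_rules = [
        SGRule("ingress", "IPv4", "tcp", 22, 22, "192.0.2.0/24"),
        SGRule("ingress", "IPv6", "icmp"),
        SGRule("egress", "IPv4"),
        SGRule("egress", "IPv6"),
    ]
    print(build_ruleset("tap1234abcd", "fa:16:3e:00:00:01",
                        ["10.0.0.5", "2001:db8::5"], sample_rules))
```

The output is meant to be loaded atomically with `nft -f`, which is one of the practical advantages over a sequence of iptables/ebtables calls: the whole per-port ruleset either applies or is rejected. Whether bridged frames reach the `forward` hook at all depends on `br_netfilter` being loaded, and an OVS-based deployment would need a different attachment point, so the base chain here is an assumption to be adapted, not a recommendation for any particular plugin.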