migrate from iptables firewall to ovs firewall
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Fix Released
|
Low
|
norman shen | ||
Bug Description
Sorry this is actually a bug report but discussing for better clarification in document.
Currently, we are running iptables firewall in production and saw performance degrade thus
we plan to upgrade to ovs firewall in place. By reading the doc I found upgrading process is described
here https:/
I am interested in method 2 which quotes "plug the tap device into the integration bridge", since it does not
provide the command so I would like to ask how to actually perform it. I tried with
```console
# brctl delif qbrxxx tapxxx
# ovs-vsctl add-port br-int tapxxx
```
but it does not work because network appears to be disconnected.
Another question is that is there an option 4, such that ovs firewall could takes control of existing iptables firewalled port and later users could transition to ovs firewalls gradually.
Thank you.
| Changed in neutron: | |
| assignee: | nobody → norman shen (jshen28) |
| Oleg Bondarev (obondarev) wrote | #2 |
| Changed in neutron: | |
| status: | New → In Progress |
| importance: | Undecided → Low |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/neutron 18.0.0.0rc1 | #3 |
| Changed in neutron: | |
| status: | In Progress → Fix Released |
I think it should be mentioned there that during the upgrade from iptables_hybrid to ovs firewall driver, new firewall rules will work for old ports which are plugged using hybrid Linux bridge in the middle.
It won't work in the opposite direction migration obviously.
If You can, please propose patch to change documentation of that and link it here.