On Fri, Oct 31, 2014 at 10:23 AM, Gurucharan Shetty <shet...@nicira.com> wrote:
> On Fri, Oct 31, 2014 at 8:19 AM, Kyle Mestery <mest...@mestery.com> wrote:
>> On Fri, Oct 31, 2014 at 10:09 AM, Gurucharan Shetty <shet...@nicira.com>
>> wrote:
>>> On Thu, Oct 30, 2014 at 11:55 PM, FengYu LeiDian
>>> <fengyuleidian0...@gmail.com> wrote:
>>>> Hi, all
>>>>
>>>> Standard openstack has a Linux bridge on top of openvswitch bridge[1]
>>>> this Linux bridge is used to setup iptables rule to allow VM access
>>>> to the outside world, for example, allow VM port 22 access, so external
>>>> host could ssh to this VM.
>>>>
>>>> Can openvswitch bridge have the same mechanism to be allowed to set rules
>>>> as the same effort as that of iptables linux bridge?
>>> Yes. The controller that you use should be capable of adding openflow
>>> rules to do it.
>>>
>> That's not entirely true. We can't fully implement security groups
>> using OVS until we get this work [1] in. There was work to do security
>> groups using OpenFlow during the Icehouse/Juno timeframe, but the team
>> doing the work determined they could only do 70% of what the existing
>> SGs with iptables can do, so they've scrapped it until the work I
>> referenced is upstream and then back downstream into the distros.
> I see, thanks for correcting me. So "security group" in openstack
> includes support for stateful firewall?
>
Yes, have a peek at this (slightly out of date) wiki here [1] for more
info. The work on this is on hold as far as I know.

[1] https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver

>>
>> Thanks,
>> Kyle
>>
>> [1] http://openvswitch.org/pipermail/dev/2014-May/040567.html
>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> [1]:
>>>> http://docs.openstack.org/admin-guide-cloud/content/figures/14/a/a/common/figures/under-the-hood-scenario-1-ovs-compute.png
>>>>
>>>>
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss@openvswitch.org
>>>> http://openvswitch.org/mailman/listinfo/discuss