Open vSwitch-based Security Groups: Open vSwitch Implementation of FirewallDriver

Registered by Amir Sadoughi

Purpose: To support the security groups extension in the OVS neutron agent through OVS flows, using the existing OVS library, with feature parity to the existing iptables-based implementations. In Icehouse the existing openvswitch plugin is being deprecated, so the blueprint targets the ML2 plugin with the openvswitch mechanism driver.

Current neutron.agent.firewall.FirewallDriver implementations are based on iptables (neutron/agent/linux/: IptablesFirewallDriver, OVSHybridIptablesFirewallDriver). This blueprint describes implementing a FirewallDriver sub-class with Open vSwitch.
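As an added illustration of what "security groups through OVS flows" means in practice (this is not the blueprint's code), the snippet below turns Neutron security-group rule dicts, including the source_port_range_{min,max} fields this blueprint adds, into ovs-ofctl add-flow strings. The ofport/MAC parameters and the flow layout (ingress matched on dl_dst and output to the VM port, egress matched on in_port and sent to the normal pipeline) are simplifying assumptions, not the driver's actual table design.

```python
# Added illustration (not the blueprint's code): Neutron security-group rule
# dicts -> ovs-ofctl add-flow strings, incl. the source_port_range_* fields.
import itertools

ETHERTYPE = {"IPv4": ("ip", "nw_src", "nw_dst"),
             "IPv6": ("ipv6", "ipv6_src", "ipv6_dst")}


def port_masks(lo, hi):
    """Split the inclusive range [lo, hi] into (value, mask) pairs, since
    OpenFlow matches transport ports by value/mask rather than by range."""
    out = []
    while lo <= hi:
        size = 1  # grow the aligned block while it still fits in the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out


def _port_terms(field, lo, hi):
    return ["%s=%d" % (field, v) if m == 0xFFFF else "%s=0x%04x/0x%04x"
            % (field, v, m) for v, m in port_masks(lo, hi or lo)]


def rule_to_flows(rule, ofport, mac, priority=100):
    """Flow strings allowing traffic matching `rule` for the VM on OpenFlow
    port `ofport` with MAC `mac`: ingress is towards the VM (match dl_dst),
    egress is from it (match in_port); remote_ip_prefix is the peer side."""
    eth, src_f, dst_f = ETHERTYPE[rule["ethertype"]]
    ingress = rule["direction"] == "ingress"
    match = ["priority=%d" % priority,
             "dl_dst=%s" % mac if ingress else "in_port=%d" % ofport, eth]
    proto = rule.get("protocol")
    if proto:  # ovs-ofctl uses tcp6/udp6/icmp6 for the IPv6 variants
        match.append(proto + "6" if eth == "ipv6" else proto)
    if rule.get("remote_ip_prefix"):
        match.append("%s=%s" % (src_f if ingress else dst_f,
                                rule["remote_ip_prefix"]))
    # ICMP has no ports; TCP/UDP destination (port_range_*) and source
    # (source_port_range_*) ranges become masked matches, one flow per combo.
    ranges = [] if proto in (None, "icmp") else [
        ("tp_dst", rule.get("port_range_min"), rule.get("port_range_max")),
        ("tp_src", rule.get("source_port_range_min"),
         rule.get("source_port_range_max"))]
    terms = [_port_terms(f, lo, hi) for f, lo, hi in ranges if lo is not None]
    action = "actions=output:%d" % ofport if ingress else "actions=normal"
    return [",".join(match + list(combo) + [action])
            for combo in itertools.product(*terms)]
```

A range such as 1024-2047 collapses to a single masked match (tp_dst=0x0400/0xfc00), while an unaligned range like 1-3 needs one flow per aligned block, which is why rule counts in flow-based firewalls depend on how ranges are laid out.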

Blueprint information

Mark McClain
Amir Sadoughi
Amir Sadoughi
Series goal:
Milestone target:
Completed by
Armando Migliaccio


- Oct-19-2015 (armax): I guess we'll get to this eventually. But it looks like this may need to go through the process once again.

- 11/27/2013 (amir-sadoughi): Working on a first draft approach to upload by next week (with flat networks).
- 12/6/2013 (amir-sadoughi): Basic prototype working at <>. Re-writing a few things and working on a coherent document to explain design decisions and technical issues.
- 12/13/2013 (amir-sadoughi): Discussed blueprint at this past Wednesday's ML2 meeting. Going to have a follow-up meeting on Monday <>
- 12/16/2013 (amir-sadoughi): Held blueprint IRC meeting. Further discussion will continue on the openstack-dev mailing list due to lower than expected attendance.
- 12/17/2013 (amir-sadoughi): Sent e-mail to openstack-dev ML to discuss potential security group API addition <> <>
- 1/8/2014 (amir-sadoughi): Working on updating existing reviews 62129, 62130; Also, working on patch for "Firewall is invoked before local VLAN is assigned" described here: <>.
- 2/11/2014 (amir-sadoughi): Move the series goal off of icehouse given the OVS release containing the necessary feature for this blueprint (tcp_flags in OVS 2.1.x) won't ship by code proposal deadline of 2/18; it's more likely to ship in March. <>.
- 4/3/2014 (amir-sadoughi): Re-opened work for blueprint now that juno-1 is open for development and OVS 2.1.0 is available.
- 4/27/2014 (amir-sadoughi): All previously existing patches have been restored/rebased. Also, blueprint re-filed under neutron-specs repo (WIP) <>. Working with vthapar to have working implementation uploaded to Gerrit by summit (next few weeks).
- 5/9/2014 (amir-sadoughi): Juno summit design session <> this Thursday 11:50-12:30p. <>.
- 5/28/2014 (amir-sadoughi): blueprint under review in neutron-specs repo, implementation ongoing.

Gerrit topic: bp/ovs-firewall-driver

Addressed by:
    Added source-port-range-{min,max} to sec. groups

Addressed by:
    Added --source-port-range-min, --source-port-range-max

Addressed by:
    Assign local VLANs before port filters

Addressed by:
    Add Open vSwitch cookie support to ovs_neutron_agent

Addressed by:
    Open vSwitch-based Security Groups: OVS FirewallDriver

29-May (mestery): Moving to Juno-2, the BP isn't approved yet and even if it was, code landing in less than two weeks for this is unrealistic.
- 6/13/2014 (amir-sadoughi): Postponing blueprint implementation until K-cycle. I don't think it will be possible to implement and have merged all the new requirements in the Juno timeframe given the current pace. With the K-cycle, we will have access to connection tracking in OVS and the number of changes surrounding the blueprint to get this done will be much fewer and less controversial.
