Open vSwitch-based Security Groups: Open vSwitch Implementation of FirewallDriver
Purpose: To support the security groups extension in the OVS neutron agent through OVS flows, using the existing OVS library, with feature parity with the existing iptables-based implementations. In Icehouse, the existing openvswitch plugin is being deprecated, so the blueprint is compatible with the ML2 plugin with the openvswitch mechanism driver.
Current neutron.
Blueprint information
- Status: Complete
- Approver: Mark McClain
- Priority: Medium
- Drafter: Amir Sadoughi
- Direction: Approved
- Assignee: Amir Sadoughi
- Definition: Obsolete
- Series goal: None
- Implementation: Deferred
- Milestone target: next
- Started by:
- Completed by: Armando Migliaccio
Whiteboard
-Oct-19-
- 11/27/2013 (amir-sadoughi): Working on a first draft approach to upload by next week (with flat networks).
- 12/6/2013 (amir-sadoughi): Basic prototype working at https:/
- 12/13/2013 (amir-sadoughi): Discussed blueprint at this past Wednesday's ML2 meeting. Going to have a follow-up meeting on Monday <https:/
- 12/16/2013 (amir-sadoughi): Held blueprint IRC meeting http://
- 12/17/2013 (amir-sadoughi): Sent e-mail to openstack-dev ML to discuss potential security group API addition <http://
- 1/8/2014 (amir-sadoughi): Working on updating existing reviews 62129, 62130; Also, working on patch for "Firewall is invoked before local VLAN is assigned" described here: <https:/
- 2/11/2014 (amir-sadoughi): Move the series goal off of icehouse given the OVS release containing the necessary feature for this blueprint (tcp_flags in OVS 2.1.x) won't ship by code proposal deadline of 2/18; it's more likely to ship in March. <http://
- 4/3/2014 (amir-sadoughi): Re-opened work for blueprint now that juno-1 is open for development and OVS 2.1.0 is available.
- 4/27/2014 (amir-sadoughi): All previously existing patches have been restored/rebased. Also, blueprint re-filed under neutron-specs repo (WIP) <https:/
- 5/9/2014 (amir-sadoughi): Juno summit design session <http://
- 5/28/2014 (amir-sadoughi): blueprint under review in neutron-specs repo, implementation ongoing.
Gerrit topic: https:/
Addressed by: https:/
Added source-
Addressed by: https:/
Added --source-
Addressed by: https:/
Assign local VLANs before port filters
Addressed by: https:/
Add Open vSwitch cookie support to ovs_neutron_agent
Addressed by: https:/
Open vSwitch-based Security Groups: OVS FirewallDriver
29-May (mestery): Moving to Juno-2, the BP isn't approved yet and even if it was, code landing in less than two weeks for this is unrealistic.
- 6/13/2014 (amir-sadoughi): Postponing blueprint implementation until K-cycle. I don't think it will be possible to implement and have merged all the new requirements in the Juno timeframe given the current pace. With the K-cycle, we will have access to connection tracking in OVS and the number of changes surrounding the blueprint to get this done will be much fewer and less controversial.