OVS plugin security filtering
Registered by: dan wendlandt
OVS does not play nicely with ebtables + iptables. Thus, mechanisms that rely on ebtables and iptables for filtering (e.g., security groups and the basic limiting of VM spoofing handled by nova) won't work correctly. One strategy would be to use a different approach to vif-plugging in nova, one that plugs each vif into its own instance of the linux bridge, which would then be "uplinked" to an OVS bridge that does the tunneling. Another, more complex strategy would be to try to re-implement this same filtering in OVS.
Blueprint information
- Status: Complete
- Approver: dan wendlandt
- Priority: Medium
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Not started
- Milestone target: None
- Started by:
- Completed by: dan wendlandt
Whiteboard
Currently this is being handled by the hybrid vif driver.