Iptables implementation of Quantum SecurityGroup Extension (LinuxBridge)

Registered by Nachi Ueno on 2012-10-23

Scope: This bp implements an iptables version of the Quantum SecurityGroup Extension.
This bp targets the LinuxBridge plugin.
Use Cases: See https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
Implementation Overview:
See https://docs.google.com/presentation/d/1nXzNXKIfCfotdav5BzkceDiOfDypEkvtTfVXCGdq6rY/edit#slide=id.g33084527_0_60
Data Model Changes: N/A
Configuration variables: firewall_driver (value: package name): the driver that implements the firewall function
APIs:
RPC API update_port will be notified when a security group or security group rule is updated
firewall.py https://github.com/nttmcl/quantum/commit/4987b0ade5e130a38a397c40a81a9ddcfee1bf7a
Plugin Interface:
See https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
Required Plugin support:
The L2-agent should call the firewall module before plugging, updating, or unplugging a port.
Dependencies:
See https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
CLI Requirements: N/A
Horizon Requirements: N/A
Usage Example:
See https://blueprints.launchpad.net/quantum/+spec/quantum-security-groups
Test Cases: See https://docs.google.com/presentation/d/1nXzNXKIfCfotdav5BzkceDiOfDypEkvtTfVXCGdq6rY/edit#slide=id.g33084527_0_60

Blueprint information

Status: Complete
Approver: dan wendlandt
Priority: High
Drafter: Nachi Ueno
Direction: Needs approval
Assignee: Nachi Ueno
Definition: Review
Series goal: Accepted for grizzly
Implementation: Implemented
Milestone target: 2013.1
Started by: Nachi Ueno on 2012-11-05
Completed by: dan wendlandt on 2013-01-08

Whiteboard

Note: I changed the target of this BP to linuxbridge only.
OVS support will go to G2.

Gerrit topic: https://review.openstack.org/#q,topic:bp/quantum-security-groups-iptables,n,z

Addressed by: https://review.openstack.org/15156
    Import lockutils and fileutils from openstack-common (master)

Addressed by: https://review.openstack.org/16210
    Iptables security group implementation for LinuxBridge

Note this localrc is needed to run

LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver
Q_PLUGIN=linuxbridge

NOTE: Arosen's nova proxy code http://pastebin.com/cDBDD16k

[yong sheng gong] rules samples
https://docs.google.com/document/d/1hqcivTHnB7yrcs834CpM6XF6sUEdF98d0WGFctgtyMA/edit

Gerrit topic: https://review.openstack.org/#q,topic:bug/1095885,n,z

Gerrit topic: https://review.openstack.org/#q,topic:bp/quantum-security-groups-iptables-lb,n,z
