Comment 10 for bug 1112912

Daniel Berrange (berrange) wrote : Re: get_firewall_required should use VIF parameter from quantum

Looking at these parameters:

vif_security: {
require_securitygroup : boolean # If True, Quantum does not provide security group feature and Nova requires to provide security group feature,
prevent_spoofing : boolean # If True, Nova requires to setup IP/MAC spoofing filters (Quantum does not provide it). get_firewall_required() in libvirt/vif.py is expected to return True,
require_iptables : boolean # If True, Nova needs to make sure iptables works. If a bridge is
}

I think the first two parameters should be inverted, i.e. rather than telling Nova what to do, they should describe what Quantum has done. I'd also suggest having separate params for IP & MAC spoofing (even if Quantum does provide both at the same time). E.g. I'd prefer to see something like this:

vif_security {
   has_securitygroup: boolean. True if Quantum has provided a security group.
   has_ip_spoofing: boolean. True if Quantum has enabled IP spoofing protection.
   has_mac_spoofing: boolean. True if Quantum has enabled MAC spoofing protection.
   require_iptables: boolean. True if Quantum requires support for iptables.
}