Comment 7 for bug 1112912

Nachi Ueno (nati-ueno) wrote : Re: get_firewall_required should use VIF parameter from quantum

Hi Akihiro, Daniel

@Daniel,
We changed the parameter a little bit:

vif_security: {
    require_securitygroup: boolean  # If True, Quantum does not provide the security group feature and Nova is required to provide the security group feature,
    prevent_spoofing: boolean  # If True, Nova is required to set up IP/MAC spoofing filters (Quantum does not provide it). get_firewall_required() in libvirt/vif.py is expected to return True,
    require_iptables: boolean  # If True, Nova needs to make sure iptables works. If a bridge is
}

@Akihiro
I agree with you. Maybe this dynamic configuration may not be in G.
However, we should have the function, so IMO it is good to update the Quantum side first
(or maybe we should wait to add the parameter).

IMO prevent_spoofing is for both (a) rules to allow DHCP/RA packets and (b) rules to prevent IP/MAC spoofing.
The reason is that allowing only Quantum's DHCP/RA server is for DHCP/RA spoofing, so IMO both (a) and (b) are for preventing spoofing.