Re: Security Groups implementation

Vishal Thapar <vishal.thapar@...>

Hi Aswin,

Just to be clear, by stateless use cases do you mean you're using neither TCP Flags nor Learn action and require user to explicitly configure Ingress SG Rules to allow traffic?

Default SG behaviour is to allow all egress and block all ingress traffic; ingress here refers to connections originating outside. A truly stateless implementation won't be able to support this and will require explicit ingress SG rules to allow ingress traffic for connections originating from the VM/port.

Is my assumption correct?

Regards,
Vishal.

P.S.: This is an example of a pseudo-stateful firewall that works with the default SG behaviour by learning return-traffic rules:

https://github.com/stackforge/networking-vsphere/blob/master/networking_vsphere/drivers/ovs_firewall.py
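To make the distinction above concrete, here is an added toy model (not code from this thread, from ODL, or from networking-vsphere) of a per-port packet filter under the default SG of "allow all egress, no ingress rules". The stateless variant judges every packet only against the configured rules; the pseudo-stateful variant mimics an OVS learn action by installing a reverse 5-tuple entry whenever an egress packet is allowed. The IP addresses, ports and the `Rule`/`Packet` types are constructed for the example; the learn action is modelled abstractly as a set of reverse tuples rather than as real OpenFlow.

```python
"""Stateless vs. pseudo-stateful (learn-based) security-group filtering, constructed example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A minimal 5-tuple; frozen so it can be stored in a set of learned flows."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        # The return direction of this flow (what a learn action would install).
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    """One SG rule: protocol ('any' matches everything) and destination port (None = any)."""
    proto: str
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return self.proto in ("any", pkt.proto) and self.port in (None, pkt.dst_port)


class StatelessFilter:
    """Every packet is judged on its own against the rule lists; no memory of flows."""

    def __init__(self, ingress_rules, egress_rules):
        self.ingress = list(ingress_rules)
        self.egress = list(egress_rules)

    def egress_allowed(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.egress)

    def ingress_allowed(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.ingress)


class LearningFilter(StatelessFilter):
    """Pseudo-stateful: an allowed egress packet installs a reverse-flow entry,
    so replies to VM-originated connections pass without an explicit ingress rule."""

    def __init__(self, ingress_rules, egress_rules):
        super().__init__(ingress_rules, egress_rules)
        self.learned = set()  # reverse 5-tuples installed by the "learn" step

    def egress_allowed(self, pkt: Packet) -> bool:
        ok = super().egress_allowed(pkt)
        if ok:
            self.learned.add(pkt.reverse())  # constructed analogue of the learn action
        return ok

    def ingress_allowed(self, pkt: Packet) -> bool:
        return pkt in self.learned or super().ingress_allowed(pkt)


# Default SG: allow all egress, no ingress rules at all.
DEFAULT_EGRESS = [Rule("any")]
DEFAULT_INGRESS = []

# Constructed traffic: the VM opens a connection to a web server, the server replies,
# and an unrelated outside host tries to open SSH to the VM.
VM_IP, EXT_IP = "10.0.0.5", "203.0.113.10"
OUTBOUND_SYN = Packet(VM_IP, 40000, EXT_IP, 80)
RETURN_SYNACK = Packet(EXT_IP, 80, VM_IP, 40000)
UNSOLICITED_SSH = Packet("198.51.100.7", 51000, VM_IP, 22)


def simulate(fw: StatelessFilter) -> dict:
    """Run the three constructed packets through a filter and report each verdict."""
    return {
        "vm_outbound": fw.egress_allowed(OUTBOUND_SYN),
        "return_traffic": fw.ingress_allowed(RETURN_SYNACK),
        "unsolicited_inbound": fw.ingress_allowed(UNSOLICITED_SSH),
    }


if __name__ == "__main__":
    print("stateless:", simulate(StatelessFilter(DEFAULT_INGRESS, DEFAULT_EGRESS)))
    print("learning :", simulate(LearningFilter(DEFAULT_INGRESS, DEFAULT_EGRESS)))
    # With an explicit ingress rule for tcp/22 the unsolicited SSH is admitted by either design.
    print("learning+ssh rule:", simulate(LearningFilter([Rule("tcp", 22)], DEFAULT_EGRESS)))
```

Under the default SG the stateless filter drops the server's SYN-ACK, which is exactly why it would need an explicit ingress rule for the ephemeral port range, while the learning filter admits it because the egress SYN installed the reverse entry. The model keeps learned entries forever and keys them only on the 5-tuple, so it does not track TCP state or age entries out; real learn-based implementations add idle timeouts, and the lack of genuine connection tracking is the gap that conntrack support in OVS was expected to close.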

-----Original Message-----
From: ovsdb-dev-bounces@... [mailto:ovsdb-dev-bounces@...] On Behalf Of Suryanarayanan, Aswin
Sent: 09 July 2015 12:54
To: ovsdb-dev@...
Subject: Re: [ovsdb-dev] Security Groups implementation

Hi Vishal,

Yes, we are working on the provider in net-virt. The Neutron part is done, but we have to port it to MD-SAL.

Currently we are working with stateless use cases and trying to achieve OpenStack parity for that. As I understand it, OVS 2.4 may support conn-track capabilities; we may have to wait for this to achieve the stateful use cases.

Thanks,
Aswin
----------------------------------------

Date: Thu, 9 Jul 2015 06:12:42 +0000
From: Vishal Thapar <vishal.thapar@...>
To: "neutron-dev@..."
<neutron-dev@...>,
"ovsdb-dev@..." <ovsdb-dev@...>
Subject: [ovsdb-dev] Security Groups implementation
Message-ID:
<060FBE8F9E4A26488766FF6E902B43430F6BCD52@...>
Content-Type: text/plain; charset="us-ascii"

Hi,

I was looking for some information on the SG implementation in ODL. My understanding is that the provider in net-virt is in progress while NeutronNorthbound part of it is complete. Is this correct?

I was working with Amir on OVS Firewall during Icehouse/Juno before it got pushed back till conntrack support was available in OVS. My question is about the ODL implementation in-progress now, is it based off conntrack, or does it use one of the earlier approaches [TCP flags or Learn]?

I didn't find anything in wiki outlining the design of SG implementation. Could anyone shed any light on these?

Regards,
Vishal.
