Description of problem:
OVS can automatically set the proper iptables rule to allow for GRE tunnelling but the openvswitch init script doesn't enable it because "RHEL6 does not support OVS GRE tunneling yet". But actually, RDO does.

Version-Release number of selected component (if applicable):
openvswitch-1.11.0_8ce28d-1.el6ost.x86_64

How reproducible:
Always

Steps to Reproduce:
1. install openvswitch (from RDO Havana repo)
2. grep -i "gre " /etc/init.d/openvswitch

Actual results:
# RHEL6 does not support OVS GRE tunneling yet, do not add iptables GRE rule
# $ovs_ctl --protocol=gre enable-protocol

Expected results:
# RDO does support OVS GRE tunneling, do add iptables GRE rule
$ovs_ctl --protocol=gre enable-protocol

Additional info:
We do not want to open up GRE in the default policy. Upstream releases used to add a GRE ACCEPT by default when the service started, which is why we put the comment in there in the first place. Upstream has reverted that change since and requires manual enablement of the protocol. If at all, the firewall rule should be added by Neutron on demand. Bob, what do you think?
I agree the openvswitch user space should not automatically add iptables rules to open up GRE. For one thing, it cannot know how broadly to allow access (i.e. for source hosts from a specific subnet or set of subnets). I think the same reasoning applies to neutron's openvswitch-agent. Instead this should be handled by deployment tools such as packstack that know something about the overall deployment.
This setting should be demanded to the user based on the needs and cannot be demanded to packstack. I am closing it but I am open to discussion if needed.
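The comments above turn on the fact that only the deployer knows which source subnets should be allowed to send GRE. As an added example (not from this bug report or from openvswitch), the script below generates source-scoped GRE ACCEPT rules and refuses an unscoped entry; the function names and peer subnets are hypothetical, and inserting into `INPUT` with `-I` is an assumption about the host's chain layout.

```shell
#!/bin/sh
# Added example: print source-scoped iptables rules for GRE (IP protocol 47)
# instead of a blanket "-p gre -j ACCEPT". Rules are printed, not applied.

# Succeeds only for a well-formed IPv4 CIDR with a prefix length of 1..32,
# so 0.0.0.0/0 (any source) and bare addresses are rejected.
valid_peer_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints one ACCEPT rule per tunnel peer subnet. All arguments are validated
# first, so a single bad entry means no rules are emitted at all.
gre_rules() {
    [ $# -ge 1 ] || { echo "no peer subnets given" >&2; return 1; }
    for c in "$@"; do
        valid_peer_cidr "$c" || {
            printf 'refusing peer "%s": not a scoped IPv4 CIDR\n' "$c" >&2
            return 1
        }
    done
    for c in "$@"; do
        printf 'iptables -I INPUT -p gre -s %s -j ACCEPT\n' "$c"
    done
}

# Constructed sample peers (RFC 5737 documentation ranges).
gre_rules 192.0.2.0/24 198.51.100.16/28
```

Review the printed rules against the existing chain order before applying them, since `-I INPUT` places each rule at the top of the chain.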