Bug 1367678 - [RFE] [Neutron] [OSP-director] Add support for OVS conntrack firewall_driver
Summary: [RFE] [Neutron] [OSP-director] Add support for OVS conntrack firewall_driver
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 10.0 (Newton)
Assignee: Brent Eagles
QA Contact: Eran Kuris
Depends On:
Blocks: 1310654 1325685 1479026
TreeView+ depends on / blocked
Reported: 2016-08-17 08:38 UTC by Nir Yechiel
Modified: 2017-08-07 18:40 UTC (History)
13 users (show)

Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost
Doc Type: Enhancement
Doc Text:
This enhancement adds `NeutronOVSFirewallDriver`, a new parameter for configuring the Open vSwitch (OVS) firewall driver in Red Hat OpenStack Platform director. This was added because the neutron OVS agent supports a new mechanism for implementing security groups: the 'openvswitch' firewall. `NeutronOVSFirewallDriver` allows users to directly control which implementation is used: `hybrid` - configures neutron to use the old iptables/hybrid based implementation. 'openvswitch' - enables the new flow-based implementation. The new firewall driver includes higher performance and reduces the number of interfaces and bridges used to connect guests to the project network. As a result, users can more easily evaluate the new security group implementation.
Clone Of:
Last Closed: 2016-12-14 15:51:54 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 357556 None None None 2016-08-19 00:42:45 UTC
Red Hat Bugzilla 1385341 None CLOSED [RFE] [Neutron] OVS firewall driver - full support with kernel based OVS 2019-07-02 10:57:15 UTC

Internal Links: 1385341

Description Nir Yechiel 2016-08-17 08:38:50 UTC
This firewall requires OVS 2.5+ version supporting conntrack and kernel conntrack datapath support (kernel>=4.3). For more information, see hhttps://review.openstack.org/#/c/249337/

Configuration required: 

in openvswitch_agent.ini - securitygroup section - set firewall_driver to openvswitch

Comment 2 Nir Yechiel 2016-09-10 10:31:16 UTC
Patch is now merged in upstream Newton.

Comment 6 Toni Freger 2016-11-07 10:27:08 UTC
I have updated virt/network/network-environment.yaml before overcloud deployment with  NeutronOVSFirewallDriver: "openvswitch" .
The firewall driver after installation changed to  "firewall_driver = openvswitch" /etc/neutron/plugins/ml2/openvswitch_agent.ini as it supposed to be.

Controller and Compute on top of RHEL release 7.3

All following tests succeeded to run on this setup: 	

Comment 7 Assaf Muller 2016-11-07 16:20:34 UTC
Brent as far as documentation I think we can make do with a doctext here on this RHBZ that would explain how to enable the feature.

Comment 10 errata-xmlrpc 2016-12-14 15:51:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.