OpenNebula
Implement Security Groups for Open vSwitch
Author Name: Stefan Kooman (Stefan Kooman) Original Redmine Issue: 3250, https://dev.opennebula.org/issues/3250 Original Date: 2014-10-20
This will probably connect open vSwitch with a central controller.
The original description of this issue:
The WHITE_PORTS_TCP (and probably _UDP too) rules do not get applied when a VM template with _only_ white ports gets instantiated:
VM in running state, dump of openflow rules on hypervisor:
ovs-ofctl dump-flows uplink
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=317492.877s, table=0, n_packets=969597, n_bytes=95755656, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
cookie=0x0, duration=282728.832s, table=0, n_packets=5941, n_bytes=501927, idle_age=32, hard_age=65534, priority=40000,in_port=3,dl_src=02:02:b9:3e:10:8d actions=NORMAL
cookie=0x0, duration=282728.820s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=39000,in_port=3 actions=drop
There is no rule blocking all traffic _except_ the white port, all traffic is allowed.
Original Redmine Comment Author Name: Ruben S. Montero (@rsmontero) Original Date: 2014-10-24T11:42:49Z
This will be considered together with the security groups feature.
Original Redmine Comment Author Name: Ruben S. Montero (@rsmontero) Original Date: 2014-12-09T16:53:02Z
Updating the issue considering the new security groups functionality
Original Redmine Comment Author Name: Esteban Freire Garcia (Esteban Freire Garcia) Original Date: 2015-10-27T14:00:27Z
Hello all,
I would like to add that we (SURFsara) are also interested in implement Security Groups for Open vSwitch. Please, let us know if you need any information about it or if you need we test anything on our OpenNebula test environment.
As far as I'm concerned this would still be a nice addition to the OpenvSwitch (OVS) driver. According to OpenNebula architecture survey 2023 results almost 1/3 of all deployments use OVS.
