[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xenserver Iptables with openvswitch

One of the ideas I had is to hook on the vif creation (before the device is actually gets created) and to supply some kind of a veth device (instead of the tap).
By doing so, I will be able to apply iptables on one end of the veth, and connect to the ovs on the other.Â

The problem is that I'm having a hard time to locate the tap creation code in the xenserver (or xen) - maybe you'll be able to help me with that.



On Tue, May 20, 2014 at 11:50 AM, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
On Tue, 2014-05-20 at 11:24 +0300, Eddi Linder wrote:
> Hi,
> I am currently working on a datapath solution which will be located
> between vm interfaces and the br-int ovs.
> The idea is to implement something similar to the security groups in
> openstack - we want to install additional (TCP flag filter based)
> rules on the iptables on the linux bridges to mirror/redirect specific
> packets to our own hypervisor process.
> The scheme described on openstack's website shows that it uses a linux
> bridges for each interface in between the vm and the br-int ovs, and
> applies iptables rules on the interfaces connected to the bridge.
> http://docs.openstack.org/admin-guide-cloud/content/figures/10/a/common/figures/under-the-hood-scenario-1-ovs-compute.png
> When trying to deploy a similar solution on xenserver, we found out
> that linux bridges and openvswitch kernel modules cannot coexist on
> this specific hypervisor (it is simply not supported on old kernels
> like it has).
> So the question is, how did openstack implement the security groups on
> xenserver hosts, without using the default linux bridge kernel module?

This list is for the development of the upstream version of the Xen

XenServer is a separate project over at http://www.xenserver.org which
has its own lists etc where you will find people able to help with
XenServer problems. Although looking at the question perhaps you should
be asking the openstack (or perhaps openvswitch) folks instead/as well?


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.