Security groups with OpenvSwitch?

Hi all,

In our virtual environment (OpenNebula on Ubuntu hosts with OpenvSwitch set up) I’m currently working on setting up a DMZ. This should eventually encorporate all VMs in the DMZ having a separate virtual network NIC attached which is using a rather restrictive different security group in ONE.

Is support for security groups with OpenvSwitch planned or should I reconsider this idea?



Currently the support to filter flows in openflow is not as flexible as in
iptables. The only supported filtering is based on single port rules. We
plan to include a subset of the security group spec for openvswtich. Other
alternatives would include to pass the ovs traffic through a linux bridge
and apply the rules there, but we are not keen to this kind of traffic

So if openvswitch is a requirement for your setup and you can live with
simple port based rules and can wait for 5.0 go for secgroups… If not you
can either build a firewall appliance and control the rules outside
OpenNebula or move to linux bridges.



Hi Ruben,

thanks for the quick reply! Good to hear the OVS support will be improved in 5.0. If I got it right the port based rules have to be set in the VM template, right? So they are not tied to a vnet but to VM templates?

The reason why we chose OVS was that it supports LACP and 802.1Q out of the box.

Yes in 4.x series those are set in the VM

Are you sure security groups for OpenvSwitch made it into the 5.0 release? The 5.0 docs still say security groups are not supported in the OVS driver :frowning:
(Good to hear we now have dynamic secgroups tho!)

I am using Linux bridging until ovs is fully supported with security groups

On which ONE version?

5.0.1. I have not tried it in this version because the docs says it is not fully working

And are you using VLAN tagging for different virtual networks? LACP? (These were some of the reasons for me to choose OVS)

Yes, using lacp