Security Groups

Kilo - Kilo - Kilo - Kilo - Kilo - Kilo - Kilo - Kilo -

Use the following options in the configuration file for your driver to change security group settings.

Table 9.64. Description of security groups configuration options
Configuration option = Default value	Description
[SECURITYGROUP]
`defer_apply` = `True`	(BoolOpt) Enable defer_apply on security bridge.
`enable_ipset` = `True`	(BoolOpt) Use ipset to speed-up the iptables based security groups.
`enable_security_group` = `True`	(BoolOpt) Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the nova security group API.
`firewall_driver` = `None`	(StrOpt) Driver for security groups firewall in the L2 agent
`ovsvapp_firewall_driver` = `networking_vsphere.drivers.ovs_firewall.OVSFirewallDriver`	(StrOpt) DriverManager implementation for OVS based Firewall.
`security_bridge_mapping` = `br-sec`	(StrOpt) <security_bridge>:<phy_interface>

Note

	Note
Now Networking uses iptables to achieve security group functions. In L2 agent with `enable_ipset` option enabled, it makes use of IPset to improve security group's performance, as it represents a hash set which is insensitive to the number of elements. When a port is created, L2 agent will add an additional IPset chain to it's iptables chain, if the security group that this port belongs to has rules between other security group, the member of that security group will be added to the ipset chain. If a member of a security group is changed, it used to reload iptables rules which is expensive. However, when IPset option is enabled on L2 agent, it does not need to reload iptables if only members of security group were changed, it should just update an IPset.

Now Networking uses iptables to achieve security group functions. In L2 agent with enable_ipset option enabled, it makes use of IPset to improve security group's performance, as it represents a hash set which is insensitive to the number of elements.

When a port is created, L2 agent will add an additional IPset chain to it's iptables chain, if the security group that this port belongs to has rules between other security group, the member of that security group will be added to the ipset chain.

If a member of a security group is changed, it used to reload iptables rules which is expensive. However, when IPset option is enabled on L2 agent, it does not need to reload iptables if only members of security group were changed, it should just update an IPset.

Note

	Note
A single default security group has been introduced in order to avoid race conditions when creating a tenant's default security group. The race conditions are caused by the uniqueness check of a new security group name. A table `default_security_group` implements such a group. It has `tenant_id` field as a primary key and `security_group_id`, which is an identifier of a default security group. The migration that introduces this table has a sanity check that verifies if a default security group is not duplicated in any tenant.

A single default security group has been introduced in order to avoid race conditions when creating a tenant's default security group. The race conditions are caused by the uniqueness check of a new security group name. A table default_security_group implements such a group. It has tenant_id field as a primary key and security_group_id, which is an identifier of a default security group. The migration that introduces this table has a sanity check that verifies if a default security group is not duplicated in any tenant.

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

Legal notices