Backlog #3250

Implement Security Groups for Open vSwitch

Added by Stefan Kooman about 5 years ago. Updated about 4 years ago.

Status: Pending
Start date: 10/20/2014
Priority: High
Due date:
Assignee: -
% Done:


Category: Drivers - Network
Target version: -


This will probably connect Open vSwitch with a central controller.

The original description of this issue:

The WHITE_PORTS_TCP (and probably _UDP too) rules do not get applied when a VM template with _only_ white ports gets instantiated:

VM in running state, dump of openflow rules on hypervisor:

ovs-ofctl dump-flows uplink

NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=317492.877s, table=0, n_packets=969597, n_bytes=95755656, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
 cookie=0x0, duration=282728.832s, table=0, n_packets=5941, n_bytes=501927, idle_age=32, hard_age=65534, priority=40000,in_port=3,dl_src=02:02:b9:3e:10:8d actions=NORMAL
 cookie=0x0, duration=282728.820s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=39000,in_port=3 actions=drop

There is no rule blocking all traffic _except_ the white port; all traffic is allowed.

template - vm_template_white_port_3389 (1.75 KB) Stefan Kooman, 10/20/2014 06:42 AM
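
An added audit example (not part of the original report or of OpenNebula's driver code): it parses `ovs-ofctl dump-flows` output and checks whether anything restricts traffic addressed to the VM's MAC. The allow/drop rule shape in the constructed dump (match on dl_dst and tp_dst) is an assumption for illustration; port 3389 comes from the attached template's name.

```python
import re

MAC = "02:02:b9:3e:10:8d"  # VM MAC, taken from the dl_src match in the report

# Flow dump exactly as reported in the issue.
REPORTED = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=317492.877s, table=0, n_packets=969597, n_bytes=95755656, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
 cookie=0x0, duration=282728.832s, table=0, n_packets=5941, n_bytes=501927, idle_age=32, hard_age=65534, priority=40000,in_port=3,dl_src=02:02:b9:3e:10:8d actions=NORMAL
 cookie=0x0, duration=282728.820s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=39000,in_port=3 actions=drop
"""

# Constructed for contrast: the reported dump plus a hypothetical allow/drop
# pair for TCP 3389 (assumed rule shape, not the driver's actual output).
FILTERED = REPORTED + """\
 cookie=0x0, table=0, priority=40000,tcp,dl_dst=02:02:b9:3e:10:8d,tp_dst=3389 actions=NORMAL
 cookie=0x0, table=0, priority=39000,dl_dst=02:02:b9:3e:10:8d actions=drop
"""

def parse_flow(line):
    """Split one dump-flows line into (match fields dict, actions string)."""
    head, _, actions = line.strip().partition(" actions=")
    match = {}
    for field in re.split(r",\s*", head):
        key, sep, value = field.partition("=")
        match[key.strip()] = value if sep else True  # bare keywords such as "tcp"
    return match, actions

def parse_dump(text):
    """Parse every flow line, skipping the NXST_FLOW reply header."""
    return [parse_flow(l) for l in text.splitlines() if " actions=" in l]

def inbound_filtered(flows, mac):
    """True if a flow above the priority=0 default drops traffic sent to mac."""
    return any(m.get("dl_dst") == mac and a == "drop"
               and int(m.get("priority", 32768)) > 0  # 32768: OpenFlow default
               for m, a in flows)

def allowed_tcp_ports(flows, mac):
    """TCP destination ports explicitly passed to mac by NORMAL flows."""
    return sorted(int(m["tp_dst"]) for m, a in flows
                  if m.get("dl_dst") == mac and "tcp" in m
                  and "tp_dst" in m and a.upper() == "NORMAL")

if __name__ == "__main__":
    for name, dump in (("reported", REPORTED), ("constructed", FILTERED)):
        flows = parse_dump(dump)
        print(name, inbound_filtered(flows, MAC), allowed_tcp_ports(flows, MAC))
```

On the reported dump the check returns False with no allowed ports listed: the only rules present filter on in_port/dl_src (outbound MAC spoofing), so traffic to the VM falls through to the priority=0 NORMAL flow.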

Related issues

Related to Feature #3175: Implement Security Groups Closed 11/28/2014
Duplicated by Feature #2033: Improve firewalling rules for OpenvSwitch Closed 05/13/2013


#1 Updated by Ruben S. Montero about 5 years ago

#2 Updated by Ruben S. Montero about 5 years ago

This will be considered together with the security groups feature.

#3 Updated by Ruben S. Montero almost 5 years ago

  • Tracker changed from Bug to Backlog
  • Subject changed from WHITE_PORTS_TCP Network Filtering with Open vSwitch does not work to Implement Security Groups for Open vSwitch
  • Description updated (diff)
  • Category set to Drivers - Network
  • Priority changed from Normal to High

Updating the issue considering the new security groups functionality

#4 Updated by Esteban Freire Garcia about 4 years ago

Hello all,

I would like to add that we (SURFsara) are also interested in implementing Security Groups for Open vSwitch. Please let us know if you need any information about it or if you need us to test anything on our OpenNebula test environment.

#5 Updated by Jaime Melis about 2 years ago

  • Duplicated by Feature #2033: Improve firewalling rules for OpenvSwitch added
