[Doc] Add section about diffs between ovs and iptables fw drivers
And add note about different handling of packets marked as INVALID by both those drivers.

Change-Id: I3d436289073e95312e5f5077acabd136266b9e8a
Closes-Bug: #1896587
parent 6ccfc34227
commit f57b59a179
@ -67,3 +67,25 @@ kernel modules at boot time, for example, ``/etc/modules``. Check with your
|
|||||||
distribution for further information.
|
distribution for further information.
|
||||||
|
|
||||||
This isn't necessary to use ``gre`` tunnel network type Neutron.
|
This isn't necessary to use ``gre`` tunnel network type Neutron.
|
||||||
|
|
||||||
|
Differences between OVS and iptables firewall drivers
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Both OVS and iptables firewall drivers should always behave in the same way if
|
||||||
|
the same rules are configured for the security group. But in some cases that is
|
||||||
|
not true and there may be slight differences between those drivers.
|
||||||
|
|
||||||
|
+----------------------------------------+-----------------------+-----------------------+
|
||||||
|
| Case | OVS | iptables |
|
||||||
|
+========================================+=======================+=======================+
|
||||||
|
| Traffic marked as INVALID by conntrack | Blocked | Allowed because it |
|
||||||
|
| but matching some of the SG rules | | first matches SG rule,|
|
||||||
|
| (please check [1]_ and [2]_ | | never reaches rule to |
|
||||||
|
| for details) | | drop invalid packets |
|
||||||
|
+----------------------------------------+-----------------------+-----------------------+
|
||||||
|
|
||||||
|
References
|
||||||
|
~~~~~~~~~~
|
||||||
|
|
||||||
|
.. [1] https://bugs.launchpad.net/neutron/+bug/1460741
|
||||||
|
.. [2] https://bugs.launchpad.net/neutron/+bug/1896587
|
||||||
|
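Review bot: The INVALID row in the new table records the difference but does not tell an operator what it means for a deployment. With the iptables driver, a packet that conntrack marks INVALID and that matches a security group rule is delivered to the instance, while the OVS driver blocks it, so the same security group gives different effective filtering depending on the driver. Consider adding a sentence under the table that says this explicitly and notes that switching drivers can change which traffic reaches instances. The opening paragraph also reads as contradicting itself ("should always behave in the same way" followed by "But in some cases that is not true"); something like "are expected to behave the same way for the same security group rules, with the exceptions listed below" would be clearer. Finally, "References" uses the same `~` adornment as the new section title, so it renders as a sibling section rather than as part of this one; if it is meant to belong to the differences section, a lower-level adornment or a plain footnote list directly under the table would keep [1] and [2] attached to it.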