New Question

neutron-ovs-agent and security groups

asked 2017-01-12 14:45:57 +0200

mario-sommer gravatar image

Does neutron-ovs-agent with OVS 2.6 support security groups? I can't find anything except for the "enablesecuritygroup=false" line in the blogpost. What would be the correct firewall_driver value?

edit retag flag offensive close merge delete

4 answers

Sort by » oldest newest most voted

answered 2017-01-13 01:29:52 +0200

abalutoiu gravatar image

updated 2017-01-13 01:31:34 +0200

Hello! Unfortunately it seems that you need the enhanced RPC support to use firewall_driver with neutron OVS agent. This was implemented in Mitaka, you can either upgrade your environment, either try to backport to mitaka this patch .

edit flag offensive delete link more

answered 2017-01-12 16:53:30 +0200

mario-sommer gravatar image

I tried both.

firewalldriver=neutron.plugins.hyperv.agent.securitygroups_driver.HyperVSecurityGroupsDriver leads to...

2017-01-12 15:38:49.619 9352 INFO neutron.agent.securitygroups_rpc [req-c0cbda72-00ef-4b68-b7e2-59a016bf74f8 - - - - -] Preparing filters for devices set([u'397417cc-b531-48bc-aa0c-78943d63542a', u'37a063ab-9bb2-4721-893b-b4fda26268ff'])
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-c0cbda72-00ef-4b68-b7e2-59a016bf74f8 - - - - -] Error while processing VIF ports
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\plugins\ml2\drivers\openvswitch\agent\", line 1756, in rpc_loop
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     ovs_restarted)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\plugins\ml2\drivers\openvswitch\agent\", line 1510, in process_network_ports
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     port_info.get('updated', set()))
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\", line 286, in setup_port_filters
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.prepare_devices_filter(new_devices)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\", line 142, in decorated_function
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     *args, **kwargs)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\", line 167, in prepare_devices_filter
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     security_groups, security_group_member_ips)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\", line 173, in _update_security_group_info
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     self.firewall.update_security_group_rules(sg_id, sg_rules)
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent   File "C:\Program Files (x86)\Cloudbase Solutions\OpenStack\Nova\Python27\lib\site-packages\neutron\agent\", line 118, in update_security_group_rules
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent     raise NotImplementedError()
2017-01-12 15:38:51.259 9352 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent NotImplementedError

With firewall_driver=openvswitch the agent doesn't even start

2017-01-12 15:36:04.611 5040 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-47dd3401-0bb9-4012-ae0f-0d45a46ff071 - - - - -] Empty module name Agent terminated!

I'm using Openstack Liberty and GRE Tunnels. Everything else works fine with Hyper-V and the OVS agent.

edit flag offensive delete link more

answered 2017-01-12 16:32:43 +0200

aserdean gravatar image

For OVS 2.5 you could use the following:


The above will use Windows ACL's (

For OVS 2.6 you have two options. One is the above and the other is:

firewall_driver = openvswitch

This will use conntrack from OVS. Small caveat it does not support IPv6 and also does not support IPv4 fragments.

Thanks, Alin.

edit flag offensive delete link more

answered 2017-01-12 17:52:33 +0200

abalutoiu gravatar image

The firewall_driver=openvswitch can only be used since the Mitaka release, please upgrade your environment to Mitaka or above to be able to use this option.

Regarding the first issue, I think you're missing this commit If that's the case, you need to add the commit on your Windows node. Here are the details on how you can achieve that:

git clone
cd networking-hyperv
git checkout liberty-eol
net stop neutron-ovs-agent
pip install .
net start neutron-ovs-agent
edit flag offensive delete link more


Still no luck with that. pip install said "Successfully installed networking-hyperv-1.0.5.dev5" and I see the new files under hyperv\neutron. But after restarting neutron-ovs-agent I still get the same NotImplementedError as before.

mario-sommer gravatar imagemario-sommer ( 2017-01-12 19:29:48 +0200 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-01-12 14:45:57 +0200

Seen: 884 times

Last updated: Jan 12 '17