ML2PortSecurityExtensionDriver is working

OpenStack Kilo finally adds the ML2PortSecurityExtensionDriver, which makes NFV experiments in OpenStack much easier, because they often need traffic to pass through a VM.

The latest OpenStack Kilo port-security specification is here:
http://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html
The latest OpenStack Kilo port-security configuration guide is here:
https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver

The port-security code is as follows:

from neutron.api import extensions
from neutron.api.v2 import attributes
from neutron.common import exceptions as nexception


class PortSecurityPortHasSecurityGroup(nexception.InUse):
    message = _("Port has security group associated. Cannot disable port "
                "security or ip address until security group is removed")


class PortSecurityAndIPRequiredForSecurityGroups(nexception.InvalidInput):
    message = _("Port security must be enabled and port must have an IP"
                " address in order to use security groups.")


class PortSecurityBindingNotFound(nexception.InvalidExtensionEnv):
    message = _("Port does not have port security binding.")

# Name of the attribute this extension adds to networks and ports.
PORTSECURITY = 'port_security_enabled'
EXTENDED_ATTRIBUTES_2_0 = {
    'networks': {
        # Networks default to port security enabled.
        PORTSECURITY: {'allow_post': True, 'allow_put': True,
                       'convert_to': attributes.convert_to_boolean,
                       'enforce_policy': True,
                       'default': True,
                       'is_visible': True},
    },
    'ports': {
        # Ports have no fixed default: ATTR_NOT_SPECIFIED marks the value
        # as unset in the request.
        PORTSECURITY: {'allow_post': True, 'allow_put': True,
                       'convert_to': attributes.convert_to_boolean,
                       'default': attributes.ATTR_NOT_SPECIFIED,
                       'enforce_policy': True,
                       'is_visible': True},
    }
}


class Portsecurity(extensions.ExtensionDescriptor):
    """Extension class supporting port security."""

    @classmethod
    def get_name(cls):
        return "Port Security"

    @classmethod
    def get_alias(cls):
        return "port-security"

    @classmethod
    def get_description(cls):
        return "Provides port security"

    @classmethod
    def get_updated(cls):
        return "2012-07-23T10:00:00-00:00"

    def get_extended_resources(self, version):
        if version == "2.0":
            return EXTENDED_ATTRIBUTES_2_0
        else:
            return {}

Add the following configuration to /etc/neutron/plugins/ml2/ml2_conf.ini:

[Figure: screenshot of the ml2_conf.ini configuration]

Create a new network as follows:
neutron net-create net2 --port-security-enabled=False
neutron subnet-create net2 6.6.6.0/24 --enable-dhcp=False --name subnet2

port-security is now False, so from now on the iptables rules no longer need to be deleted.
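How the attributes and exception messages in the code above combine, as an added example that is not neutron's own code: a simplified model in which a port with no explicit port_security_enabled takes its network's value, and security groups require port security plus an IP address. All function names, the PortSecurityError class and the sample data are hypothetical.

```python
# Added example: a simplified model of the rules, not neutron code.
ATTR_NOT_SPECIFIED = object()  # stand-in for attributes.ATTR_NOT_SPECIFIED


class PortSecurityError(Exception):
    """Hypothetical stand-in for the nexception subclasses on the page."""


def effective_port_security(network, port):
    """A port without an explicit value takes its network's value."""
    value = port.get("port_security_enabled", ATTR_NOT_SPECIFIED)
    if value is ATTR_NOT_SPECIFIED:
        return network.get("port_security_enabled", True)  # network default
    return bool(value)


def validate_port(network, port):
    """Apply the constraint stated in the exception messages."""
    enabled = effective_port_security(network, port)
    if port.get("security_groups"):
        if not enabled or not port.get("fixed_ips"):
            raise PortSecurityError(
                "Port security must be enabled and port must have an IP "
                "address in order to use security groups.")
    return enabled


def audit(networks, ports):
    """Return ids of ports running without port security filtering."""
    by_id = {n["id"]: n for n in networks}
    return [p["id"] for p in ports
            if not validate_port(by_id[p["network_id"]], p)]


# Constructed sample data mirroring the post: net2 has port security off.
NETWORKS = [{"id": "net1", "port_security_enabled": True},
            {"id": "net2", "port_security_enabled": False}]
PORTS = [
    {"id": "p1", "network_id": "net1", "security_groups": ["default"],
     "fixed_ips": ["10.0.0.5"]},
    {"id": "p2", "network_id": "net2"},  # no explicit value: inherits False
    {"id": "p3", "network_id": "net2", "port_security_enabled": True,
     "security_groups": ["default"], "fixed_ips": ["6.6.6.10"]},
]

if __name__ == "__main__":
    print("ports without port security:", audit(NETWORKS, PORTS))
```

Ports reported by audit() are the ones to review, since they carry no security-group filtering.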

Next, install Floodlight and OpenDaylight.

The whole picture is as follows:

[Figure 1: ML2PortSecurityExtensionDriver is working]
