neutron

[RFE] L3 - netfilter Contrack Helper Support

Bug #1823633 reported by Harald Jensås on 2019-04-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Wishlist	Harald Jensås

Bug Description

OS distributions started to disable the nf_conntrack_helper functionality by default. (Ubuntu Bionic) Without the nf_conntrack_helper traffic such as tftp and other protocols that require a nf_conntrack module will not work. (This became apparent with Openstack Ironic which uses tftp transfer boot images during Pre Boot Execution (PXE) stopped working.)

Deactivating the automatic conntrack helper assignment is better security practice, ref:
https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

This RFE is for adding support in Neutron to configure protocol specific CT target rules. This was discussed in meeting[1] 2019-03-20 with consensus on adding an L3 extension.

[1] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2019-03-20.log.html#t2019-03-20T14:47:08

See original description

Tags:

Slawek Kaplonski (slaweq) on 2019-04-08

Changed in neutron:
importance:	Undecided → Wishlist

Miguel Lavalle (minsel) on 2019-04-12

tags:

added: rfe-triaged
removed: rfe

Revision history for this message

Miguel Lavalle (minsel) wrote on 2019-04-12:

This RFE was approved by the drivers today, with the assumption that the behavior will be the same for all distros

tags:

added: rfe-approved
removed: rfe-triaged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-04-21: Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/650271
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=c6b907a2cfa9626260348f07284206ab87e5712d
Submitter: Zuul
Branch: master

commit c6b907a2cfa9626260348f07284206ab87e5712d
Author: Harald Jensås <email address hidden>
Date: Thu Apr 4 02:12:34 2019 +0200

L3 Conntrack Helper Extension

    Introduces a new API extension exposing conntrack_helpers
    field in Router response. The extension requires the
    ``router`` and ``conntrack_helper`` service plugin.

Related-Bug: #1823633
Change-Id: I55d659c47f3e9a65af78509fbd63416373a501f3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-05-21: Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/650269
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3ab7878384b2c2738baead86919dd77821b53807
Submitter: Zuul
Branch: master

commit 3ab7878384b2c2738baead86919dd77821b53807
Author: Harald Jensås <email address hidden>
Date: Tue Mar 26 13:41:17 2019 +0100

Conntrack Helper - OVO and db script

    Implements the conntrack helper OVO and db layer code.
    - New object 'ConntrackHelper'
    - New db model
    - migration db script

Related-Bug: #1823633
Change-Id: I0d9c039b260845b6544eccf63f5a2ffaa929120b

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-06-05: Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/663446

Harald Jensås (harald-jensas) on 2019-06-05

description:	updated
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-06-10: Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/663446
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=7a0a41b90447a1b739d9da0f3498ca0916d0a315
Submitter: Zuul
Branch: master

commit 7a0a41b90447a1b739d9da0f3498ca0916d0a315
Author: Harald Jensås <email address hidden>
Date: Wed Jun 5 23:06:39 2019 +0200

Add conntrack helper to parent resource mapping

For policy to work router must map to the conntrack
helper service plug-in.

Related-Bug: #1823633
Change-Id: Ib4e0c412e1e20f5148c11a909c549413859e1bc9

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-15: Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670836

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-15:

Related fix proposed to branch: master
Review: https://review.opendev.org/670837

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-18: Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/671528

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-19: Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/671528
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=6d9f9e2841edcf3a92bbcba7f7a45d9d464a14ee
Submitter: Zuul
Branch: master

commit 6d9f9e2841edcf3a92bbcba7f7a45d9d464a14ee
Author: Harald Jensås <email address hidden>
Date: Thu Jul 18 19:08:51 2019 +0200

Fix - L3 Conntrack Helper validator

    'type:string' is validated by length, the definition was
    passing in validators.validate_string instead of a number.
    In python3 this causes a TypeError:
     '>' not supported between instances of 'int' and 'function'

Set the length to 64, matching the db model:
https://opendev.org/openstack/neutron/src/branch/master/neutron/db/models/conntrack_helper.py#L32

Related-Bug: #1823633
Change-Id: Idd9b442a30de294ce3fc97069cadba4457d746ab

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-08-30: Related fix merged to neutron (master)

#10

Reviewed: https://review.opendev.org/650270
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=16679e9700b68b1bc64072751dd3b38b38492546
Submitter: Zuul
Branch: master

commit 16679e9700b68b1bc64072751dd3b38b38492546
Author: Harald Jensås <email address hidden>
Date: Wed Mar 27 19:44:43 2019 +0100

Conntrack Helper - Plugin

    Implements Conntrack Helper service plugin for conntrack
    helper resources. Supports create, update and delete
    conntrack helper for l3 routers.

    A new configuration option:
      [l3-conntrack-helpers]/allowed_conntrack_helpers
    introduced to allow the operator to configure CT
    helpers, and the helper protocol constraints.

    Related-Bug: #1823633
    Depends-On: https://review.opendev.org/663446
    Change-Id: I58193955261f50b18b1946261fe662da6b20f0f5

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-16:

#11

Reviewed: https://review.opendev.org/670836
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2c095811afa8a66b30fa8cf34831b83fcb873fe6
Submitter: Zuul
Branch: master

commit 2c095811afa8a66b30fa8cf34831b83fcb873fe6
Author: Harald Jensås <email address hidden>
Date: Thu Mar 28 13:54:05 2019 +0100

L3 Conntrack Helper - Release Note

The releasenote for the L3 Conntrack helper extension.

Related-Bug: #1823633
Change-Id: I4fe429f7fd938f428fa80d2d51deb755c9c59c91

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-16:

#12

Reviewed: https://review.opendev.org/670837
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6c99bf195200422d6db4e8307f5a2e61c2242dc1
Submitter: Zuul
Branch: master

commit 6c99bf195200422d6db4e8307f5a2e61c2242dc1
Author: Harald Jensås <email address hidden>
Date: Thu Jun 13 22:06:26 2019 +0200

Add l3 conntrack helper to devstack plugin

This commit adds possibility to configure L3 conntrack_helper
service plugin and l3 extension with devstack plugin.

Related-Bug: #1823633
Change-Id: Ie96ff80f1c296c40ec2cd82c8d917a8bb262b12e

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26: Related fix merged to neutron-tempest-plugin (master)

#13

Reviewed: https://review.opendev.org/662874
Committed: https://git.openstack.org/cgit/openstack/neutron-tempest-plugin/commit/?id=c9782faa9a5dda329b6c2c13457350548a652f27
Submitter: Zuul
Branch: master

commit c9782faa9a5dda329b6c2c13457350548a652f27
Author: Harald Jensås <email address hidden>
Date: Mon Jun 3 22:35:41 2019 +0200

Add tests for L3 conntrack helper

API tests for L3 Conntrack Helper plugin.

    Related-Bug: #1823633
    Depends-On: https://review.opendev.org/670837
    Change-Id: Ie085100f508f7a1cdb0fd4efbcffa1e2b485fbba

Harald Jensås (harald-jensas) on 2019-09-26

Changed in neutron:
assignee:	nobody → Harald Jensås (harald-jensas)
status:	New → Incomplete
status:	Incomplete → In Progress
status:	In Progress → Fix Committed

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2022-10-26

Changed in neutron:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.