neutron

RFE: Security Rules should support VRRP protocol

Bug #1475717 reported by German Eichberger on 2015-07-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Wishlist	Sreekumar S	neutron mitaka-3 "m3"

Bug Description

We are following http://blog.aaronorosen.com/implementing-high-availability-instances-with-neutron-using-vrrp/ to set up two "service vms" as an active-standby pair using VRRP for the Octavia project. While doing so we noticed that all VRRP packets were blocked and the protocol is not supported by the current security groups. Since that will gain more momentum with the NFV story we propose to add this additional protocol to security groups.

Tags:

Revision history for this message

Kyle Mestery (mestery) wrote on 2015-07-17:

Seems reasonable to me. Following the new decoder ring process, moving the state to "Triaged" and you can move forward with implementation.

Changed in neutron:
status:	New → Triaged
milestone:	none → liberty-3
importance:	Undecided → Low

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-17: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/203173

Changed in neutron:
assignee:	nobody → German Eichberger (german-eichberger)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-28: Change abandoned on neutron (master)

Change abandoned by Kyle Mestery (<email address hidden>) on branch: master
Review: https://review.openstack.org/203173
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2015-08-31: Re: Security Rules should support VRRP protocol

It looks like there's no actual loss of functionality without this fix. VRRP can be enabled, but it would be nice to do so by just using its well-known name.

Changed in neutron:
importance:	Low → Wishlist
status:	In Progress → New
milestone:	liberty-3 → none

Revision history for this message

Li Ma (nick-ma-z) wrote on 2015-09-05:

Hello, are you still working on this bug?

Revision history for this message

German Eichberger (german-eichberger) wrote on 2015-09-06:

As I said in my patch we found another way to do it and stopped working on it. Feel free to resurrect the patch and fix the problems highlighted..

Li Ma (nick-ma-z) on 2015-09-07

Changed in neutron:
assignee:	German Eichberger (german-eichberger) → Li Ma (nick-ma-z)

Revision history for this message

Li Ma (nick-ma-z) wrote on 2015-09-07:

OK, I will work on this spec.

summary:

- Security Rules should support VRRP protocol
+ RFE: Security Rules should support VRRP protocol

Revision history for this message

Li Ma (nick-ma-z) wrote on 2015-09-07:

So, is this rfe accepted? I wonder.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2015-09-29:

If we go forward with this, let's just map all of the protocols right now so we don't keep doing them one at a time as people want them.

Revision history for this message

Kyle Mestery (mestery) wrote on 2015-09-29:

#10

Approved, though we may want to fold in adding support for protocols other than just VRRP.

Changed in neutron:
status:	New → Triaged

Armando Migliaccio (armando-migliaccio) on 2015-10-07

tags:

added: rfe-approved
removed: rfe

Revision history for this message

Li Ma (nick-ma-z) wrote on 2015-10-22:

#11

In the current implementation, all the protocol parameters are defined as individual constant in the codebase:

https://github.com/openstack/neutron/blob/master/neutron/common/constants.py#L119

and only tcp/udp/icmp/icmp6 are respected.

When we map all the necessary protocols, I don't suggest to follow the original implementation by defining lots of individual constants. Instead, a map is given to hold all these constants as follows:

PROTOCOL_MAP = {
'tcp': 6, 'udp': 17, 'icmp': 1, 'icmpv6': 58, ...
}

Any comments on this refactor? Do I need to propose a blueprint to discuss with it?

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2015-10-22:

#12

How's that gonna differ? Besides, using the map will make you lose the string literals that can prevent accidental typos. I'd say stick with what we got, but no, you don't need to propose a blueprint for this.

Revision history for this message

Li Ma (nick-ma-z) wrote on 2015-10-23:

#13

OK, I will stick with the constants. This rfe is proposed for VRRP protocol. As stated before, it is suggested to work on all the protocols. It is exhausting and I'm not sure which protocol is welcomed.

Here I select some popular IP protocols defined as RFC from the list [1] . I'd appreciated any suggestions.

ICMP
IGMP
TCP
EGP
UDP
IPv6
IPv6-route
IPv6-flag
RSVP
GRE
ESP
AH
IPv6-ICMP
IPv6-NoNxt
IPv6-Opts
OSPF
VRRP
PGM
L2TP
VRRP

[1] https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

Armando Migliaccio (armando-migliaccio) on 2015-11-20

Changed in neutron:
milestone:	none → mitaka-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-02: Fix proposed to neutron (master)

#14

Fix proposed to branch: master
Review: https://review.openstack.org/252155

Changed in neutron:
status:	Triaged → In Progress

Armando Migliaccio (armando-migliaccio) on 2015-12-03

Changed in neutron:
milestone:	mitaka-1 → mitaka-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-17: Related fix proposed to neutron-lib (master)

#15

Related fix proposed to branch: master
Review: https://review.openstack.org/259037

Armando Migliaccio (armando-migliaccio) on 2016-01-20

Changed in neutron:
milestone:	mitaka-2 → mitaka-3

OpenStack Infra (hudson-openstack) on 2016-01-22

Changed in neutron:
assignee:	Li Ma (nick-ma-z) → Sreekumar S (sreesiv)

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2016-01-28:

#16

status update: http://eavesdrop.openstack.org/meetings/neutron_drivers/2016/neutron_drivers.2016-01-28-22.20.log.txt

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-05: Fix merged to neutron (master)

#17

Reviewed: https://review.openstack.org/252155
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=592b548bb6720760efae4b10bec59e78a753f4d7
Submitter: Jenkins
Branch: master

commit 592b548bb6720760efae4b10bec59e78a753f4d7
Author: Li Ma <email address hidden>
Date: Wed Dec 2 10:30:22 2015 +0800

Add popular IP protocols for security group

    Add these additional protocols listed below to
    security groups brings convenience to operators
    on configuring these protocols. In addition, make
    the security group rules more readable.

    The added protocols are: ah, dccp, egp, esp, gre,
    ipv6-encap, ipv6-frag, ipv6-nonxt, ipv6-opts,
    ipv6-route, ospf, pgm, rsvp, sctp, udplite, vrrp.

A related patch is submitted to neutron-lib project:
https://review.openstack.org/259037

    DocImpact: You can specify protocol names rather than
    protocol number in API and CLI commands. I'll update
    the documentation when it is merged.

APIImpact

Change-Id: Iaef9b650449b4d9d362a59305c45e0aa3831507c
Closes-Bug: #1475717