Allow connection tracking to be disabled per-port
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Won't Fix | Wishlist | Unassigned | |
Bug Description
This RFE is being raised in the context of this use case https:/
OpenStack implements levels of per-VM security protection (security groups, anti-spoofing rules). If you want to deploy a trusted VM which itself is providing network security functions, as with the above use case, then it is often necessary to disable some of the native OpenStack protection so as not to interfere with the protection offered by the VM or use excessive host resources.
Neutron already allows you to disable security groups on a per-port basis. However, the Linux kernel will still perform connection tracking on those ports. With default Linux config, VMs will be severely scale-limited without specific host configuration of connection tracking limits - for example, a Session Border Controller VM may be capable of handling millions of concurrent TCP connections, but a default host won't support anything like that. This bug is therefore an RFE to request that disabling security group function for a port further disables kernel connection tracking for IP addresses associated with that port.
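As an added illustration of what "disable connection tracking for the addresses of a port" means at the host level (this is example code written for this page, not Neutron code or an implementation of the RFE): the netfilter `raw` table lets an operator mark traffic to and from a given address with `CT --notrack` before conntrack sees it. The helper below takes the fixed IPs of a trusted port and emits the `iptables`/`ip6tables` rules for both directions; it only builds the commands, it does not run them, and the chain name and the assumption that bridged VM traffic traverses `PREROUTING` on this host are the example's own.

```python
"""Build raw-table NOTRACK rules for the fixed IPs of a trusted port.

Example code for this RFE discussion, not part of Neutron. Assumes an
iptables/ip6tables host where VM traffic reaches the raw PREROUTING chain
(e.g. br_netfilter enabled), which is an assumption of this example.
"""
import ipaddress
import shlex
from typing import List


def notrack_rules(fixed_ips: List[str], chain: str = "PREROUTING") -> List[List[str]]:
    """Return iptables/ip6tables argv lists that exempt each address from conntrack.

    One rule per direction (-s and -d) per address, so neither inbound nor
    outbound flows for the trusted VM consume nf_conntrack entries.
    Invalid addresses raise ValueError instead of producing a broken rule.
    """
    rules: List[List[str]] = []
    seen = set()
    for raw in fixed_ips:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on garbage input
        if addr in seen:  # a port may list the same address twice; emit once
            continue
        seen.add(addr)
        tool = "ip6tables" if addr.version == 6 else "iptables"
        for match in ("-s", "-d"):
            rules.append([tool, "-t", "raw", "-A", chain, match, str(addr), "-j", "CT", "--notrack"])
    return rules


def delete_rules(rules: List[List[str]]) -> List[List[str]]:
    """Mirror of notrack_rules: same rules with -A swapped for -D, for cleanup
    when the port is deleted or security groups are re-enabled."""
    return [[("-D" if tok == "-A" else tok) for tok in rule] for rule in rules]


def render(rules: List[List[str]]) -> str:
    """Render argv lists as one shell-safe command per line."""
    return "\n".join(shlex.join(rule) for rule in rules)


if __name__ == "__main__":
    # Constructed sample: fixed IPs one might see on a dual-stack port.
    port_fixed_ips = ["10.0.0.5", "fd00:0:0:1::5"]
    print(render(notrack_rules(port_fixed_ips)))
```

Note that these rules only stop new conntrack entries from being created; flows that were already tracked stay in the table until they expire, so `nf_conntrack_count` does not drop immediately after adding them.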
tags: | added: sg-fw |
Changed in neutron: | |
importance: | Undecided → Wishlist |
tags: | added: api |
Changed in neutron: | |
status: | New → Confirmed |
tags: | added: loadimpact |
tags: | removed: api |
Changed in neutron: | |
status: | Confirmed → Triaged |
tags: | removed: ovs-fw |
I am not sure I understand the use case here. Neutron allows you to disable port security and remove security groups on the port. If the Linux kernel gets in the way, it doesn't seem like it's Neutron's job to fiddle with the kernel. Shouldn't the system management tool be in a better position to disable connection tracking? What exactly are you looking for? Unloading conntrack modules?