[RFE] NFTables Firewall Driver
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Triaged | Wishlist | Unassigned |
Bug Description
Nowadays, when using openvswitch-agent with security groups, we must use hybrid bridging, i.e. per instance we have both an OpenvSwitch bridge and a Linux bridge. The rationale behind this approach is to set filtering rules matching on the given Linux bridge.
The hybrid bridging looks like a workaround: it is slow, harder to debug, and makes things very complicated for NFV (especially instances running L2 bridge applications, DPDK for example)...
If you do not use OpenvSwitch and stick with Linux bridges only, you have a much simpler setup, no hybrid bridges and easier to debug; nevertheless, you still make use of tons of solutions, like for example:
* iptables;
* ip6tables;
* arptables;
* ebtables;
* ipset...
On the other hand, if we manage to create the nftables-
* nft.
Also, NFTables might work, as-is, for both Linux bridges and OpenvSwitch, without involving hybrid bridging! One single and elegant solution to solve all problems at once.
http://
http://
Not to mention that with NFTables we can have native NAT66 (which I dislike very much, but it is there; NAT is an ugly workaround to deal with IPv4 exhaustion and has nothing to do with IPv6), which might help us to create Floating IPv6 using the very same approach as Floating IPv4. Please keep in mind that a Floating IPv6 using NAT66 is very, very bad, and it should be disabled by default. A better Floating IPv6 can be designed without any kind of NAT.
Plus, with NFTables, we might create something like Suricata-
https:/
So, a Neutron nftables-
Time to move to NFTables!
Cheers!
Thiago
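To make the "one tool instead of iptables + ip6tables + ebtables + ipset" argument concrete, here is an added example nftables ruleset (not part of the RFE and not Neutron code) sketching what a security-group filter plus anti-spoofing for one instance port could look like. The port name `tap0`, the set names, the MAC and the addresses are all assumed for illustration; Neutron's real rule layout would differ.

```nft
# Added example, not from the RFE or from Neutron. All names and addresses
# below (tap0, sg_web_*, 52:54:00:12:34:56, 10.0.0.10, 2001:db8::10) are
# assumed placeholders for one instance port.

# One "inet" table handles IPv4 and IPv6 together, replacing the separate
# iptables and ip6tables rule sets.
table inet neutron_sg {
    # Named sets replace ipset: remote prefixes allowed by security group "web".
    set sg_web_remote_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24, 192.0.2.0/24 }
    }
    set sg_web_remote_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/64 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful return traffic, one rule for both address families.
        ct state established,related accept
        ct state invalid drop

        # Dispatch traffic heading into the instance port to its own chain.
        oifname "tap0" jump sg_tap0
    }

    chain sg_tap0 {
        # Ingress rules of security group "web": TCP 80/443 from set members.
        ip saddr @sg_web_remote_v4 tcp dport { 80, 443 } accept
        ip6 saddr @sg_web_remote_v6 tcp dport { 80, 443 } accept

        # Keep IPv6 neighbour discovery and basic ICMP working.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        icmp type echo-request accept

        # Anything not matched by a security-group rule is dropped.
        drop
    }
}

# A "bridge" family table covers what ebtables/arptables did: reject frames
# leaving the instance port with a MAC or IP it does not own.
table bridge neutron_spoof {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        iifname "tap0" ether saddr != 52:54:00:12:34:56 drop
        iifname "tap0" arp saddr ether != 52:54:00:12:34:56 drop
        iifname "tap0" ip saddr != 10.0.0.10 drop
        iifname "tap0" ip6 saddr != 2001:db8::10 ip6 saddr != fe80::/10 drop
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`. One caveat a practitioner should keep in mind: the `inet` forward hook only sees frames that are merely bridged (not routed) when br_netfilter is loaded and `net.bridge.bridge-nf-call-iptables=1`; otherwise the L3 filtering for bridged ports must live in the `bridge` family as well. Whether this works on OpenvSwitch ports without a hybrid bridge is exactly the question this RFE raises, and the ruleset above does not answer it.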
Changed in neutron:
importance: Undecided → Wishlist
Changed in neutron:
milestone: mitaka-2 → mitaka-3
summary: NFTables Firewall Driver → [RFE] NFTables Firewall Driver
tags: removed: rfe
This sounds good. What's the distribution support like for NFT?