[RFE] Grouping remote_ip_prefix by ipset
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Won't Fix
|
Wishlist
|
Unassigned |
Bug Description
This RFE is requesting a feature for grouping IP addresses of remote_ip_prefix using ipset to improve network performance.
[Background]
To allow access from/to specific IP address, remote_ip_prefix can be used in security group rule. This is used for:
o To allow access from/to machines which is outside OpenStack environment.
o To allow access between datacenter in multi-site environment.
[Existing problem]
For the usage above, We have to specify IP address(CIDR) as remote_ip_prefix one by one and the number of security group rules are increased. It caused performance degradation of network.
We had the same problem about remote_group_id and it is solved by enable_ipset feature[1]. This feature improves network performance by grouping IP addresses which belong to the same security group. I want to extend this feature for remote_ip_prefix.
[Proposal]
To solve the problem above, I propose the following feature.
1) Introduce new feature to group many CIDRs into one set and specify the set as remote_ip_prefix collectively.
2) Improve neutron and L2 agent so that L2 agent updates iptables using ipset for this set of CIDRs.
By this feature, we can reduce the number of security group rules when many remote_ip_prefix is used.
When we specify IP address to allow access, we need to do like this:
neutron security-
neutron security-
neutron security-
...
Therefore many security group rules are generated and it causes degradation of network performance. I propose new feature to group these CIDRs into one set and specify this set as remote_ip_prefix.
And then, L2 agent converts this CIDR set to the ipset group and apples it to iptables. This is the same manner as converting remote_group_id to ipset group.
[1]
https:/
Changed in neutron: | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
Changed in neutron: | |
assignee: | nobody → Takao Indoh (tindoh) |
Changed in neutron: | |
assignee: | Takao Indoh (tindoh) → nobody |
I must be missing something but the IP consolidation may happen even without making API changes. Are you sure that this is a degradation problem worth fixing? Do you have hard data that shows evidence of performance degradation at scale?