[RFE] Support stateless firewall
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | | Wishlist | Tom Stappaerts |
Bug Description
Neutron currently only provides stateful security groups. The rules of these security groups are then configured in a stateful manner.
The goal of this RFE is to support stateless security groups. Analogous to stateful security groups, all rules of a stateless security group will be implemented as stateless. The statefulness of a security group can be modified only if it has no associated ports. By default, security groups are stateful.
For some use cases, this statelessness will allow operators to opt for optimized datapath performance, whereas stateful security groups impose extra processing on the system. On the downside, operators need to provision security group rules for ingress and egress to their exact intent, as reverse traffic is no longer automatically allowed.
The motivation for defining statefulness/
From an API point of view, a new boolean attribute `stateful` will be added to security groups, defaulting to True. When the attribute is set to False, a stateless security group is created. As this attribute will be persisted, alembic migration is needed. Currently existing security groups will all be set to stateful during the alembic migration.
The following OpenStack components will need to be modified when implementing this feature:
- neutron: implementing stateless security groups and unit tests
- python-
- python-
- horizon: adding the new security group attribute
- heat: adding a resource property
We will implement and verify this feature for OVS/iptables.
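The description above states the two things a practitioner has to get right with a stateless group: the API attribute (`stateful`, defaulting to True) and the fact that reply traffic is no longer admitted automatically. The following is an added example, not Neutron's code or the submitter's prototype. It models a group's rules with a small conntrack-style evaluator for the stateful case and a plain rule match for the stateless case, replays a constructed SSH handshake against both, and builds the request bodies for the standard Neutron REST endpoints (`POST /v2.0/security-groups` and `/v2.0/security-group-rules`). The attribute name `stateful` is taken from the RFE text; the addresses, port numbers and the `StatefulGroup`/`StatelessGroup` helpers are this example's own assumptions. As in Neutron, a rule's port range matches the packet's destination port in both directions, which is why a stateless group needs an egress rule covering the client's ephemeral port range.

```python
"""Stateful vs stateless security-group evaluation (added example, not
Neutron code). Neutron semantics reproduced here: rule port ranges match
the packet's destination port; remote_ip_prefix matches the source of an
ingress packet and the destination of an egress packet."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Subset of a Neutron security group rule."""
    direction: str                   # "ingress" (to the port) or "egress" (from it)
    protocol: Optional[str] = None   # None means any protocol
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: str = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if not rule.port_min <= pkt.dst_port <= hi:
            return False
    remote = pkt.src_ip if pkt.direction == "ingress" else pkt.dst_ip
    return ip_address(remote) in ip_network(rule.remote_ip_prefix)


def flow_key(pkt: Packet) -> Tuple:
    # Normalized 5-tuple so both directions of one connection share a key.
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.protocol, ends[0], ends[1])


class StatefulGroup:
    """A packet that matches a rule opens a connection; afterwards both
    directions of that connection pass without consulting the rules
    (a simplified model of what conntrack does for the iptables driver)."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.conntrack = set()

    def allows(self, pkt: Packet) -> bool:
        key = flow_key(pkt)
        if key in self.conntrack:
            return True
        if any(rule_matches(r, pkt) for r in self.rules):
            self.conntrack.add(key)
            return True
        return False


class StatelessGroup:
    """Every packet must match a rule on its own: no reverse-traffic shortcut."""
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def allows(self, pkt: Packet) -> bool:
        return any(rule_matches(r, pkt) for r in self.rules)


def ssh_session(group) -> Tuple[bool, bool]:
    """Replay a constructed SSH handshake (client 203.0.113.5 -> VM 10.0.0.7).
    Returns (SYN admitted, SYN-ACK reply admitted)."""
    syn = Packet("ingress", "tcp", "203.0.113.5", "10.0.0.7", 51515, 22)
    synack = Packet("egress", "tcp", "10.0.0.7", "203.0.113.5", 22, 51515)
    return group.allows(syn), group.allows(synack)


# Enough for a stateful group: allow inbound SSH only.
SSH_IN = [Rule("ingress", "tcp", 22, 22)]
# What a stateless group additionally needs: reply packets carry the
# client's ephemeral port as destination port, so that range must be open.
EPHEMERAL_OUT = Rule("egress", "tcp", 1024, 65535)


def stateless_sg_request(name: str, rules: List[Rule]) -> Tuple[Dict, List[Dict]]:
    """Body for POST /v2.0/security-groups with the RFE's `stateful`
    attribute set to False, plus one /v2.0/security-group-rules body per
    rule (the group's id is filled in once the group exists)."""
    sg = {"security_group": {"name": name, "stateful": False}}
    rule_bodies = [{"security_group_rule": {
        "direction": r.direction, "ethertype": "IPv4", "protocol": r.protocol,
        "port_range_min": r.port_min, "port_range_max": r.port_max,
        "remote_ip_prefix": r.remote_ip_prefix}} for r in rules]
    return sg, rule_bodies


if __name__ == "__main__":
    print("stateful, ingress tcp/22 only:", ssh_session(StatefulGroup(SSH_IN)))
    print("stateless, ingress tcp/22 only:", ssh_session(StatelessGroup(SSH_IN)))
    print("stateless + ephemeral egress:",
          ssh_session(StatelessGroup(SSH_IN + [EPHEMERAL_OUT])))
```

Note that Neutron adds allow-all egress rules to every newly created security group, so the reply in the SSH case is only dropped once an operator tightens egress; the point of the example is that in a stateless group every tightening of one direction has to be checked against the replies it silently cuts off in the other.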
Changed in neutron:
assignee: nobody → Giel Dops (nuage.gieldops)
Giel Dops (nuage.gieldops) wrote : | #2 |
I was not aware of this actually. This RFE has been in the pipeline since before the PTG last week.
tags: added: fwaas sg-fw
tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Miguel Lavalle (minsel) wrote : | #3 |
Yes, we discussed stateless firewalling with the FWaaS team in Dublin on Friday morning. The FWaaS team is on board with it. I think this should be one effort.
tags: added: rfe-confirmed removed: rfe
We had a brief discussion about this RfE in the weekly FWaaS meetings as well (http://
I am also curious if we actually need that functionality in SG if we would add it to FWaaS.
I was wondering the same thing. Should this extension be implemented as a part of SG or FWaaS?
I have created a summary of the feature and the possible approaches I can think of (https:/
I am of the opinion that this should be implemented as a part of FWaaS.
Miguel Lavalle (minsel) wrote : | #6 |
@Giel,
Any feedback as to whether you are on board with pursuing this in the context of FWaaS?
Miguel Lavalle (minsel) wrote : | #7 |
Stateless firewall is already being implemented by the Firewall team. Since we haven't heard from the submitter of this RFE, we will assume that approaching this from the FWaaS side is acceptable
tags: added: rfe-triaged removed: rfe-confirmed
Miguel Lavalle (minsel) wrote : | #8 |
This RFE was discussed during today's drivers meeting. We agreed to continue it as part of FWaaS. With that, the RFE is approved.
summary: [RFE] Support stateless security groups → [RFE] Support stateless firewall
tags: added: rfe-approved removed: rfe-triaged
Kris Sterckx (krissterckx) wrote : | #9 |
Hi @minsel,
Apologies for the late response. I am replying on behalf of Giel, who left the team; Giel's leaving caused the delay in our response.
At Nuage/Nokia we believe that, as long as Security Groups are not deprecated in OpenStack, it would make sense to support statelessness for Security Groups as well.
If you're interested in what we did and in sharing progress with one another, we could upload a patchset for a prototype implementation that we have in the meantime. We had some questions about how to deal with mixing stateless and stateful SGs on a given port, though, hence initially we thought of disallowing that at the API (as a baseline implementation).
Let me know your thoughts.
Again, apologies for the late reply.
Kris
Kris Sterckx (krissterckx) wrote : | #10 |
Hi
Please look at https:/
It has at this stage been manually tested.
Also, at this stage one can't combine stateful and stateless SGs on the same port.
Thanks
Nguyen Phuong An (annp) wrote : | #11 |
Hi Kris,
From my understanding, I'd suggest you implement stateless firewall in FWaaS V2; then combining stateful and stateless on the same port is resolved, because a firewall group can coexist with a security group at port level.
[1]http://
Fix proposed to branch: master
Review: https:/
Changed in neutron:
assignee: Giel Dops (nuage.gieldops) → aditya_reddy.nagaram@nuagenetworks.net (adityarn)
status: Confirmed → In Progress
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit f470973446e8ef9
Author: Aditya Reddy Nagaram <email address hidden>
Date: Tue Nov 26 12:46:10 2019 +0100
add "stateful-
commit adds "stateful-
neutron-lib for implementing stateless security groups.
Needed-By: https:/
Partial-Bug: #1753466
Change-Id: I72addb21b7515d
Tom Stappaerts (tstappae) wrote : | #14 |
Hi everyone, with the fullstack tests and the CLI commands merged, I regard this RFE as implemented now. Please let me know if there are any concerns.
Changed in neutron:
status: In Progress → Fix Committed
assignee: aditya_reddy.nagaram@nuagenetworks.net (adityarn) → Tom Stappaerts (tstappae)
Bernard Cafarelli (bcafarel) wrote : | #15 |
As discussed in Victoria PTG, I created separate LP bugs to add OVS firewall and OVN support:
https:/
https:/
LIU Yulong (dragon889) wrote : | #16 |
Is anyone going to implement stateless security groups for the ml2 OVS backend without iptables?
The introduction of stateless firewalling (much like ACLs) was discussed at the Rocky PTG. Are you aware of this? There is interest in this as an addition to the FWaaS sub-component of Neutron; however, the extension of security groups was not discussed.