[RFE] Support stateless firewall
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | Wishlist | Tom Stappaerts | |
Bug Description
Neutron currently only provides stateful security groups. The rules of these security groups are then configured in a stateful manner.
The goal of this RFE is to support stateless security groups. Analogous to stateful security groups, all rules of a stateless security group will be implemented as stateless. The statefulness of a security group can be modified only if it has no associated ports. By default, security groups are stateful.
For some use cases, statelessness lets operators opt for better datapath performance, since stateful security groups impose extra processing on the system. On the downside, operators must provision security group rules for both ingress and egress to match their exact intent, as reverse traffic is no longer allowed automatically.
The motivation for defining statefulness/
From an API point of view, a new boolean attribute `stateful` will be added to security groups, defaulting to True. When the attribute is set to False, a stateless security group is created. As this attribute will be persisted, an alembic migration is needed; all existing security groups will be set to stateful during that migration.
The following OpenStack components will need to be modified when implementing this feature:
- neutron: implementing stateless security groups and unit tests
- python-
- python-
- horizon: adding the new security group attribute
- heat: adding a resource property
We will implement and verify this feature for OVS/iptables.
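The following is an added example, not code from this RFE or from Neutron: a small model of what the `stateful` attribute changes (a stateful group admits replies of an already-accepted flow, a stateless group checks every packet against the rules) plus a lint that reports stateless rules whose reply traffic no other rule admits. Matching on destination port only, the rule/group field names and the ephemeral port range are simplifying assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EPHEMERAL = (1024, 65535)  # assumed destination-port range of tcp/udp replies

@dataclass(frozen=True)
class Rule:
    direction: str                                # "ingress" or "egress"
    protocol: str                                 # "tcp", "udp", "icmp", ...
    port_range: Optional[Tuple[int, int]] = None  # destination ports; None = any

@dataclass
class SecurityGroup:
    name: str
    stateful: bool = True                         # RFE default: stateful
    rules: List[Rule] = field(default_factory=list)

def _matches(rule: Rule, direction: str, protocol: str, port: Optional[int]) -> bool:
    if rule.direction != direction or rule.protocol != protocol:
        return False
    if rule.port_range is None or port is None:
        return True
    return rule.port_range[0] <= port <= rule.port_range[1]

def allowed(sg: SecurityGroup, direction: str, protocol: str,
            port: Optional[int] = None, reply: bool = False) -> bool:
    """Accept or drop one packet. `reply` marks a packet belonging to a flow
    that was already accepted in the opposite direction; only a stateful
    group lets connection tracking admit it without a matching rule."""
    if sg.stateful and reply:
        return True
    return any(_matches(r, direction, protocol, port) for r in sg.rules)

def _reply_covered(rev: Rule, r: Rule) -> bool:
    """Does rule `rev` admit the replies of traffic admitted by rule `r`?"""
    if rev.direction == r.direction or rev.protocol != r.protocol:
        return False
    if rev.port_range is None or r.protocol not in ("tcp", "udp"):
        return True
    return rev.port_range[0] <= EPHEMERAL[0] and rev.port_range[1] >= EPHEMERAL[1]

def missing_reverse(sg: SecurityGroup) -> List[Rule]:
    """Rules of a stateless group whose reply traffic no other rule admits
    (single-rule check; adjacent ranges are not merged)."""
    if sg.stateful:
        return []
    return [r for r in sg.rules if not any(_reply_covered(x, r) for x in sg.rules)]
```

Running `missing_reverse` on a group before flipping it to stateless shows which reverse-direction rules an operator still has to add.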
Changed in neutron:
assignee: nobody → Giel Dops (nuage.gieldops)
tags: added: fwaas sg-fw
tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
Changed in neutron:
status: Fix Committed → Fix Released
The introduction of stateless firewalling (much like ACLs) was discussed at the Rocky PTG. Are you aware of this? There is interest in this as an addition to the FWaaS sub-component of Neutron; however, the extension of security groups was not discussed.