[RFE] Support stateless firewall

The introduction of stateless firewalling (much like ACLs) was discussed at the Rocky PTG. Are you aware of this? There is interest in this as an addition to the FWaaS sub-component of Neutron however the extension of security groups was not discussed.

I was not aware of this actually. This RFE has been in the pipeline since before the PTG last week.

Yes, we discussed stateless firewalling with the FWaaS team in Dublin Friday morning. The FWaaS is on-board with it. I think this should be one effort

We had a brief discussion about this RfE in the weekly FWaaS meetings as well (http://eavesdrop.openstack.org/meetings/fwaas/2018/fwaas.2018-03-15-14.00.log.txt) and we would like to combine efforts as minsel suggested. Let's make sure we don't duplicate work.

I am also curious if we actually need that functionality in SG if we would add it to FWaaS.

I was wondering the same thing. Should this extension be implemented as a part of SG or FWaaS?

I have created a summary of the feature and the possible approaches I can think of (https://docs.google.com/document/d/1pWU5wSIlba7oixpKT8CSxpJnFCJt8zJj18c-mVE9uUM/edit?usp=sharing).

I am of the opinion that this should be implemented as a part of FWaaS.

@Giel,

Any feedback as to whether you are an on-board with pursuing this in the context of FWaaS?

Stateless firewall is already being implemented by the Firewall team. Since we haven't heard from the submitter of this RFE, we will assume that approaching this from the FWaaS side is acceptable

This RFE was discussed during today's drivers meeting. We agreed in continuing it as part of FWaaS. With that, the RFE is approved

Hi @minsel,

Apology for late response. Replying on behalf of Giel who left the team and Giel leaving caused the delay in our response.

At Nuage/Nokia we believe that as long as Security Groups are not deprecated in OpenStack, it would make sense the support statelessness for Security Groups as well.
If you're interested in what we did and share progress one to another, we could upload a patchset for a prototype implementation that we meanwhile have. We had some questions about how to deal with mixing stateless & stateful SG's on a given port though, hence initially we thought of disallowing that at the API (as a baseline implementation)

Let me know your thoughts.
Again, apology for late reply.

Kris

Hi

Please look at https://review.openstack.org/#/c/572767/ for what has been done by Nokia team so far wrt Stateless SG's.

It has at this stage been manually tested.

Also at this stage one can't combine stateful and stateless SG's on a same port.

Thanks

Hi Kris,

From my understanding, I'd suggest you implement stateless firewall in FWaaS V2, then combining stateful and stateless on a same port is resolved. Because firewall group can work co-existence with security group at port-level.

[1]http://superuser.openstack.org/articles/firewall-service-openstack/

Fix proposed to branch: master
Review: https://review.opendev.org/696070

Reviewed: https://review.opendev.org/696070
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=f470973446e8ef9b25f5a038c4c6f1fbd854f7a2
Submitter: Zuul
Branch: master

commit f470973446e8ef9b25f5a038c4c6f1fbd854f7a2
Author: Aditya Reddy Nagaram <email address hidden>
Date: Tue Nov 26 12:46:10 2019 +0100

    add "stateful-security-group" api extension

    commit adds "stateful-security-group" API extension to
    neutron-lib for implementing stateless security groups.

    Needed-By: https://review.opendev.org/572767

    Partial-Bug: #1753466

    Change-Id: I72addb21b7515d7120768c91e02660258959373e

Hi everyone, with the merge in of the fullstack tests and the CLI commands, I regard this RFE as implemented now. Please let me know if there are any concerns.

As discussed in Victoria PTG, I created separate LP bugs to add OVS firewall and OVN support:
https://bugs.launchpad.net/neutron/+bug/1885261
https://bugs.launchpad.net/neutron/+bug/1885262

Is there anyone going to implement ml2 OVS backend stateless security group without iptables?