[RFE] L3 - netfilter Conntrack Helper Support

Bug #1823633 reported by Harald Jensås on 2019-04-08
Affects: neutron
Importance: Wishlist
Assigned to: Unassigned

Bug Description

OS distributions started to disable the nf_conntrack_helper functionality by default (Ubuntu Bionic). Without the nf_conntrack_helper, traffic such as tftp and other protocols that require a nf_conntrack module will not work. (This became apparent when OpenStack Ironic, which uses tftp to transfer boot images during Pre Boot Execution (PXE), stopped working.)

Deactivating the automatic conntrack helper assignment is better security practice, ref:
https://github.com/regit/secure-conntrack-helpers/blob/master/secure-conntrack-helpers.rst

This RFE is for adding support in Neutron to configure protocol specific CT target rules. This was discussed in meeting[1] 2019-03-20 with consensus on adding an L3 extension.

[1] http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2019-03-20.log.html#t2019-03-20T14:47:08
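As an added example (not from this bug report or from Neutron's own code), here is what the explicit, per-protocol CT helper rules look like that replace the automatic assignment the description refers to: the helper is attached only to the configured protocol/port in the raw table, and only RELATED flows opened by that specific helper are accepted. The netns argument and the rule layout are assumptions modelled on how an L3 agent would apply rules inside a router namespace.

```shell
#!/bin/sh
# Added example, not Neutron code. Emits the explicit CT helper rules that
# replace sysctl net.netfilter.nf_conntrack_helper=1 for one protocol/port.
# Usage: ct_helper_rules <tcp|udp> <port> <helper> [netns]
# With a netns argument (assumption: a qrouter-* namespace) the commands are
# prefixed with 'ip netns exec <ns>' so they apply inside that router.
ct_helper_rules() {
    proto=$1; port=$2; helper=$3; ns=${4:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    ipt="iptables"
    if [ -n "$ns" ]; then ipt="ip netns exec $ns iptables"; fi
    # Raw table: bind the helper to exactly this protocol/port, nothing else.
    echo "$ipt -t raw -A PREROUTING -p $proto --dport $port -j CT --helper $helper"
    echo "$ipt -t raw -A OUTPUT -p $proto --dport $port -j CT --helper $helper"
    # Filter table: accept RELATED flows only when this helper created them,
    # instead of a blanket '--ctstate RELATED -j ACCEPT'.
    echo "$ipt -A INPUT -m conntrack --ctstate RELATED -m helper --helper $helper -j ACCEPT"
}
```

Piping the output to `sh` applies the rules; the tftp case from the description is `ct_helper_rules udp 69 tftp`.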

Changed in neutron:
importance: Undecided → Wishlist
Miguel Lavalle (minsel) on 2019-04-12
tags: added: rfe-triaged
removed: rfe
Miguel Lavalle (minsel) wrote:

This RFE was approved by the drivers today, with the assumption that the behavior will be the same for all distros

tags: added: rfe-approved
removed: rfe-triaged

Reviewed: https://review.opendev.org/650271
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=c6b907a2cfa9626260348f07284206ab87e5712d
Submitter: Zuul
Branch: master

commit c6b907a2cfa9626260348f07284206ab87e5712d
Author: Harald Jensås <email address hidden>
Date: Thu Apr 4 02:12:34 2019 +0200

    L3 Conntrack Helper Extension

    Introduces a new API extension exposing conntrack_helpers
    field in Router response. The extension requires the
    ``router`` and ``conntrack_helper`` service plugin.

    Related-Bug: #1823633
    Change-Id: I55d659c47f3e9a65af78509fbd63416373a501f3

Reviewed: https://review.opendev.org/650269
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3ab7878384b2c2738baead86919dd77821b53807
Submitter: Zuul
Branch: master

commit 3ab7878384b2c2738baead86919dd77821b53807
Author: Harald Jensås <email address hidden>
Date: Tue Mar 26 13:41:17 2019 +0100

    Conntrack Helper - OVO and db script

    Implements the conntrack helper OVO and db layer code.
    - New object 'ConntrackHelper'
    - New db model
    - migration db script

    Related-Bug: #1823633
    Change-Id: I0d9c039b260845b6544eccf63f5a2ffaa929120b
