Add stateless firewall support to OVS firewall

Bug #1885261 reported by Bernard Cafarelli
This bug affects 2 people
Affects: neutron
Status: Confirmed
Importance: Wishlist
Assigned to: LIU Yulong

Bug Description

In Ussuri, we added support for stateless firewall [1].

This added support for the stateful attribute in security groups, with needed parts in API extensions "stateful-security-group", database, ... [2]

However, implementation is currently only done for the iptables drivers; this limitation is noted in the release notes for the feature.

As proposed and discussed in the Victoria PTG [3], we should add support for this attribute in the OVS firewall driver (default in devstack, and also needed for hardware offload).

Most changes would be around skipping any parts involving conntrack. An implementation example also existed in networking-ovs-dpdk [4].

[1] https://bugs.launchpad.net/neutron/+bug/1753466
[2] https://review.opendev.org/#/c/572767/
[3] https://etherpad.opendev.org/p/neutron-victoria-ptg L162
[4] https://opendev.org/x/networking-ovs-dpdk/src/branch/stable/rocky/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py

Changed in neutron:
status: New → Confirmed
importance: Undecided → Wishlist
LIU Yulong (dragon889) wrote :

Is there anyone going to implement this?

LIU Yulong (dragon889) wrote :

OK, long time no response. I'm going to take over this. This could easily be accomplished with some mirrored code of [4].

[4] https://opendev.org/x/networking-ovs-dpdk/src/branch/stable/rocky/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py

Changed in neutron:
assignee: nobody → LIU Yulong (dragon889)
Lajos Katona (lajos-katona) wrote :

For reference I link here the logs from the Team meeting when we discussed the topic:
https://meetings.opendev.org/meetings/networking/2021/networking.2021-09-28-14.00.log.html#l-124

and the drivers meeting logs when we discussed this:
https://meetings.opendev.org/meetings/neutron_drivers/2021/neutron_drivers.2021-10-01-14.07.log.html

The agreement is to have this new fw driver in-tree as a new driver, and have a spec where the details can be discussed and formed.

tags: added: rfe-approved