← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1586352] [NEW] [RFE] Grouping remote_ip_prefix by ipset

 

Public bug reported:

This RFE is requesting a feature for grouping IP addresses of
remote_ip_prefix using ipset to improve network performance.

[Background]
To allow access from/to specific IP address, remote_ip_prefix can be used in security group rule. This is used for:
o To allow access from/to machines which is outside OpenStack environment.
o To allow access between datacenter in multi-site environment.

[Existing problem]
For the usage above, We have to specify IP address(CIDR) as remote_ip_prefix one by one and the number of security group rules are increased. It caused performance degradation of network.

We had the same problem about remote_group_id and it is solved by
enable_ipset feature[1]. This feature improves network performance by
grouping IP addresses which belong to the same security group. I want to
extend this feature for remote_ip_prefix.

[Proposal]
To solve the problem above, I propose the following feature.

1) Introduce new feature to group many CIDRs into one set and specify the set as remote_ip_prefix collectively.
2) Improve neutron and L2 agent so that L2 agent updates iptables using ipset for this set of CIDRs.

By this feature, we can reduce the number of security group rules when
many remote_ip_prefix is used.

When we specify IP address to allow access, we need to do like this:

neutron security-group-rule-create --remote-ip-prefix 192.168.100.10/32
neutron security-group-rule-create --remote-ip-prefix 192.168.101.15/32
neutron security-group-rule-create --remote-ip-prefix 192.168.102.20/32
...

Therefore many security group rules are generated and it causes
degradation of network performance. I propose new feature to group these
CIDRs into one set and specify this set as remote_ip_prefix.

And then, L2 agent converts this CIDR set to the ipset group and apples
it to iptables. This is the same manner as converting remote_group_id to
ipset group.

[1]
https://specs.openstack.org/openstack/neutron-specs/specs/juno/add-ipset-to-security.html

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1586352

Title:
  [RFE] Grouping remote_ip_prefix by ipset

Status in neutron:
  New

Bug description:
  This RFE is requesting a feature for grouping IP addresses of
  remote_ip_prefix using ipset to improve network performance.

  [Background]
  To allow access from/to specific IP address, remote_ip_prefix can be used in security group rule. This is used for:
  o To allow access from/to machines which is outside OpenStack environment.
  o To allow access between datacenter in multi-site environment.

  [Existing problem]
  For the usage above, We have to specify IP address(CIDR) as remote_ip_prefix one by one and the number of security group rules are increased. It caused performance degradation of network.

  We had the same problem about remote_group_id and it is solved by
  enable_ipset feature[1]. This feature improves network performance by
  grouping IP addresses which belong to the same security group. I want
  to extend this feature for remote_ip_prefix.

  [Proposal]
  To solve the problem above, I propose the following feature.

  1) Introduce new feature to group many CIDRs into one set and specify the set as remote_ip_prefix collectively.
  2) Improve neutron and L2 agent so that L2 agent updates iptables using ipset for this set of CIDRs.

  By this feature, we can reduce the number of security group rules when
  many remote_ip_prefix is used.

  When we specify IP address to allow access, we need to do like this:

  neutron security-group-rule-create --remote-ip-prefix 192.168.100.10/32
  neutron security-group-rule-create --remote-ip-prefix 192.168.101.15/32
  neutron security-group-rule-create --remote-ip-prefix 192.168.102.20/32
  ...

  Therefore many security group rules are generated and it causes
  degradation of network performance. I propose new feature to group
  these CIDRs into one set and specify this set as remote_ip_prefix.

  And then, L2 agent converts this CIDR set to the ipset group and
  apples it to iptables. This is the same manner as converting
  remote_group_id to ipset group.

  [1]
  https://specs.openstack.org/openstack/neutron-specs/specs/juno/add-ipset-to-security.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1586352/+subscriptions


Follow ups