yahoo-eng-team team mailing list archive

[Bug 1596976] [NEW] optimize refresh firewall on ipset member update

Public bug reported:

Before ipset, a port was creating explicit firewall rules to other ports (members of the same security group), i.e.
port's firewall rules without ipset:
-A neutron-openvswi-i92605eaf-b -s 192.168.83.17/32 -j RETURN
-A neutron-openvswi-i92605eaf-b -s 192.168.83.18/32 -j RETURN
-A neutron-openvswi-i92605eaf-b -s 192.168.83.15/32 -j RETURN
with ipset:
-A neutron-openvswi-i92605eaf-b -m set --match-set ${ipset_name} src -j RETURN

With ipset, when a new port is up on a remote ovs agent, the local ovs
agent only has to update the kernel ipset and does not need to update any
firewall rules. When a port on a remote agent is deleted, it has to be
deleted from the local agent's ipset, and the corresponding connection
tracking entries have to be deleted. In both of the above scenarios, ovs
shouldn't update firewall rules.

But the current implementation tries to update the firewall rules (this
results in removing all in-memory firewall rules and creating them again,
while still no iptables rules are updated on the system). This consumes a
lot of the agent's time. We can optimize this by avoiding updates to the
in-memory firewall rules in this scenario, and make the firewall refresh
for securitygroup-member-update faster.

** Affects: neutron
     Importance: Undecided
     Assignee: venkata anil (anil-venkata)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => venkata anil (anil-venkata)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1596976

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1596976/+subscriptions
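The two rule styles and the two member-update paths described in the report, as an added toy model that is not neutron's own code. The chain name and the member addresses are taken from the report; the ipset name `NIPv4sg-test`, the class `IpsetFirewall` and its method names are assumptions, and the kernel ipset and the conntrack table are replaced by in-memory stand-ins so the model runs offline.

```python
"""Toy model of the security-group firewall behaviour from the bug report.

It contrasts the pre-ipset per-IP rules with a single ipset-backed rule, and
shows a member-update path that touches only the ipset (plus the conntrack
entries of removed members) instead of regenerating all in-memory firewall
rules. Standalone illustration, not neutron's code; the kernel ipset and the
conntrack table are in-memory stand-ins (assumption).
"""
from dataclasses import dataclass, field

# Chain name as it appears in the bug report.
CHAIN = "neutron-openvswi-i92605eaf-b"


def explicit_rules(chain, member_ips):
    """Pre-ipset style: one explicit -s rule per remote member."""
    return [f"-A {chain} -s {ip}/32 -j RETURN" for ip in sorted(member_ips)]


def ipset_rule(chain, ipset_name):
    """ipset style: one rule that matches the whole set, whatever its size."""
    return f"-A {chain} -m set --match-set {ipset_name} src -j RETURN"


@dataclass
class IpsetFirewall:
    """Minimal stand-in for the agent's in-memory firewall driver (hypothetical)."""
    chain: str
    ipset_name: str
    ipset_members: set = field(default_factory=set)        # stand-in for the kernel ipset
    rules: list = field(default_factory=list)              # in-memory iptables rules
    rule_rebuilds: int = 0                                 # how often rules were regenerated
    conntrack_deleted: list = field(default_factory=list)  # stand-in for conntrack deletions

    def _rebuild_rules(self):
        # Regenerating the rule list is the expensive step the report complains
        # about; with ipset the result is the same single rule every time.
        self.rules = [ipset_rule(self.chain, self.ipset_name)]
        self.rule_rebuilds += 1

    def prepare_port_filter(self, member_ips):
        """Initial setup: populate the ipset and install the rule once."""
        self.ipset_members = set(member_ips)
        self._rebuild_rules()

    def _update_ipset(self, added, removed):
        self.ipset_members |= set(added)
        self.ipset_members -= set(removed)
        # Established flows from a removed member would otherwise keep matching
        # via connection tracking, so its conntrack entries are dropped as well.
        self.conntrack_deleted.extend(sorted(removed))

    def member_update_naive(self, added, removed):
        """Behaviour described in the report: ipset update plus a full rule refresh."""
        self._update_ipset(added, removed)
        self._rebuild_rules()
        return self.rules

    def member_update_optimized(self, added, removed):
        """Proposed optimization: the ipset rule is unchanged, so skip the refresh."""
        self._update_ipset(added, removed)
        return self.rules


def demo():
    """Run both update paths once and report how many rule rebuilds each caused."""
    members = ["192.168.83.17", "192.168.83.18", "192.168.83.15"]
    fw = IpsetFirewall(CHAIN, "NIPv4sg-test")
    fw.prepare_port_filter(members)
    fw.member_update_optimized(added=["192.168.83.20"], removed=["192.168.83.15"])
    rebuilds_after_optimized = fw.rule_rebuilds
    fw.member_update_naive(added=[], removed=["192.168.83.18"])
    return {
        "explicit_rule_count": len(explicit_rules(CHAIN, members)),
        "ipset_rule_count": len(fw.rules),
        "rebuilds_after_optimized": rebuilds_after_optimized,
        "rebuilds_after_naive": fw.rule_rebuilds,
        "conntrack_deleted": list(fw.conntrack_deleted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the `rule_rebuilds` counter: the optimized path leaves it untouched on a member update, because the single `--match-set` rule does not depend on which addresses are in the set, while the conntrack cleanup for removed members still happens in both paths.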
