yahoo-eng-team team mailing list archive
Message #62281
[Bug 1506076] Re: Allow connection tracking to be disabled per-port
Just an update: I think it would be wise to disable connection tracking
(e.g. adding iptables -t raw -j NOTRACK ....) when port security is
disabled for a port. It can make a huge difference on the used conntrack
entries in the kernel.
** Changed in: neutron
Status: Expired => New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1506076
Title:
Allow connection tracking to be disabled per-port
Status in neutron:
New
Bug description:
This RFE is being raised in the context of this use case
https://review.openstack.org/#/c/176301/ from the TelcoWG.
OpenStack implements levels of per-VM security protection (security
groups, anti-spoofing rules). If you want to deploy a trusted VM
which itself is providing network security functions, as with the
above use case, then it is often necessary to disable some of the
native OpenStack protection so as not to interfere with the protection
offered by the VM or use excessive host resources.
Neutron already allows you to disable security groups on a per-port
basis. However, the Linux kernel will still perform connection
tracking on those ports. With default Linux config, VMs will be
severely scale limited without specific host configuration of
connection tracking limits - for example, a Session Border Controller
VM may be capable of handling millions of concurrent TCP connections,
but a default host won't support anything like that. This bug is
therefore an RFE to request that disabling the security group function for
a port further disables kernel connection tracking for IP addresses
associated with that port.
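The raw-table bypass suggested in the comment above, as an added example that is not code from the bug report or from Neutron. It assumes OVS hybrid plugging, where the VM side of the per-port bridge is tapXXX and the integration-bridge side is qvbXXX (both named from the first 11 characters of the port UUID), that bridge-nf-call-iptables is enabled so bridged frames reach the raw table with physdev match data, and it spells the target as "-j CT --notrack", the current form of "-j NOTRACK". Device names and the iptables-save dump are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or from Neutron): generate raw-table
# rules that stop the kernel from creating conntrack entries for one VM port
# whose port security is disabled, and audit an iptables-save dump for them.
# Assumed naming: tap<prefix> is the VM side, qvb<prefix> the br-int side,
# <prefix> being the first 11 characters of the port UUID (constructed here).

# Print the raw-table rules for one port, in iptables-save syntax, so they can
# be fed to `iptables-restore -n` without flushing the rest of the table.
notrack_rules() {
    prefix="$1"
    # Traffic leaving the VM enters the bridge on the tap device.
    printf '%s\n' "-A PREROUTING -m physdev --physdev-in tap$prefix -j CT --notrack"
    # Traffic towards the VM enters the bridge on the qvb veth end.
    printf '%s\n' "-A PREROUTING -m physdev --physdev-in qvb$prefix -j CT --notrack"
}

# Return 0 if a raw-table dump read from stdin already carries both rules for
# the port, 1 otherwise. Usage: iptables-save -t raw | has_notrack <prefix>
has_notrack() {
    prefix="$1"
    dump=$(cat)
    for dev in "tap$prefix" "qvb$prefix"; do
        printf '%s\n' "$dump" | grep -q -- "--physdev-in $dev -j CT --notrack" || return 1
    done
    return 0
}

# Constructed sample dump: port 1a2b3c4d-5e is exempted, 9f8e7d6c-5b is not.
SAMPLE_RAW_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m physdev --physdev-in tap1a2b3c4d-5e -j CT --notrack
-A PREROUTING -m physdev --physdev-in qvb1a2b3c4d-5e -j CT --notrack
COMMIT'

# Count how many of the given ports still lack the bypass in the sample dump;
# on a real host replace SAMPLE_RAW_DUMP with the output of iptables-save -t raw.
missing_count() {
    n=0
    for p in "$@"; do
        printf '%s\n' "$SAMPLE_RAW_DUMP" | has_notrack "$p" || n=$((n + 1))
    done
    echo "$n"
}

missing_count 1a2b3c4d-5e 9f8e7d6c-5b
```

Applying the generated rules still requires root and a `-I` position before any Neutron raw-table jumps; the audit only reads the dump.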
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1506076/+subscriptions