yahoo-eng-team team mailing list archive

[Bug 1753466] [NEW] [RFE] Support stateless security groups

Public bug reported:

Neutron currently only provides stateful security groups. The rules of
these security groups are then configured in a stateful manner.

The goal of this RFE is to support stateless security groups. Analogous
to stateful security groups, all rules of a stateless security group
will be implemented as stateless. The statefulness of a security group
can be modified only if it has no associated ports. By default, security
groups are stateful.

For some use cases, this statelessness will allow operators to opt for
optimized datapath performance, whereas stateful security groups
impose extra processing on the system. On the downside, operators need
to provision security group rules for ingress and egress to their exact
intent, as reverse traffic is no longer automatically allowed.

The motivation for defining statefulness/statelessness at security group
level and not at rule level is to avoid operational complexity when
mixing both. However, it would be possible to assign both stateless
and stateful security groups to the same port.

From an API point of view, a new boolean attribute `stateful` will be
added to security groups, defaulting to True. When the attribute is set
to False, a stateless security group is created. As this attribute will
be persisted, alembic migration is needed. Currently existing security
groups will all be set to stateful during the alembic migration.

The following OpenStack components will need to be modified when implementing this feature:
  - neutron: implementing stateless security groups and unit tests
  - python-openstacksdk: add new resource property
  - python-openstackclient: support for the new security group attribute
  - horizon: adding the new security group attribute
  - heat: adding a resource property

We will implement and verify this feature for OVS/iptables.

** Affects: neutron
     Importance: Undecided
     Assignee: Giel Dops (nuage.gieldops)
         Status: New


** Tags: rfe

** Changed in: neutron
     Assignee: (unassigned) => Giel Dops (nuage.gieldops)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1753466

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1753466/+subscriptions
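The behaviour the RFE describes (a stateful group lets reply traffic back automatically, a stateless group only passes packets that match an explicit rule in that direction, and `stateful` defaults to True and may only be changed while no port uses the group) is easy to misread, so here is a small Python model of it. This is an added illustration written for this archive page, not Neutron's implementation or any code from the RFE; the class names (`Rule`, `SecurityGroup`, `PortFilter`), the conntrack-style table and the sample addresses are this example's own assumptions. Rules follow the Neutron convention that the port range applies to the packet's destination port and the remote prefix to the far end of the connection.

```python
"""Toy model of stateful vs stateless security groups.

Added illustration, not Neutron code.  All names and sample addresses
are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" (toward the port) or "egress" (from the port)
    protocol: str    # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self):
        """5-tuple identifying this packet's flow."""
        return (self.protocol, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        """5-tuple of the flow this packet would be a reply to."""
        return (self.protocol, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """Neutron-style rule: port range matches the packet's destination port,
    remote prefix matches the remote end (dst for egress, src for ingress)."""
    direction: str
    protocol: str
    port_min: int = 1
    port_max: int = 65535
    remote_prefix: str = "0.0.0.0/0"

    def matches(self, pkt):
        if pkt.direction != self.direction or pkt.protocol != self.protocol:
            return False
        remote = pkt.dst_ip if pkt.direction == "egress" else pkt.src_ip
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(self.remote_prefix):
            return False
        return self.port_min <= pkt.dst_port <= self.port_max


@dataclass
class SecurityGroup:
    name: str
    stateful: bool = True              # default proposed by the RFE
    rules: list = field(default_factory=list)
    ports: set = field(default_factory=set)

    def set_stateful(self, value):
        """Statefulness may only be changed while no port uses the group."""
        if self.ports:
            raise ValueError(f"{self.name} is in use by ports {sorted(self.ports)}")
        self.stateful = value


class PortFilter:
    """Filter for one port.  Flows admitted by a stateful group are recorded
    in a conntrack-like table; stateless groups never populate it."""

    def __init__(self, port_id, groups):
        self.port_id = port_id
        self.groups = list(groups)
        for g in self.groups:
            g.ports.add(port_id)
        self.conntrack = set()

    def accept(self, pkt):
        # Reply to a flow a stateful group admitted earlier: passes implicitly.
        if pkt.reverse_flow() in self.conntrack:
            return True
        # Otherwise an explicit rule in this direction is required.
        for g in self.groups:
            if any(r.matches(pkt) for r in g.rules):
                if g.stateful:
                    self.conntrack.add(pkt.flow())
                return True
        return False


def dns_demo(stateful):
    """VM 10.0.0.5 queries resolver 8.8.8.8:53 with only an egress rule.
    Returns (query_allowed, reply_allowed, unsolicited_allowed)."""
    sg = SecurityGroup("allow-dns", stateful=stateful)
    sg.rules.append(Rule("egress", "udp", 53, 53, "8.8.8.8/32"))
    pf = PortFilter("port-a", [sg])
    query = Packet("egress", "udp", "10.0.0.5", 43210, "8.8.8.8", 53)
    reply = Packet("ingress", "udp", "8.8.8.8", 53, "10.0.0.5", 43210)
    unsolicited = Packet("ingress", "udp", "8.8.8.8", 53, "10.0.0.5", 50000)
    return pf.accept(query), pf.accept(reply), pf.accept(unsolicited)


def stateless_with_reverse_rule():
    """Stateless group plus the explicit ingress rule the operator now has to
    write for replies (ephemeral destination ports from the resolver)."""
    sg = SecurityGroup("allow-dns", stateful=False)
    sg.rules.append(Rule("egress", "udp", 53, 53, "8.8.8.8/32"))
    sg.rules.append(Rule("ingress", "udp", 1024, 65535, "8.8.8.8/32"))
    pf = PortFilter("port-a", [sg])
    query = Packet("egress", "udp", "10.0.0.5", 43210, "8.8.8.8", 53)
    reply = Packet("ingress", "udp", "8.8.8.8", 53, "10.0.0.5", 43210)
    unsolicited = Packet("ingress", "udp", "8.8.8.8", 53, "10.0.0.5", 50000)
    return pf.accept(query), pf.accept(reply), pf.accept(unsolicited)


def flip_guarded():
    """Changing `stateful` on a group attached to a port must fail."""
    sg = SecurityGroup("g")
    PortFilter("port-b", [sg])
    try:
        sg.set_stateful(False)
        return False
    except ValueError:
        return True
```

The third return value is the check a practitioner should make before switching a group to stateless: with the stateful group, an unsolicited packet from the resolver is dropped because no tracked flow matches it, but once the reverse rule needed by a stateless group is in place, any packet from that source into the ephemeral port range is accepted, because a stateless filter has no way to distinguish a reply from an unsolicited packet. That widening of the allowed ingress set is the price of the datapath savings the RFE describes.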

