yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1885261] [NEW] Add stateless firewall support to OVS firewall

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Bernard Cafarelli <1885261@xxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Jun 2020 10:14:19 -0000
Reply-to: Bug 1885261 <1885261@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

In Ussuri, we added support for stateless firewall [1]

This added support for stateful attribute in security group, with needed
parts in API extensions "stateful-security-group", database, ... [2]

However implementation is currently only done for the iptables drivers,
this limitation is noted in release notes for the feature.

As proposed discussed in the Victoria PTG [3], we should add support for
this attribute in OVS firewall driver (default in devstack, and also
needed for hardware offlad).

Most changes would be around skipping any parts involving conntrack. An
implementation example also existed in networking-ovs-dpdk [4]

[1] https://bugs.launchpad.net/neutron/+bug/1753466
[2] https://review.opendev.org/#/c/572767/
[3] https://etherpad.opendev.org/p/neutron-victoria-ptg L162
[4] https://opendev.org/x/networking-ovs-dpdk/src/branch/stable/rocky/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: ovs-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1885261

Title:
  Add stateless firewall support to OVS firewall

Status in neutron:
  New

Bug description:
  In Ussuri, we added support for stateless firewall [1]

  This added support for stateful attribute in security group, with
  needed parts in API extensions "stateful-security-group", database,
  ... [2]

  However implementation is currently only done for the iptables
  drivers, this limitation is noted in release notes for the feature.

  As proposed discussed in the Victoria PTG [3], we should add support
  for this attribute in OVS firewall driver (default in devstack, and
  also needed for hardware offlad).

  Most changes would be around skipping any parts involving conntrack.
  An implementation example also existed in networking-ovs-dpdk [4]

  [1] https://bugs.launchpad.net/neutron/+bug/1753466
  [2] https://review.opendev.org/#/c/572767/
  [3] https://etherpad.opendev.org/p/neutron-victoria-ptg L162
  [4] https://opendev.org/x/networking-ovs-dpdk/src/branch/stable/rocky/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1885261/+subscriptions