
yahoo-eng-team team mailing list archive

[Bug 1889431] [NEW] Add source-ip-prefix to Neutron metering label rules

 

Public bug reported:

Problem Description
===================
Neutron metering label rules have a parameter called "--remote-ip-prefix", which would allow operators to filter traffic based on the remote IP address. However, since [1], its meaning was changed to the exact opposite, which causes some confusion. Instead of matching on the remote prefix (towards the external interface), it matches the local prefix (towards the OS tenant network).

Ideally, to satisfy the use case presented in [1] (which was achieved by
inverting the use of "remote-ip-prefix"), operators should be able to
create rules based on source-ip-prefix and remote-ip-prefix.

[1]
https://opendev.org/openstack/neutron/commit/92db1d4a2c49b1f675b6a9552a8cc5a417973b64

Proposed Change
===============
Therefore, we propose to introduce a new parameter in the Neutron metering rule API. This new parameter would be called "source_ip_prefix", representing the source IP of the traffic.

This change would also introduce a change in behavior of the
"remote_ip_prefix", which would start to match the remote IP, instead of
the local/source IP as it is doing since [1].

The "remote_ip_prefix" and "source_ip_prefix" could be used together, or
only one of them can be defined. However, a metering rule must always
have at least one of them (source_ip_prefix or remote_ip_prefix)
defined.

## API JSON
Current JSON for the "v2.0/metering/metering-label-rules" endpoint:
{
  "remote_ip_prefix": "0.0.0.0/0",
  "direction": "egress",
  "metering_label_id": "9ffd6512-9d2a-4dd2-9657-6a605126264d",
  "id": "f1694467-d866-4d8e-a8dc-18da516caedc",
  "excluded": false
}

Adding new attributes:
{
  "remote_ip_prefix": "0.0.0.0/0",
  "source_ip_prefix": "192.168.0.14/32",
  "direction": "egress",
  "metering_label_id": "9ffd6512-9d2a-4dd2-9657-6a605126264d",
  "id": "f1694467-d866-4d8e-a8dc-18da516caedc",
  "excluded": false
}

## Database table changes
Currently, the table "meteringlabelrules" is defined as:
+-------------------+--------------------------+------+-----+---------+-------+
| Field             | Type                     | Null | Key | Default | Extra |
+-------------------+--------------------------+------+-----+---------+-------+
| id                | varchar(36)              | NO   | PRI | NULL    |       |
| direction         | enum('ingress','egress') | YES  |     | NULL    |       |
| remote_ip_prefix  | varchar(64)              | YES  |     | NULL    |       |
| metering_label_id | varchar(36)              | NO   | MUL | NULL    |       |
| excluded          | tinyint(1)               | YES  |     | 0       |       |
+-------------------+--------------------------+------+-----+---------+-------+

We would add a new field to it. Therefore, it would look like:
+-------------------+--------------------------+------+-----+---------+-------+
| Field             | Type                     | Null | Key | Default | Extra |
+-------------------+--------------------------+------+-----+---------+-------+
| id                | varchar(36)              | NO   | PRI | NULL    |       |
| direction         | enum('ingress','egress') | YES  |     | NULL    |       |
| remote_ip_prefix  | varchar(64)              | YES  |     | NULL    |       |
| source_ip_prefix  | varchar(64)              | YES  |     | NULL    |       |
| metering_label_id | varchar(36)              | NO   | MUL | NULL    |       |
| excluded          | tinyint(1)               | YES  |     | 0       |       |
+-------------------+--------------------------+------+-----+---------+-------+

Moreover, during the upgrade process, the value of "remote_ip_prefix"
would be copied to "source_ip_prefix", and then the "remote_ip_prefix"
column would be set to null. This is done to maintain compatibility with
the changes introduced via [1].

## Neutron Metering agent changes
The iptables driver in the metering agent will need to handle the new parameters "source_ip_prefix" and "remote_ip_prefix" properly. When building the iptables rules, the parameter "remote_ip_prefix" (if defined) will be used with the iptables option "-d" for egress rules and "-s" for ingress rules. On the other hand, the parameter "source_ip_prefix" (if defined) will be used with the iptables option "-s" for egress rules and "-d" for ingress rules.

## API impacts
People using the API to configure local IP prefixes via the "remote_ip_prefix" parameter would need to start using the "source_ip_prefix" parameter.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1889431

Title:
  Add source-ip-prefix to Neutron metering label rules

Status in neutron:
  New
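
The proposed mapping and upgrade step, worked through as an added example (not code from the bug report or from Neutron). The function names are hypothetical, and the sample rules are constructed from the JSON shown in the report.

```python
import ipaddress

# Hypothetical helper names; the mapping and the upgrade step follow the
# proposal text, not Neutron's actual driver or migration code.

def migrate_legacy_rule(rule):
    """Upgrade step: move the old (local-matching) remote_ip_prefix value
    into source_ip_prefix, then null remote_ip_prefix."""
    upgraded = dict(rule)
    upgraded["source_ip_prefix"] = rule.get("remote_ip_prefix")
    upgraded["remote_ip_prefix"] = None
    return upgraded

def iptables_match_args(rule):
    """Return the -s/-d match arguments for one metering label rule."""
    source = rule.get("source_ip_prefix")
    remote = rule.get("remote_ip_prefix")
    if not source and not remote:
        raise ValueError("source_ip_prefix or remote_ip_prefix is required")
    if rule.get("direction") not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    for prefix in (source, remote):
        if prefix:
            # Raises ValueError on a malformed CIDR before it reaches iptables.
            ipaddress.ip_network(prefix, strict=False)
    # Egress: the local (source) prefix is the packet source and the remote
    # prefix is the destination. Ingress: the roles swap.
    if rule["direction"] == "egress":
        src, dst = source, remote
    else:
        src, dst = remote, source
    args = []
    if src:
        args += ["-s", src]
    if dst:
        args += ["-d", dst]
    return args

# Constructed sample rules based on the JSON shown in the report.
NEW_RULE = {"direction": "egress", "remote_ip_prefix": "0.0.0.0/0",
            "source_ip_prefix": "192.168.0.14/32"}
LEGACY_RULE = {"direction": "ingress", "remote_ip_prefix": "192.168.0.0/24"}

if __name__ == "__main__":
    print(iptables_match_args(NEW_RULE))
    print(iptables_match_args(migrate_legacy_rule(LEGACY_RULE)))
```

A legacy rule that is not migrated would match the opposite side of the traffic under the new semantics, which is why the upgrade step moves the value before the driver change takes effect.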
