Difference between revisions of "Meetings/Neutron blueprint ovs-firewall-driver"
< Meetings
(→Meeting Dec 16, 2013) |
(→Meeting Dec 16, 2013) |
||
| (21 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | Discussion for <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver> | ||
| + | |||
=== '''Meeting Dec 16, 2013''' === | === '''Meeting Dec 16, 2013''' === | ||
| Line 4: | Line 6: | ||
* Design decisions | * Design decisions | ||
** openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2 | ** openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2 | ||
| + | *** example of api changes in neutron: https://review.openstack.org/#/c/62129/ | ||
| + | *** example of api changes in neutronclient: https://review.openstack.org/#/c/62130/ | ||
| + | * ovs_neutron_agent issues/tasks | ||
| + | ** (1) firewall invoked before agent does anything in C[R]UD operations | ||
| + | *** need to at least move VLAN provisioning before firewall invocation (to have correct OVS action on ALLOW path) | ||
| + | ** (2) agent removes all flows at initialization (as well as deletes all vif's flows on port_bound) | ||
| + | *** requires OVS 1.5.0+ to delete flows based on cookie (current version in XenServer 6.2 and Ubuntu P/Q-release is 1.4.6) | ||
* Overview of prototype | * Overview of prototype | ||
** all security group flows on integration bridge | ** all security group flows on integration bridge | ||
| − | ** currently all on table 0, thinking about multi-table setup | + | ** currently all on table 0, thinking about multi-table setup (table0 port security, other: ingress, egress) |
** prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge | ** prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge | ||
| − | ** still a WIP: | + | ** still a major WIP: |
*** adding IPv6 flows | *** adding IPv6 flows | ||
| − | *** adding multiple ports in range | + | *** adding multiple ports in range: debating trying out port bitmask or N flows for N ports or any other suggestions? |
| − | *** | + | *** TODO unit/integration tests (integration tests help is always appreciated) |
| − | * | + | * other ovs_neutron_agent issues: |
| − | + | ** lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap | |
| − | ** | + | ** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 (addressed by https://review.openstack.org/#/c/62346/) |
| − | + | ** table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly | |
| − | |||
| − | ** neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 | ||
| − | |||
| − | ** table, priority coordination: ok for now to be hard-coded in Neutron, but will need an abstraction in the future possibly | ||
Latest revision as of 19:47, 16 December 2013
Discussion for <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver>
Meeting Dec 16, 2013
- Purpose restatement
- Design decisions
- openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
- example of api changes in neutron: https://review.openstack.org/#/c/62129/
- example of api changes in neutronclient: https://review.openstack.org/#/c/62130/
- openvswitch statelessness and security groups frontend API and DB: https://etherpad.openstack.org/p/ovs-firewall-driver-stateless-2
- ovs_neutron_agent issues/tasks
- (1) firewall invoked before agent does anything in C[R]UD operations
- need to at least move VLAN provisioning before firewall invocation (to have correct OVS action on ALLOW path)
- (2) agent removes all flows at initialization (as well as deletes all vif's flows on port_bound)
- requires OVS 1.5.0+ to delete flows based on cookie (current version in XenServer 6.2 and Ubuntu P/Q-release is 1.4.6)
- (1) firewall invoked before agent does anything in C[R]UD operations
- Overview of prototype
- all security group flows on integration bridge
- currently all on table 0, thinking about multi-table setup (table0 port security, other: ingress, egress)
- prototype tested on flat network setup; should work on other network types as-is since the tunnel OVS flows just pass the data to the integration bridge
- still a major WIP:
- adding IPv6 flows
- adding multiple ports in range: debating trying out port bitmask or N flows for N ports or any other suggestions?
- TODO unit/integration tests (integration tests help is always appreciated)
- other ovs_neutron_agent issues:
- lacking ovs atomicity like iptables-restore has (all connections might be dropped/allowed): one possibility is to have a dynamic multi-table hotswap
- neutron-rootwrap-xen-dom0 bugs: https://bugs.launchpad.net/neutron/+bug/1185872/comments/3, https://bugs.launchpad.net/neutron/+bug/1259748 (addressed by https://review.openstack.org/#/c/62346/)
- table, priority, cookie, actions coordination: ok for now to be hard-coded in Neutron, but will need an abstraction layer in the future possibly
