
(Operator-only) Extend logging framework for FWaaS v2

This spec follows up the original spec[1] to extend the
work to support FWaaS v2.

[1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

Partial-Bug: #1720727

Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Co-Authored-By: Cuong Nguyen <cuongnv@vn.fujitsu.com>
Change-Id: I409265229853f3d5c7e7a698c5b0787586ac1558
Cao Xuan Hoang, 1 year ago
commit 6a1372079a
1 changed file with 337 additions and 0 deletions

specs/rocky/extend-logging-framework-to-support-for-FWaaS-v2.rst (+337, -0)

@@ -0,0 +1,337 @@
1
+..
2
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
3
+ License.
4
+
5
+ http://creativecommons.org/licenses/by/3.0/legalcode
6
+
7
+================================================
8
+Extend logging framework to support FWaaS v2
9
+================================================
10
+
11
+https://bugs.launchpad.net/neutron/+bug/1720727
12
+
13
+All content of this spec is based on `original spec <https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html>`_
14
+and to extend supporting the logging feature for FWaaS v2 which was mentioned
15
+in the *Future work beyond this spec* section.
16
+
17
+We expect reviewers to check `original spec`_ before going ahead with below sections.
18
+
19
+Problem Description
20
+===================
21
+
22
+The current logging framework just supports security group as an initial
23
+implementation. FWaaS v2 lacks this useful feature.
24
+
25
+Proposed Change
26
+===============
27
+
28
+To extend the feature to support FWaaS v2, we would like to propose
29
+additional information comparable to *Proposed Change* section in
30
+`original spec`_ as following:
31
+
32
+Logging implementation
33
+----------------------
34
+
35
+Currently, Logging API is designed as a service plugin. It is also defined as a
36
+generic logging API for resources such as security groups and firewall.
37
+Reference implementation can be found in [1]_.
38
+
39
+The server side is one aspect we need to handle. At the moment in Neutron
40
+Security Group logging implementation, we have a function as request validator [2]_.
41
+This code should be moved out from neutron to neutron-lib and will
42
+be more generic so it can handle both Neutron SG and FWaaS.
43
+The expected outcome of this step is to make sure this validator is still
44
+working for Security Group and it can also be applied for FWaaS.
45
+
46
+
47
+Regarding to agent side:
48
+
49
+For L2 layer, the *LoggingExtension* is an L2 agent extension. It is common for
50
+all logging resources like security groups and firewall. For L3 layer,
51
+*LoggingL3AgentExtension* is an L3 agent extension dedicated for firewall.
52
+These agent extensions will receive CREATED/UPDATED/DELETED events of the
53
+logging resource and pass these events to logging drivers. Each logging driver
54
+defines the resources it supports. In case of FWaaS v2, logging driver named
55
+*FWaaSv2LoggingDriver* will be implemented. This class will inherit
56
+from *LoggingDriver* class.
57
+
58
+Regarding to driver side:
59
+
60
+There are two drivers will be implemented in order to support for both
61
+L2 layer (instance) and L3 layer (router).
62
+
63
+For L2 layer, a driver named *FWaaSv2L2LoggingDriver* will be implemented. It
64
+acts as a controller program.
65
+This driver will insert flows log into table=91 and table=92 with
66
+ct_state=NEW to generate ACCEPT events, insert flows log into
67
+table=93 to generate DROP events.
68
+
69
+For L3 layer, a driver named *FWaaSv2L3LoggingDriver* will be implemented based on
70
+iptables in user namespace level. It runs in network node to handle router's
71
+port by adding NFLOG rules to iptables. We would like to propose detail solution
72
+as following:
73
+
74
+(1) The structure of iptables rules.
75
+
76
+    We will introduce two new chains:
77
+
78
+    - neutron-l3-agent-accepted: log first accept packet and accept all
79
+      packets which are matched with firewall rules.
80
+
81
+    - neutron-l3-agent-dropped: log and drop all packets.
82
+
83
+
84
+    New iptables structure when logging is enabled would look like::
85
+
86
+        Chain INPUT (policy ACCEPT)
87
+        target     prot opt source               destination
88
+        neutron-l3-agent-INPUT  all  --  anywhere             anywhere
89
+
90
+        Chain FORWARD (policy ACCEPT)
91
+        target     prot opt source               destination
92
+        neutron-filter-top  all  --  anywhere             anywhere
93
+        neutron-l3-agent-FORWARD  all  --  anywhere             anywhere
94
+
95
+        Chain OUTPUT (policy ACCEPT)
96
+        target     prot opt source               destination
97
+        neutron-filter-top  all  --  anywhere             anywhere
98
+        neutron-l3-agent-OUTPUT  all  --  anywhere             anywhere
99
+
100
+        Chain neutron-filter-top (2 references)
101
+        target     prot opt source               destination
102
+        neutron-l3-agent-local  all  --  anywhere             anywhere
103
+
104
+        Chain neutron-l3-agent-FORWARD (1 references)
105
+        target     prot opt source               destination
106
+        neutron-l3-agent-scope  all  --  anywhere             anywhere
107
+        neutron-l3-agent-iv4dd529723  all  --  anywhere             anywhere
108
+        neutron-l3-agent-ov4dd529723  all  --  anywhere             anywhere
109
+        neutron-l3-agent-fwaas-defau  all  --  anywhere             anywhere
110
+        neutron-l3-agent-fwaas-defau  all  --  anywhere             anywhere
111
+
112
+        Chain neutron-l3-agent-INPUT (1 references)
113
+        target     prot opt source               destination
114
+        ACCEPT     all  --  anywhere             anywhere             mark match 0x1/0xffff
115
+        DROP       tcp  --  anywhere             anywhere             tcp dpt:9697
116
+
117
+        Chain neutron-l3-agent-OUTPUT (1 references)
118
+        target     prot opt source               destination
119
+
120
+        Chain neutron-l3-agent-fwaas-defau (2 references)
121
+        target     prot opt source               destination
122
+        DROP       all  --  anywhere             anywhere
123
+
124
+        Chain neutron-l3-agent-iv4dd529723 (1 references)
125
+        target     prot opt source               destination
126
+        neutron-l3-agent-dropped       all  --  anywhere             anywhere             state INVALID
127
+        neutron-l3-agent-accepted     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
128
+        neutron-l3-agent-dropped       all  --  anywhere             anywhere
129
+
130
+        Chain neutron-l3-agent-local (1 references)
131
+        target     prot opt source               destination
132
+
133
+        Chain neutron-l3-agent-ov4dd529723 (1 references)
134
+        target     prot opt source               destination
135
+        neutron-l3-agent-dropped       all  --  anywhere             anywhere             state INVALID
136
+        neutron-l3-agent-accepted     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
137
+        neutron-l3-agent-accepted     all  --  anywhere             anywhere
138
+
139
+        Chain neutron-l3-agent-scope (1 references)
140
+        target     prot opt source               destination
141
+        DROP       all  --  anywhere             anywhere             mark match ! 0x4000000/0xffff0000
142
+
143
+        Chain neutron-l3-agent-fw-chain (2 references)
144
+        target     prot opt source               destination
145
+        ACCEPT     all  --  anywhere             anywhere
146
+
147
+        chain neutron-l3-agent-accepted
148
+        target     prot opt source               destination
149
+        NFLOG      all  --  anywhere             anywhere             state NEW limit: avg 100/sec burst 25 nflog-prefix  12823226497704342389
150
+        ACCEPT     all  --  anywhere             anywhere
151
+
152
+        chain neutron-l3-agent-dropped
153
+        target     prot opt source               destination
154
+        NFLOG      all  --  anywhere             anywhere             limit: avg 100/sec burst 25 nflog-prefix  12823226497704342389
155
+        DROP       all  --  anywhere             anywhere
156
+
157
+
158
+(2) How to capture packets and parse information of packets. This requires at least two steps.
159
+
160
+    - First we need to dump packets into raw format.
161
+
162
+      * We propose to implement a python binding for `libnetfilter_log`, same
163
+        idea like [3]_.
164
+
165
+    - After we have packets in raw format, we need to parse these data into
166
+      human readable format.
167
+
168
+      * In order to do that, we propose to use `ryu` [4]_ library for this step.
169
+        PoC implementation looks like [5]_.
170
+
171
+About how to configure logging feature,
172
+See `networking guide <https://review.openstack.org/#/c/480117/>`_ for detail.
173
+
174
+Expected API behavior
175
+---------------------
176
+
177
+This spec takes FWaaS v2 logging as an example:
178
+
179
+Operators can collect security events (ALLOW/DROP or ALL) for some cases:
180
+
181
+(1) Collect events related to a specific firewall group applied to all
182
+    instances/routers ports by passing its firewall group ID to ``resource_id``.
183
+
184
+(2) Collect events related to a specific firewall group applied to a
185
+    specific instance/router by passing its firewall group ID to ``resource_id``
186
+    and its bound Neutron port ID to ``target_id``.
187
+
188
+(3) Collect events related to all firewall groups being applied to a
189
+    specific instance by passing its Neutron port ID to ``target_id``.
190
+
191
+(4) Collect events related to firewall groups in a project: in this case
192
+    operators do not pass any value to ``resource_id`` or ``target_id``.
193
+
194
+
195
+API operation sample
196
+--------------------
197
+
198
+Same as `original spec`_
199
+
200
+
201
+Data Model Impact
202
+-----------------
203
+
204
+None
205
+
206
+REST API Impact
207
+---------------
208
+
209
+Same as `original spec`_
210
+
211
+Add support firewall_group as ``loggable_resource`` type.
212
+In order to do that, there are two changes required:
213
+
214
+- Make request validator and rpc callback to be more generic in order to
215
+  support firewall_group.
216
+- On FWaaS, use above generic methods to register to Neutron side.
217
+
218
+Security Impact
219
+---------------
220
+
221
+Same as `original spec`_
222
+
223
+
224
+Notifications Impact
225
+--------------------
226
+
227
+None
228
+
229
+
230
+Operators CLI Impact
231
+--------------------
232
+
233
+Add `firewall_group` to be on of --resource-type. Also add `firewall_group`
234
+in output of supported logging capabilities.
235
+
236
+Performance Impact
237
+------------------
238
+
239
+Same as `original spec`_
240
+
241
+IPv6 Impact
242
+-----------
243
+
244
+Same as `original spec`_
245
+
246
+
247
+Other Deployer Impact
248
+---------------------
249
+
250
+None as it done along with logging feature.
251
+
252
+
253
+Developer Impact
254
+----------------
255
+
256
+None
257
+
258
+
259
+Community Impact
260
+----------------
261
+
262
+None
263
+
264
+
265
+Alternatives
266
+------------
267
+
268
+None
269
+
270
+
271
+Implementation
272
+==============
273
+
274
+Assignee(s)
275
+-----------
276
+
277
+Primary assignee:
278
+  y-furukawa-2
279
+
280
+Other contributors:
281
+  hoangcx,
282
+  annp,
283
+  cuongnv
284
+
285
+
286
+Work Items
287
+----------
288
+
289
+* Finalize a way to log data
290
+* Implement *FWaaSv2LoggingDriver* based reference implementation
291
+
292
+
293
+Dependencies
294
+============
295
+
296
+None
297
+
298
+
299
+Testing
300
+=======
301
+
302
+Same as `original spec`_
303
+
304
+Tempest Tests
305
+-------------
306
+
307
+Same as `original spec`_
308
+
309
+
310
+Functional Tests
311
+----------------
312
+
313
+Same as `original spec`_
314
+
315
+
316
+API Tests
317
+---------
318
+
319
+Same as `original spec`_
320
+
321
+
322
+Documentation Impact
323
+====================
324
+
325
+User Documentation
326
+------------------
327
+
328
+Same as `original spec`_
329
+
330
+References
331
+==========
332
+
333
+.. [1] https://review.openstack.org/#/c/395504/
334
+.. [2] https://github.com/openstack/neutron/blob/139c8341f4eaa5f214050d4f7f1cca3f2a1cae34/neutron/services/logapi/common/validators.py#L111
335
+.. [3] https://github.com/commonism/python-libnetfilter
336
+.. [4] https://github.com/osrg/ryu
337
+.. [5] https://review.openstack.org/#/c/445827/26/neutron/privileged/agent/linux/libnetfilter_log.py
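Review bot: the Dependencies section near the end of the hunk says "None", but the Logging implementation section states that the request validator in neutron/services/logapi/common/validators.py (reference [2]) will be moved out of neutron into neutron-lib so it can serve both security groups and FWaaS; that move makes this work depend on a neutron-lib release carrying the generic validator and on the neutron change that consumes it, so Dependencies should name both. Two smaller points in the listing under "(1) The structure of iptables rules": the NFLOG rules in neutron-l3-agent-accepted and neutron-l3-agent-dropped carry the same nflog-prefix value (12823226497704342389), so the text should state how the consumer recovers the ACCEPT/DROP event type when the prefix alone does not distinguish them, for example whether the prefix is meant to encode the log resource plus the action; and the last two chains are headed "chain neutron-l3-agent-accepted" / "chain neutron-l3-agent-dropped" without the "Chain ... (N references)" form used for every other chain, which reads as hand-edited rather than captured, so please paste the actual iptables -L output. Finally, the L2 paragraph cites table=91, table=92 and table=93 without saying where those tables are defined in the FWaaS v2 OVS driver; a reference would let reviewers check the ct_state=NEW reasoning.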
