148 lines
3.2 KiB
ReStructuredText
148 lines
3.2 KiB
ReStructuredText
..
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
License.
|
|
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
==========================================
|
|
Conntrack zones support
|
|
==========================================
|
|
|
|
https://blueprints.launchpad.net/neutron/+spec/conntrack-in-security-group
|
|
|
|
Problem Description
|
|
===================
|
|
Network isolation could be broken since security groups created for one
|
|
network can affect connectivity between ports of other network if they have
|
|
same IP addresses as ports on the initial network.
|
|
|
|
Forcing connection close via conntrack by IP will break existing connections
|
|
on networks which aren't related to security group being enforced.
|
|
|
|
See [1] for the reference.
|
|
|
|
Proposed Change
|
|
===============
|
|
The goal is to add support for conntrack zones which allow to handle multiple
|
|
connections with equal identities in conntrack and NAT.
|
|
|
|
A zone is simply a numerical identifier associated with a network
|
|
device that is incorporated into the various hashes and used to
|
|
distinguish entries in addition to the connection tuples. Additionally
|
|
it is used to separate conntrack defragmentation queues. An iptables
|
|
target for the raw table could be used alternatively to the network
|
|
device for assigning conntrack entries to zones. See [3] for more information.
|
|
|
|
In the case of security groups, each conntrack zone should correspond to a
|
|
neutron network. Adding some sort of network identifier makes connection tuple
|
|
unique.
|
|
|
|
In fact, that is already done in ovs agent, where there is a local vlan mapping.
|
|
Exactly the same strategy could be applied to conntrack zones.
|
|
Local vlan ids could be used as a conntrack zone id.
|
|
|
|
Changes are required in Firewall driver. It should keep current network-to-zone
|
|
mapping and apply port firewall rules with this additional parameter.
|
|
Upon ovs agent start/restart this mapping could be populated from local vlan
|
|
mapping. Changing zone identifies is ok because iptables rules are updated
|
|
after ovs agent restart.
|
|
|
|
This could also be utilized by other agents such as OFAgent.
|
|
|
|
Data Model Impact
|
|
-----------------
|
|
None
|
|
|
|
REST API Impact
|
|
---------------
|
|
None
|
|
|
|
Security Impact
|
|
---------------
|
|
This feature should actually improve security by fixing tenant network isolation.
|
|
|
|
Notifications Impact
|
|
--------------------
|
|
None
|
|
|
|
Other End User Impact
|
|
---------------------
|
|
None
|
|
|
|
Performance Impact
|
|
------------------
|
|
None or insignificant.
|
|
|
|
IPv6 Impact
|
|
-----------
|
|
None
|
|
|
|
Other Deployer Impact
|
|
---------------------
|
|
None
|
|
|
|
Developer Impact
|
|
----------------
|
|
None
|
|
|
|
Community Impact
|
|
----------------
|
|
None
|
|
|
|
Alternatives
|
|
------------
|
|
None
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
yangxurong
|
|
|
|
Work Items
|
|
----------
|
|
1. The implementation for ovs agent. See [2]
|
|
2. Functional tests.
|
|
3. Implementations for other affected agents.
|
|
|
|
Dependencies
|
|
============
|
|
None
|
|
|
|
Testing
|
|
=======
|
|
|
|
Tempest Tests
|
|
-------------
|
|
None
|
|
|
|
Functional Tests
|
|
----------------
|
|
Functional test is required.
|
|
|
|
API Tests
|
|
---------
|
|
None
|
|
|
|
Documentation Impact
|
|
====================
|
|
|
|
User Documentation
|
|
------------------
|
|
None
|
|
|
|
|
|
Developer Documentation
|
|
-----------------------
|
|
None
|
|
|
|
|
|
References
|
|
==========
|
|
[1] https://bugs.launchpad.net/neutron/+bug/1359523
|
|
[2] https://review.openstack.org/#/c/118274/
|
|
[3] http://lwn.net/Articles/370152/
|
|
|
|
|