[Doc] Add section about diffs between ovs and iptables fw drivers

And add note about different handling of packets marked as INVALID
by both those drivers.

Change-Id: I3d436289073e95312e5f5077acabd136266b9e8a
Closes-Bug: #1896587
Slawek Kaplonski 2020-10-02 13:26:27 +02:00
parent 6ccfc34227
commit f57b59a179


@ -67,3 +67,25 @@ kernel modules at boot time, for example, ``/etc/modules``. Check with your
distribution for further information. distribution for further information.
This isn't necessary to use ``gre`` tunnel network type Neutron. This isn't necessary to use ``gre`` tunnel network type Neutron.
Differences between OVS and iptables firewall drivers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Both OVS and iptables firewall drivers should always behave in the same way if
the same rules are configured for the security group. But in some cases that is
not true and there may be slight differences between those drivers.
+----------------------------------------+-----------------------+-----------------------+
| Case | OVS | iptables |
+========================================+=======================+=======================+
| Traffic marked as INVALID by conntrack | Blocked | Allowed because it |
| but matching some of the SG rules | | first matches SG rule,|
| (please check [1]_ and [2]_ | | never reaches rule to |
| for details) | | drop invalid packets |
+----------------------------------------+-----------------------+-----------------------+
References
~~~~~~~~~~
.. [1] https://bugs.launchpad.net/neutron/+bug/1460741
.. [2] https://bugs.launchpad.net/neutron/+bug/1896587
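Review bot: the iptables column of the table states the outcome but leaves the mechanism implicit; it would help to say in the "iptables" cell or in the sentence above the table that iptables chains are evaluated top-down, so a packet that matches a security-group accept rule is accepted before it reaches the later rule that drops conntrack INVALID packets, whereas the OVS driver drops INVALID traffic regardless of any matching SG rule. The section should also state explicitly which behaviour is the intended one, so an operator reading this page knows whether the "Allowed" column describes a known bug tracked in [2]_ or an accepted difference, instead of having to infer that from the two Launchpad links. Minor style point: "please check [1]_ and [2]_ for details" reads better as "see [1]_ and [2]_ for details".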