neutron/doc/source/admin/deploy-lb.rst
Rodolfo Alonso Hernandez 960b810eac Document Linux Bridge compatibility with "nftables"
Until the migration to the new native "nftables" API is completed,
the Neutron Linux Bridge mechanism driver can work with:
- The legacy binaries ("iptables", "ip6tables", "arptables" and
  "ebtables").
- The "nftables" legacy API tools. The "ipset" tool is not compatible
  with "nftables" and must be disabled.

Closes-Bug: #1915341
Related-Bug: #1508155
Related-Bug: #1922892

Change-Id: I10ef4e9124ba8f243680acde506eebc586c2f9a7
2021-04-09 08:23:03 +00:00

Linux bridge mechanism driver

The Linux bridge mechanism driver uses only Linux bridges and veth pairs as interconnection devices. A layer-2 agent manages Linux bridges on each compute node and any other node that provides layer-3 (routing), DHCP, metadata, or other network services.

Compatibility with nftables

nftables replaces iptables, ip6tables, arptables and ebtables in order to provide a single API for all Netfilter operations. nftables also ships a backwards-compatibility set of tools for the replaced binaries; these present the legacy API to the user while using the new packet classification framework underneath. As reported in LP#1915341 and LP#1922892, the ebtables-nft tool is not fully compatible with the legacy API and returns errors for some commands. To use the Linux Bridge mechanism driver on newer operating systems that default to nftables, the legacy ebtables tool must be selected:

# /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Since LP#1922127 and LP#1922892 were fixed, the Neutron Linux Bridge mechanism driver is compatible with the nftables binaries that use the legacy API.

Note

To avoid terminology confusion, these are the three available Netfilter framework alternatives:

  • The legacy binaries (iptables, ip6tables, arptables and ebtables) that use the legacy API.
  • The new nftables binaries that use the legacy API, provided to help in the transition to the new framework. They accept the same commands as the legacy binaries but run them through the new framework. These binaries have the same names with an -nft suffix.
  • The new nftables framework using the new API. All Netfilter operations are executed through this new API and one single binary, nft.

Currently we support only the first two options. The migration (total or partial) to the new API is tracked in LP#1508155.

To use the nftables binaries with the legacy API, run the following commands.

# /usr/bin/update-alternatives --set iptables /usr/sbin/iptables-nft
# /usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# /usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-nft
# /usr/bin/update-alternatives --set arptables /usr/sbin/arptables-nft

The ipset tool is not compatible with nftables. To disable it, set enable_ipset to False in the [securitygroup] section of the ML2 plugin configuration file /etc/neutron/plugins/ml2/ml2_conf.ini.

[securitygroup]
# ...
enable_ipset = False
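As an added example (not part of the Neutron documentation or code base), this POSIX shell script audits a node against the two supported configurations described above: it classifies each resolved tool path by its -legacy or -nft suffix, rejects mixed or unrecognised backends, and, when the -nft backend is selected, confirms that enable_ipset is False in the [securitygroup] section of ml2_conf.ini. The function names are mine, and the script assumes update-alternatives leaves symlinks that resolve to the suffixed binary names shown in the commands above.

```shell
#!/bin/sh
# Added example (not Neutron code): audit a node against the two supported
# Netfilter setups, all-legacy or all *-nft with enable_ipset = False. Assumes
# update-alternatives symlinks resolve to -legacy or -nft suffixed names.
# backend_of PATH: "nft", "legacy" or "unknown" from the resolved binary name.
backend_of() {
    case "$1" in
        *-nft)    echo nft ;;
        *-legacy) echo legacy ;;
        *)        echo unknown ;;
    esac
}

# check_backends PATH...: print the common backend; fail on unknown or mixed.
check_backends() {
    first=""
    for path in "$@"; do
        b=$(backend_of "$path")
        if [ "$b" = unknown ]; then echo "unsupported tool: $path" >&2; return 1; fi
        if [ -z "$first" ]; then first=$b; fi
        if [ "$b" != "$first" ]; then echo "mixed backends: $*" >&2; return 1; fi
    done
    echo "$first"
}

# ipset_disabled FILE: succeed only if [securitygroup] enable_ipset = False
# (last assignment wins; a missing key keeps Neutron's default True).
ipset_disabled() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
        sect == "[securitygroup]" && $1 ~ /^[ \t]*enable_ipset[ \t]*$/ {
            val = tolower($2); gsub(/[ \t]/, "", val)
        }
        END { if (val == "false") exit 0; exit 1 }
    ' "$1"
}

# audit_host: run both checks on the live node (tools on PATH, ML2 config readable).
audit_host() {
    for tool in iptables ip6tables ebtables arptables; do
        bin=$(command -v "$tool") || { echo "$tool not installed" >&2; return 1; }
        set -- "$@" "$(readlink -f "$bin")"
    done
    backend=$(check_backends "$@") || return 1
    if [ "$backend" = nft ] && ! ipset_disabled /etc/neutron/plugins/ml2/ml2_conf.ini; then
        echo "nft backend selected but enable_ipset is not False" >&2; return 1
    fi
    echo "ok: $backend backend"
}
```

Source the file on the node and call audit_host; a non-zero exit with the message on stderr tells you which of the two supported setups the host fails to match.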

  • deploy-lb-provider
  • deploy-lb-selfservice
  • deploy-lb-ha-vrrp