add conntrack management to security group

Registered by shihanzhang on 2014-09-20

when L2 agent use OVSHybridIptablesFirewallDriver, the IP connection tracking will work, but there is a serious issue for security group, if a security group has a rule witch allow another security group ingress, when two VMs in these two security group, they keep communitcate, then delete this rule, these two VMs still can communitcate.
we can use utils of 'conntrack' to manager the IP connection

Blueprint information

Status:
Complete
Approver:
Kyle Mestery
Priority:
Medium
Drafter:
shihanzhang
Direction:
Approved
Assignee:
shihanzhang
Definition:
Approved
Series goal:
Accepted for liberty
Implementation:
Implemented
Milestone target:
milestone icon 7.0.0
Started by
Kyle Mestery on 2015-01-07
Completed by
shihanzhang on 2015-08-28

Related branches

Sprints

Whiteboard

Auguest-26 (mestery): Is this complete for Liberty now?

March-19 (mestery): Out of Kilo, we'll revisit in Liberty. Thanks!

February-3 (mestery): Moving to Kilo-3.

December-3 (mestery): Approving, marking as Kilo-2 for now.

(mestery): Please do not set milestones until the BP is approved in neutron-specs. Also, this needs a spec in neutron-specs.

Gerrit topic: https://review.openstack.org/#q,topic:bp/conntrack-in-security-group,n,z

Addressed by: https://review.openstack.org/137140 (Merged)
    Add support for conntrack zones

https://review.openstack.org/#/c/118274/
    Use iptables zone to seperate different conntrack

the other patch will commit as soon as possible!

Gerrit topic: https://review.openstack.org/#q,topic:bug/1359523,n,z

Addressed by: https://review.openstack.org/146778 (Abandoned)
    add conntrack-tool to manage security group

Addressed by: https://review.openstack.org/147713
    Add conntrack-tool to manage security group

Addressed by: https://review.openstack.org/118274
    Use iptables zone to seperate different conntrack

Gerrit topic: https://review.openstack.org/#q,topic:bug/1374473,n,z

Addressed by: https://review.openstack.org/211492
    Merge remote-tracking branch 'origin/master' into merge-branch

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.