Open vSwitch-based Security Groups: Open vSwitch Implementation of FirewallDriver

Registered by Amir Sadoughi on 2013-10-30

Purpose: To support the security groups extension in the OVS neutron agent by programming OVS flows through the existing OVS library, with feature parity to the existing iptables-based implementations. Because the standalone openvswitch plugin is being deprecated in Icehouse, the blueprint targets the ML2 plugin with the openvswitch mechanism driver.

Current neutron.agent.firewall.FirewallDriver implementations are based on iptables (neutron/agent/linux/iptables_firewall.py: IptablesFirewallDriver, OVSHybridIptablesFirewallDriver). This blueprint describes a FirewallDriver subclass that enforces the same security group rules with Open vSwitch flows instead.
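The following is an added illustration of what such a driver has to do, not the blueprint's code and not neutron's FirewallDriver API: it turns neutron-style security group rule dicts into ovs-ofctl flow strings, decomposes port ranges into masked matches (OpenFlow has no range match), pins each flow to the port's own MAC and IP for anti-spoofing, and, for TCP, emits the stateless reply flows that depend on the tcp_flags match OVS 2.1 added (the dependency noted in the whiteboard). The table number, priorities, the default-drop layout, the source_port_range_min/max fields and the sample port and rules are assumptions chosen for the example.

```python
"""Security-group rule -> Open vSwitch flow translation.

Added example for this blueprint page; it is not the blueprint's
implementation and not neutron's FirewallDriver API. Assumptions: one
flow table (TABLE), fixed priorities, ovs-ofctl match syntax, and the
tcp_flags match OVS 2.1 added (used for the stateless reply flows).
"""
import itertools

TABLE = 0            # assumption: all port filtering lives in one table
PRIORITY = 100       # assumption: accept flows
REPLY_PRIORITY = 90  # assumption: stateless TCP reply flows
DROP_PRIORITY = 1    # assumption: per-port default deny, above priority-0 NORMAL


def port_range_to_masks(lo, hi):
    """Split the inclusive range [lo, hi] into (value, mask) pairs for a
    'tp_dst=value/mask' match: OpenFlow has no port-range match, so a
    range becomes the minimal set of aligned power-of-two blocks."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("bad port range %r-%r" % (lo, hi))
    pairs, cur = [], lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((cur, 0xFFFF & ~(size - 1)))
        cur += size
    return pairs


def _port_clauses(key, lo, hi):
    """List of match-clause lists for an optional port range; [[]] = any."""
    if lo is None:
        return [[]]
    return [[f"{key}={v}" if m == 0xFFFF else f"{key}=0x{v:04x}/0x{m:04x}"]
            for v, m in port_range_to_masks(lo, hi if hi is not None else lo)]


def _endpoint(toward_vm, port, remote, src_key, dst_key):
    """Match clauses and action for traffic toward / away from the VM.
    Both directions pin the packet to the port's own MAC and IP, the
    anti-spoofing half of what the iptables driver provides."""
    if toward_vm:
        m = [f"dl_dst={port['mac']}", f"{dst_key}={port['ip']}"]
        if remote:
            m.append(f"{src_key}={remote}")
        return m, f"output:{port['ofport']}"
    m = [f"in_port={port['ofport']}", f"dl_src={port['mac']}", f"{src_key}={port['ip']}"]
    if remote:
        m.append(f"{dst_key}={remote}")
    return m, "NORMAL"


def rule_to_flows(rule, port):
    """ovs-ofctl flow strings for one neutron-style rule on one VM port.

    rule keys: direction, ethertype, protocol, port_range_min/max,
    remote_ip_prefix, plus source_port_range_min/max (review 62129).
    port keys: ofport, mac, ip.
    """
    v6 = rule["ethertype"] == "IPv6"
    proto = rule.get("protocol")
    l4 = {None: "ipv6" if v6 else "ip", "tcp": "tcp6" if v6 else "tcp",
          "udp": "udp6" if v6 else "udp", "icmp": "icmp6" if v6 else "icmp"}[proto]
    src_key, dst_key = ("ipv6_src", "ipv6_dst") if v6 else ("nw_src", "nw_dst")
    ingress = rule["direction"] == "ingress"
    remote = rule.get("remote_ip_prefix")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    slo, shi = rule.get("source_port_range_min"), rule.get("source_port_range_max")

    if proto in ("tcp", "udp"):
        l4_combos = itertools.product(_port_clauses("tp_dst", lo, hi), _port_clauses("tp_src", slo, shi))
    elif proto == "icmp" and lo is not None:   # neutron stores ICMP type/code in the range fields
        l4_combos = [([f"icmp_type={lo}"] + ([f"icmp_code={hi}"] if hi is not None else []), [])]
    else:
        l4_combos = [([], [])]

    fixed, action = _endpoint(ingress, port, remote, src_key, dst_key)
    flows = [",".join([f"table={TABLE}", f"priority={PRIORITY}", l4] + fixed + d + s) + f",actions={action}"
             for d, s in l4_combos]

    if proto == "tcp":
        # Stateless return path: replies carry the accepted port as their
        # source port and have ACK set. A bare SYN does not match, so the
        # reverse direction cannot be opened this way, but a forged ACK-set
        # packet does pass: this is the gap that OVS conntrack closes.
        fixed, action = _endpoint(not ingress, port, remote, src_key, dst_key)
        for s, d in itertools.product(_port_clauses("tp_src", lo, hi), _port_clauses("tp_dst", slo, shi)):
            flows.append(",".join([f"table={TABLE}", f"priority={REPLY_PRIORITY}", l4] + fixed + s + d
                                  + ["tcp_flags=+ack"]) + f",actions={action}")
    return flows


def default_drop_flows(port):
    """Per-port default deny: anything no accept or reply flow matched is
    dropped, instead of falling through to the switch's NORMAL action."""
    return [f"table={TABLE},priority={DROP_PRIORITY},in_port={port['ofport']},actions=drop",
            f"table={TABLE},priority={DROP_PRIORITY},dl_dst={port['mac']},actions=drop"]


# Constructed sample data (not from the page): one VM port and two rules.
PORT = {"ofport": 5, "mac": "fa:16:3e:00:00:01", "ip": "10.0.0.5"}
HTTP_IN = {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
           "port_range_min": 80, "port_range_max": 80, "remote_ip_prefix": "203.0.113.0/24"}
UDP_OUT = {"direction": "egress", "ethertype": "IPv4", "protocol": "udp",
           "port_range_min": 1024, "port_range_max": 2047}

if __name__ == "__main__":
    for f in rule_to_flows(HTTP_IN, PORT) + rule_to_flows(UDP_OUT, PORT) + default_drop_flows(PORT):
        print(f)
```

Each string is one `ovs-ofctl add-flow br-int` argument. The point a practitioner should take from the reply flows is the parity gap the whiteboard refers to: without connection tracking the driver can only approximate ESTABLISHED with `tcp_flags=+ack`, which is spoofable and has no UDP equivalent, so a UDP rule here is strictly one-directional.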

Blueprint information

Status:
Complete
Approver:
Mark McClain
Priority:
Medium
Drafter:
Amir Sadoughi
Direction:
Approved
Assignee:
Amir Sadoughi
Definition:
Obsolete
Series goal:
None
Implementation:
Deferred
Milestone target:
next
Completed by
Armando Migliaccio on 2015-10-20

Whiteboard

- 10/19/2015 (armax): I guess we'll get to this eventually. But it looks like this may need to go through the process once again.

- 11/27/2013 (amir-sadoughi): Working on a first draft approach to upload by next week (with flat networks).
- 12/6/2013 (amir-sadoughi): Basic prototype working at https://github.com/asadoughi/neutron/compare/master...ovs_firewall_driver. Rewriting a few things and working on a coherent document to explain design decisions and technical issues.
- 12/13/2013 (amir-sadoughi): Discussed blueprint at this past Wednesday's ML2 meeting. Going to have a follow-up meeting on Monday <https://wiki.openstack.org/wiki/Meetings#Neutron_blueprint_ovs-firewall-driver_Meeting>
- 12/16/2013 (amir-sadoughi): Held blueprint IRC meeting http://eavesdrop.openstack.org/meetings/blueprint_ovs_firewall_driver/2013/blueprint_ovs_firewall_driver.2013-12-16-20.00.html Further discussion will continue on the openstack-dev mailing list due to lower than expected attendance.
- 12/17/2013 (amir-sadoughi): Sent e-mail to openstack-dev ML to discuss potential security group API addition <http://lists.openstack.org/pipermail/openstack-dev/2013-December/022518.html> <https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver#Security_groups_extension_API_addition_discussion>
- 1/8/2014 (amir-sadoughi): Working on updating existing reviews 62129, 62130; Also, working on patch for "Firewall is invoked before local VLAN is assigned" described here: <https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver#ovs_neutron_agent_related_changes>.
- 2/11/2014 (amir-sadoughi): Move the series goal off of icehouse given the OVS release containing the necessary feature for this blueprint (tcp_flags in OVS 2.1.x) won't ship by code proposal deadline of 2/18; it's more likely to ship in March. <http://openvswitch.org/pipermail/discuss/2014-February/012997.html>.
- 4/3/2014 (amir-sadoughi): Re-opened work for blueprint now that juno-1 is open for development and OVS 2.1.0 is available.
- 4/27/2014 (amir-sadoughi): All previously existing patches have been restored/rebased. Also, blueprint re-filed under neutron-specs repo (WIP) <https://review.openstack.org/#/c/89712/>. Working with vthapar to have working implementation uploaded to Gerrit by summit (next few weeks).
- 5/9/2014 (amir-sadoughi): Juno summit design session <http://junodesignsummit.sched.org/event/4205f2c4084e8a0c3bd8d420803ddf02#.U21rWq1dVus> this Thursday 11:50-12:30p. <https://etherpad.openstack.org/p/juno-neutron-modular-l2-agent>.
- 5/28/2014 (amir-sadoughi): blueprint under review in neutron-specs repo, implementation ongoing.

Gerrit topic: https://review.openstack.org/#q,topic:bp/ovs-firewall-driver,n,z

Addressed by: https://review.openstack.org/62129
    Added source-port-range-{min,max} to sec. groups

Addressed by: https://review.openstack.org/62130
    Added --source-port-range-min, --source-port-range-max

Addressed by: https://review.openstack.org/65557
    Assign local VLANs before port filters

Addressed by: https://review.openstack.org/67316
    Add Open vSwitch cookie support to ovs_neutron_agent

Addressed by: https://review.openstack.org/89712
    Open vSwitch-based Security Groups: OVS FirewallDriver

- 5/29/2014 (mestery): Moving to Juno-2, the BP isn't approved yet and even if it was, code landing in less than two weeks for this is unrealistic.
- 6/13/2014 (amir-sadoughi): Postponing blueprint implementation until K-cycle. I don't think it will be possible to implement and have merged all the new requirements in the Juno timeframe given the current pace. With the K-cycle, we will have access to connection tracking in OVS and the number of changes surrounding the blueprint to get this done will be much fewer and less controversial.
