Event report mechanism to security groups for dropped packets

Registered by Lionel Zerbib

The current implementation of security groups (using iptables) does not report packet drops in these scenarios:
    - Protecting against IP/MAC spoofing, i.e. connection attempts from a different MAC/IP address.
    - Dropping all packets that do not match an "allow" rule.

Event reporting can help detect misconfiguration, and it provides data for external applications that do network activity analysis and threat detection.

This blueprint proposes adding an event report mechanism to the security group definition.
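As an added illustration (not code from this blueprint or from Neutron), the kind of consumer such a mechanism would feed: if the iptables security-group chains carried LOG rules directly before their anti-spoofing and default DROP rules, the resulting kernel log lines could be turned into structured events and aggregated to spot a missing allow rule or a spoofing guest. The log prefixes, interface names and log lines below are constructed assumptions.

```python
import re
from collections import Counter

# Assumed log prefixes, set with "-j LOG --log-prefix" on rules placed directly
# before the corresponding DROP rules; they are not Neutron's real prefixes.
SPOOF_PREFIX = "SG-SPOOF-DROP: "
NOMATCH_PREFIX = "SG-DEFAULT-DROP: "
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed kernel log lines in the netfilter LOG format (not real captures).
LOGS = [
    "Jun 14 10:01:02 compute-1 kernel: SG-SPOOF-DROP: IN=tap1234abcd-ef OUT= "
    "MAC=fa:16:3e:aa:bb:cc:fa:16:3e:11:22:33:08:00 SRC=10.0.0.99 DST=10.0.0.7 "
    "LEN=60 PROTO=TCP SPT=43210 DPT=22",
    "Jun 14 10:01:03 compute-1 kernel: SG-DEFAULT-DROP: IN=tap1234abcd-ef OUT= "
    "MAC=fa:16:3e:aa:bb:cc:fa:16:3e:44:55:66:08:00 SRC=10.0.0.5 DST=10.0.0.7 "
    "LEN=60 PROTO=TCP SPT=51000 DPT=3306",
    "Jun 14 10:01:04 compute-1 kernel: unrelated message, not a drop",
    "Jun 14 10:01:05 compute-1 kernel: SG-DEFAULT-DROP: IN=tap1234abcd-ef OUT= "
    "MAC=fa:16:3e:aa:bb:cc:fa:16:3e:44:55:66:08:00 SRC=10.0.0.5 DST=10.0.0.7 "
    "LEN=60 PROTO=TCP SPT=51002 DPT=3306",
]

def parse_drop_event(line):
    """Turn one LOG line into an event dict; None if it is not an SG drop."""
    if SPOOF_PREFIX in line:
        reason, body = "spoofing", line.split(SPOOF_PREFIX, 1)[1]
    elif NOMATCH_PREFIX in line:
        reason, body = "no-allow-rule", line.split(NOMATCH_PREFIX, 1)[1]
    else:
        return None
    f = dict(FIELD_RE.findall(body))
    mac = f.get("MAC", "")  # netfilter writes MAC=dst(6 bytes):src(6 bytes):ethertype
    return {
        "reason": reason,
        "port": f.get("IN") or f.get("OUT"),  # interface named in the log line
        "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"), "dport": f.get("DPT"),
        "src_mac": mac[18:35] if len(mac) >= 35 else None,
    }

def summarize(lines):
    """Count events per (port, reason, dport): repeated default-deny drops on one
    port/dport suggest a missing allow rule; any spoofing drop flags the guest."""
    counts = Counter()
    for line in lines:
        ev = parse_drop_event(line)
        if ev is not None:
            counts[(ev["port"], ev["reason"], ev["dport"])] += 1
    return counts
```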

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
Lionel Zerbib
Direction:
Needs approval
Assignee:
Lionel Zerbib
Definition:
Superseded
Series goal:
Proposed for liberty
Implementation:
Beta Available
Milestone target:
None
Started by
Lionel Zerbib
Completed by
Armando Migliaccio

Related branches

Sprints

Whiteboard

There's https://bugs.launchpad.net/neutron/+bug/1468366 that overlaps with this one.

Gerrit topic: https://review.openstack.org/#q,topic:bp/security-groups-dropped-packets-event,n,z

Addressed by: https://review.openstack.org/169784
    RST for blueprint security-groups-dropped-packets-event

Addressed by: https://review.openstack.org/173310
    Add events on dropped packet by security groups firewall.


Work Items
