[RFE][fwaas][OVN]support l3 firewall for ovn driver

Bug #1971958 reported by Liu Xie
Affects: neutron
Status: Triaged
Importance: Undecided
Assigned to: Liu Xie

Bug Description

As the neutron-fwaas project is being maintained again, and OVN has become one of the main drivers for the neutron project, maybe we could implement an L3 firewall for the OVN driver.

Liu Xie (liushy)
tags: added: fwaas
tags: added: rfe
Lajos Katona (lajos-katona) wrote :

We discussed this RFE during the drivers meeting (see [1]) and agreed that this is a good idea, but we would like you to add some extra details and the exact goals to have clear direction and see if it is possible with OVN.

[1]: https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-05-13-14.01.log.html#l-14

tags: added: rfe-approved
Lajos Katona (lajos-katona) wrote :

I created a blueprint for this RFE:
https://blueprints.launchpad.net/neutron/+spec/support-l3-firewall-for-ovn-driver

Please reference the blueprint also in your commit messages, not only this RFE, example:
Partially-Implements: blueprint support-l3-firewall-for-ovn-driver

Changed in neutron:
status: New → Triaged
Liu Xie (liushy) wrote :

I have tested L3 ACLs with the OVN backend. It works fine when putting any stateless ACLs on the LRP which is the gateway of a subnet.
So we could implement a driver with the OVN backend by transforming firewall rules into stateless ACLs for the LRP.
Does anyone have other opinions?

ZhouHeng (zhouhenglc) wrote :

Is it only effective in the gateway subnet? What about the internal subnet interface?

Liu Xie (liushy) wrote :

@ZhouHeng
We tested it using the gateway port of an internal subnet.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-fwaas (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-fwaas/+/845756

Liu Xie (liushy)
Changed in neutron:
assignee: nobody → Liu Xie (liushy)
Liu Xie (liushy) wrote :

This patch [1] uses stateless ACLs, but the drop action in the OVN implementation is also stateful; it will cause a problem when we use the drop action.
We are trying to implement a new action that supports stateless drop in OVN, which could solve this problem.
Currently, it only works well with stateless security if this patch is used.

[1] https://review.opendev.org/c/openstack/neutron-fwaas/+/845756
