This patch adds info about how multicast traffic is treated by the openvswitch and iptables based firewall drivers.

Patch [1] was trying to fix the behaviour of the OVS based driver to make it similar to how the iptables driver works, but it introduced bug [2], which we weren't able to fix without basically disabling what [1] did for some ports on the compute nodes. So based on that we decided to revert [1] - it is done in [3] - and to document the different behaviour between those 2 firewall drivers, which is done by this patch.

[1] https://review.opendev.org/#/c/748719/
[2] https://bugs.launchpad.net/neutron/+bug/1899967
[3] https://review.opendev.org/#/c/759555/

Change-Id: If8a56579c62f58befdc57f5916a5763e9fb99531
Related-Bug: #1899967
Related-Bug: #1889631
Native Open vSwitch firewall driver
Historically, Open vSwitch (OVS) could not interact directly with
iptables to implement security groups. Thus, the OVS agent and
Compute service use a Linux bridge between each instance (VM) and the
OVS integration bridge br-int
to implement security groups.
The Linux bridge device contains the iptables rules pertaining
to the instance. In general, additional components between instances and
physical network infrastructure cause scalability and performance
problems. To alleviate such problems, the OVS agent includes an optional
firewall driver that natively implements security groups as flows in OVS
rather than the Linux bridge device and iptables. This
increases scalability and performance.
Configuring heterogeneous firewall drivers
L2 agents can be configured to use differing firewall drivers. There is no requirement that they all be the same. If an agent lacks a firewall driver configuration, it will default to what is configured on its server. This also means there is no requirement that the server has any firewall driver configured at all, as long as the agents are configured correctly.
Prerequisites
The native OVS firewall implementation requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer.
- Kernel version 4.3 or newer includes conntrack support.
- Kernel version 3.3, but less than 4.3, does not include conntrack support and requires building the OVS modules.
Enable the native OVS firewall driver
On nodes running the Open vSwitch agent, edit the openvswitch_agent.ini file and enable the firewall driver:

```ini
[securitygroup]
firewall_driver = openvswitch
```
For more information, see the Open vSwitch firewall developer documentation (/contributor/internals/openvswitch_firewall) and the video.
Using GRE tunnels inside VMs with OVS firewall driver
If GRE tunnels from VM to VM are going to be used, the native OVS
firewall implementation requires nf_conntrack_proto_gre
module to be loaded in the kernel on nodes running the Open vSwitch
agent. It can be loaded with the command:
```
# modprobe nf_conntrack_proto_gre
```

Some Linux distributions have files that can be used to automatically load kernel modules at boot time, for example /etc/modules. Check with your distribution for further information.

Loading this module is not necessary in order to use the gre tunnel network type in Neutron itself; it is only needed when GRE tunnels are terminated inside the VMs.
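The checks implied by the prerequisites, the configuration step and the GRE module note above, collected into one script. This is an added example, not part of the Neutron documentation or code base. It assumes (not stated on the page) the default ini path /etc/neutron/plugins/ml2/openvswitch_agent.ini and uses `ovs-vsctl --version`, `uname -r` and /proc/modules as the version and module sources; every check takes plain text, so it also runs offline on the constructed sample input embedded below.

```python
# Added example, not Neutron's own code: sanity-check a node before enabling the
# native OVS firewall driver, following the prerequisites and steps above.
# Assumptions (not from the page): the default ini path below, and the commands
# `ovs-vsctl --version` / `uname -r` as the version sources.
import configparser
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample inputs, used when no live node is available.
SAMPLE_INI = """[securitygroup]
firewall_driver = openvswitch
"""
SAMPLE_PROC_MODULES = (
    "nf_conntrack_proto_gre 16384 0 - Live 0xffffffffc0a00000\n"
    "openvswitch 155648 0 - Live 0xffffffffc09c0000\n"
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted numeric version in text, e.g. (2, 13, 3) from
    'ovs-vsctl (Open vSwitch) 2.13.3' or (5, 4, 0) from '5.4.0-120-generic'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def ovs_version_ok(ovs_version_output: str) -> bool:
    """All cases require Open vSwitch 2.5 or newer."""
    v = parse_version(ovs_version_output)
    return v is not None and v >= (2, 5)


def kernel_conntrack_status(kernel_release: str) -> str:
    """Classify the kernel as the prerequisites do:
    'native'            4.3 or newer, conntrack support is included;
    'needs-ovs-modules' 3.3 or newer but older than 4.3, build the OVS modules;
    'unsupported'       anything older, or an unparsable release string."""
    v = parse_version(kernel_release)
    if v is None or v < (3, 3):
        return "unsupported"
    return "native" if v >= (4, 3) else "needs-ovs-modules"


def firewall_driver_from_ini(ini_text: str) -> Optional[str]:
    """[securitygroup] firewall_driver from openvswitch_agent.ini, or None when
    the agent will fall back to whatever the server has configured."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get("securitygroup", "firewall_driver", fallback=None)


def gre_conntrack_loaded(proc_modules_text: str) -> bool:
    """True when nf_conntrack_proto_gre is listed in /proc/modules content."""
    return any(line.split()[0] == "nf_conntrack_proto_gre"
               for line in proc_modules_text.splitlines() if line.strip())


def check_node(ovs_version_output: str, kernel_release: str, ini_text: str,
               proc_modules_text: str, vm_gre_tunnels: bool) -> dict:
    """Combine the checks; 'ok' is True only when every prerequisite holds and
    the agent is actually configured for the openvswitch driver."""
    kernel = kernel_conntrack_status(kernel_release)
    driver = firewall_driver_from_ini(ini_text)
    gre_ok = gre_conntrack_loaded(proc_modules_text) if vm_gre_tunnels else True
    ovs_ok = ovs_version_ok(ovs_version_output)
    return {
        "ovs_ok": ovs_ok,
        "kernel": kernel,
        "firewall_driver": driver,
        "gre_module_ok": gre_ok,
        "ok": (ovs_ok and kernel != "unsupported"
               and driver == "openvswitch" and gre_ok),
    }


def _read(cmd=None, path=None) -> str:
    """Best-effort read of a command's stdout or a file; '' on any failure."""
    try:
        if cmd:
            return subprocess.run(cmd, capture_output=True, text=True,
                                  check=True).stdout
        with open(path) as fh:
            return fh.read()
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    live = check_node(
        _read(cmd=["ovs-vsctl", "--version"]),
        _read(cmd=["uname", "-r"]),
        _read(path="/etc/neutron/plugins/ml2/openvswitch_agent.ini"),
        _read(path="/proc/modules"),
        vm_gre_tunnels=True,
    )
    print("live node:", live)
    print("constructed sample:", check_node(
        "ovs-vsctl (Open vSwitch) 2.13.3", "5.4.0-120-generic",
        SAMPLE_INI, SAMPLE_PROC_MODULES, vm_gre_tunnels=True))
```

Run it on a compute node to get a single "ok" verdict; a kernel classified as needs-ovs-modules still passes, because the page only requires that the OVS kernel modules be built for that range, which this script cannot verify from the version string alone.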
Differences between OVS and iptables firewall drivers
Both the OVS and iptables firewall drivers should behave in the same way when the same rules are configured in a security group, but in some cases that is not true and there are slight differences between the two drivers.

| Case | OVS | iptables |
|---|---|---|
| Traffic marked as INVALID by conntrack but matching some of the SG rules (see notes 1 and 2 for details) | Blocked | Allowed, because it first matches an SG rule and never reaches the rule that drops invalid packets |
| Multicast traffic sent to the group 224.0.0.X (see note 3 for details) | Always allowed | Blocked; can be allowed by an SG rule |
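The two table rows come down to rule ordering: first match wins, and the drivers place the INVALID drop and the 224.0.0.X handling at different points relative to the security group rules. The following first-match evaluator is an added example, not Neutron's own code; its two chains are simplified models (an assumption), not the real iptables chains or OVS flow tables, and only the relative order of the SG rules, the INVALID drop and the 224.0.0.0/24 special case is taken from the table above.

```python
# Added example, not Neutron's own code: a first-match rule evaluator that
# models why the two drivers disagree on the cases in the table above. The
# chains are simplified models (assumption); only the relative order of the SG
# rules, the INVALID drop and the 224.0.0.0/24 handling follows the page.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    dst: str       # destination IPv4 address
    proto: str     # "tcp" or "udp"
    dport: int
    ct_state: str  # conntrack verdict: "new", "established" or "invalid"


# (rule name, match predicate, verdict)
Rule = Tuple[str, Callable[[Packet], bool], str]
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")


def sg_rules(rules: Iterable[Tuple[str, int]]) -> List[Rule]:
    """Turn (proto, port) security-group rules into ACCEPT rules."""
    return [(f"sg:{p}/{port}",
             lambda pkt, p=p, port=port: pkt.proto == p and pkt.dport == port,
             "ACCEPT") for p, port in rules]


def ovs_chain(rules: Iterable[Tuple[str, int]]) -> List[Rule]:
    """Native OVS driver model: invalid traffic is dropped before any SG rule
    is consulted, and 224.0.0.X multicast is allowed regardless of SG rules."""
    return [
        ("drop-invalid", lambda p: p.ct_state == "invalid", "DROP"),
        ("accept-established", lambda p: p.ct_state == "established", "ACCEPT"),
        ("allow-224.0.0.x",
         lambda p: ipaddress.ip_address(p.dst) in LINK_LOCAL_MCAST, "ACCEPT"),
    ] + sg_rules(rules)


def iptables_chain(rules: Iterable[Tuple[str, int]]) -> List[Rule]:
    """iptables driver model: SG rules come first, the INVALID drop comes after
    them, and there is no special case for multicast."""
    return [
        ("accept-established", lambda p: p.ct_state == "established", "ACCEPT"),
    ] + sg_rules(rules) + [
        ("drop-invalid", lambda p: p.ct_state == "invalid", "DROP"),
    ]


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the DROP fallback."""
    for name, match, verdict in chain:
        if match(pkt):
            return verdict, name
    return "DROP", "fallback"


def compare(rules: List[Tuple[str, int]], pkt: Packet) -> Tuple[str, str]:
    """(OVS verdict, iptables verdict) for one packet under the same SG rules."""
    return (evaluate(ovs_chain(rules), pkt)[0],
            evaluate(iptables_chain(rules), pkt)[0])


if __name__ == "__main__":
    # Constructed packets, one per table row.
    allow_ssh = [("tcp", 22)]
    invalid_ssh = Packet("10.0.0.5", "tcp", 22, "invalid")
    mdns = Packet("224.0.0.251", "udp", 5353, "new")
    print("INVALID but matching SG rule:  ", compare(allow_ssh, invalid_ssh))
    print("224.0.0.251 with no SG rule:   ", compare(allow_ssh, mdns))
    print("224.0.0.251 with udp/5353 rule:", compare(allow_ssh + [("udp", 5353)], mdns))
```

The model also shows the boundary of the multicast exception: a packet to 224.0.1.1 is outside 224.0.0.0/24 and is dropped by both chains unless an SG rule allows it.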