<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-CN" link="#0563C1" vlink="#954F72" style="text-justify-trim:punctuation">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Nova currently allows us to filter instances by fixed IP address(es). This feature is known to be useful in an operational scenario that cloud administrators detect abnormal traffic in an IP address and want to trace
down to the instance that this IP address belongs to. This feature works well except a limitation that it only supports fixed IP address(es). In the real operational scenarios, cloud administrators might find that the abused IP address is a floating IP and
want to do the filtering in the same way as fixed IP.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Right now, unfortunately, the experience is diverged between these two classes of IP address. Cloud administrators need to deploy the logic to (i) detect the class of IP address (fixed or floating), (ii) use nova’s IP
filter if the address is a fixed IP address, (iii) do manual filtering if the address is a floating IP address. I wonder if nova team is willing to accept an enhancement that makes the IP filter support both. Optimally, cloud administrators can simply pass
the abused IP address to nova and nova will handle the heterogeneity.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In term of implementation, I expect the change is small. After this patch [1], Nova will query Neutron to compile a list of ports’ device_ids (device_id is equal to the uuid of the instance to which the port binds) and
use the device_ids to query the instances. If Neutron returns an empty list, Nova can give a second try to query Neutron for floating IPs. There is a RFE [2] and POC [3] for proposing to add a device_id attribute to the floating IP API resource. Nova can leverage
this attribute to compile a list of instances uuids and use it as filter on listing the instances.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">If this feature is implemented, will it benefit the general community? Finally, I also wonder how others are tackling a similar problem. Appreciate your feedback.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[1] <a href="https://review.openstack.org/#/c/525505/">
https://review.openstack.org/#/c/525505/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[2] <a href="https://bugs.launchpad.net/neutron/+bug/1723026">
https://bugs.launchpad.net/neutron/+bug/1723026</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">[3] <a href="https://review.openstack.org/#/c/534882/">
https://review.openstack.org/#/c/534882/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hongbin<o:p></o:p></span></p>
</div>
</body>
</html>