<div dir="ltr"><div id="gmail-magicdomid2" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">Hello Neutrinos: </span></div><div id="gmail-magicdomid3" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h"> </span></div><div id="gmail-magicdomid486" class="gmail-ace-line"><span class="gmail-author-a-1z73zz76zz88zprz70zz82zyz83zz71zg2z78z7h">D</span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">uring
 Wallaby I've been working on enabling "nftables" support in Neutron. 
The goal was to use the new Netfilter framework replacing the legacy 
tools ("iptables", "ip6tables", "arptables" and "ebtables").</span></div><div id="gmail-magicdomid488" class="gmail-ace-line"><br></div><div id="gmail-magicdomid834" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">Because
 each namespace has its own Netfilter process, isolated from other 
namespaces, the migration process could be segmented into several tasks: 
dnat, fip, router, dhcp, metadata, Linux Bridge FW and OVS hybrid FW (I 
think I'm not missing anything here).</span></div><div id="gmail-magicdomid836" class="gmail-ace-line"><br></div><div id="gmail-magicdomid2080" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">When
 swapping to the new "nftables" framework, we can use the legacy API 
tools provided. Those tools provide a smooth transition to the new 
tooling (we found some differences that are now solved). That means we 
can keep the current code while using "nftables".</span></div><div id="gmail-magicdomid2082" class="gmail-ace-line"><br></div><div id="gmail-magicdomid2193" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">Please read [3], which explains the three available "Netfilter" framework alternatives, before reading the next paragraph.</span></div><div id="gmail-magicdomid1198" class="gmail-ace-line"><br></div><div id="gmail-magicdomid1498" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">I
 started creating a "nft" (the "nftables" native binary) parser [1] to 
implement an NFtablesManager class, the same as IPtablesManager. But soon I 
found that the transition to the new API is not that easy. This is not 
only a matter of creating the equivalent rule in the "nft" API but also of considering how those rules are handled in "nftables". Other problems found when using the new "nft" API:</span></div><div id="gmail-magicdomid1723" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">-
 The "--checksum-fill" command used in OVN metadata and DHCP namespace 
has no equivalent in "nft". That means old DHCP servers incorrectly 
calculating the packet checksum or DPDK environments won't work correctly.</span></div><div id="gmail-magicdomid2390" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">-
 The "ipset" tool, used to group IP addresses and reduce the LB FW rule 
size, can be converted into a "map" [3]. The problem is this is only 
understood by the new API, not the "nftables" binaries using the legacy 
API.</span></div><div id="gmail-magicdomid2062" class="gmail-ace-line"><br></div><div id="gmail-magicdomid2407" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">In a nutshell, what is the current status? We support (a) legacy tools and (b) "nftables" binaries with legacy API. This is the list of patches enabling the second option:</span></div><div id="gmail-magicdomid2573" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">- </span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/784913" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/784913</a></span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">: this problem was affecting LB FW when "ipset" was disabled (merged).</span></div><div id="gmail-magicdomid2563" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">- </span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/785177" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/785177</a></span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">: reorder the "ebtables" rules and prevent execution error 4 with empty chains.</span></div><div id="gmail-magicdomid2713" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">- </span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/785144" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/785144</a></span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">:
 this patch, on top of the other two, creates two new 
neutron-tempest-plugin CI jobs, based on "linuxbridge" and 
"openvswitch-iptables_hybrid", to test the execution with the new 
binaries.</span></div><div id="gmail-magicdomid2819" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">- </span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/775413" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/775413</a></span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">: this patch tests what is implemented in the previous one, but with those jobs running in the "check" queue (it is a DNM patch just for testing).</span></div><div id="gmail-magicdomid1990" class="gmail-ace-line"><br></div><div id="gmail-magicdomid3076" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">About the third option, to 
support the native "nft" API, I don't know if we now have the resources 
(time) and the need for that. This could be discussed again in the next 
PTG and in this mail too.</span></div><div id="gmail-magicdomid3066" class="gmail-ace-line"><br></div><div id="gmail-magicdomid3073" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">Regards.</span></div><div id="gmail-magicdomid150" class="gmail-ace-line"><br></div><div id="gmail-magicdomid2088" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">[1]</span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/759874" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/759874</a></span></div><div id="gmail-magicdomid2090" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">[2]</span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/785137/3/doc/source/admin/deploy-lb.rst" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/785137/3/doc/source/admin/deploy-lb.rst</a></span></div><div id="gmail-magicdomid2086" class="gmail-ace-line"><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06">[3]</span><span class="gmail-author-a-5ejz67z2ffz76zz80zh63rm06 gmail-url"><a href="https://review.opendev.org/c/openstack/neutron/+/775413/10/neutron/agent/linux/ipset_manager.py" rel="noreferrer noopener">https://review.opendev.org/c/openstack/neutron/+/775413/10/neutron/agent/linux/ipset_manager.py</a></span></div><div id="gmail-magicdomid2087" class="gmail-ace-line"><br></div><div id="gmail-magicdomid2038" class="gmail-ace-line"><br><br></div></div>
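Two small helpers, added here as an illustration and not taken from the mail or from Neutron: one classifies `iptables -V` output to tell which of the two supported variants (legacy xtables, or the nftables binaries driven through the legacy API) a host actually runs; the other renders an ipset member list as the native `nft` statements for an equivalent set, the conversion the mail mentions for [3] (a plain set rather than a map, since the members are only matched, not mapped to a value). The sample version strings, the set name and the `inet`/`filter` table names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the shape printed by "iptables -V" (made up for
# this example; the versions are not taken from the mail).
SAMPLE_VERSION_LINES = [
    "iptables v1.8.7 (nf_tables)",  # nftables binary driven through the legacy API
    "ip6tables v1.8.7 (legacy)",    # the old xtables binary
    "iptables v1.6.1",              # pre-1.8: only one implementation existed
]
_VERSION_RE = re.compile(
    r"^ip6?tables v(\d+)\.(\d+)(?:\.\d+)?(?: \((nf_tables|legacy)\))?\s*$")

def detect_netfilter_backend(version_line):
    """Return 'nf_tables' or 'legacy' for one line of 'iptables -V' output.
    1.8+ binaries print the backend in parentheses; older ones print nothing."""
    m = _VERSION_RE.match(version_line)
    if not m:
        raise ValueError("unrecognised version line: %r" % version_line)
    major, minor, backend = int(m.group(1)), int(m.group(2)), m.group(3)
    if backend:
        return backend
    if (major, minor) < (1, 8):  # before 1.8 there was no nf_tables variant
        return "legacy"
    raise ValueError("1.8+ binary without a backend tag: %r" % version_line)

def ipset_to_nft(set_name, members, family="inet", table="filter"):
    """Render an ipset hash:net member list as nft script lines that create an
    equivalent set. The "inet"/"filter" names are assumptions for this example.
    An nft set has a single element type, so mixed IPv4/IPv6 members are refused."""
    nets = [ipaddress.ip_network(m, strict=False) for m in members]
    versions = {n.version for n in nets}
    if len(versions) != 1:
        raise ValueError("ipset members must share one address family")
    elem_type = "ipv4_addr" if versions == {4} else "ipv6_addr"
    # Host entries are printed without the /32 or /128 suffix, as ipset shows them.
    elements = ", ".join(
        str(n) if n.prefixlen < n.max_prefixlen else str(n.network_address)
        for n in nets)
    return [
        "add set %s %s %s { type %s; flags interval; }"
        % (family, table, set_name, elem_type),
        "add element %s %s %s { %s }" % (family, table, set_name, elements),
    ]

if __name__ == "__main__":
    for line in SAMPLE_VERSION_LINES:
        print("%-30s -> %s" % (line, detect_netfilter_backend(line)))
    print("\n".join(ipset_to_nft("sg_web_v4", ["10.0.0.0/24", "192.168.1.5"])))
```

The emitted lines can be fed to `nft -f` as a script; the `flags interval` makes the set accept both prefixes and single hosts, which is what an ipset `hash:net` holds.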