Hello Neutrinos:

During Wallaby I've been working on enabling "nftables" support in Neutron. The goal was to use the new Netfilter framework replacing the legacy tools ("iptables", "ip6tables", "arptables" and "ebtables").

Because each namespace has its own Netfilter process, isolated from other namespaces, the migration process could be segmented in several tasks: dnat, fip, router, dhcp, metadata, Linux Bridge FW and OVS hybrid FW (I think I'm not missing anything here).

When swapping to the new "nftables" framework, we can use the legacy API tools provided. Those tools provide a smooth transition to the new tooling (we found some differences that are now solved). That means we can keep the current code while using "nftables".

Please, read [3] before reading the next paragraph, which explains the three available "Netfilter" framework alternatives.

I started creating a "nft" (the "nftables" native binary) parser [1] to implement a NFtablesManager class, same as IPtablesManager. But soon I found that the transition to the new API is not that easy. This is not only a matter of creating the equivalent rule in the "nft" API but considering how those rules are handled in "nftables". Other problems found when using the new "nft" API:

- The "--checksum-fill" command used in OVN metadata and DHCP namespace has no equivalent in "nft". That means old DHCP servers incorrectly calculating the packet checksum or DPDK environments won't work correctly.
- "ipset" tool, used to group IP addresses and reduce the LB FW rule size, can be converted into a "map" [3]. The problem is this is only understood by the new API, not the "nftables" binaries using the legacy API.

In a nutshell, what is the current status? We support (a) legacy tools and (b) "nftables" binaries with legacy API. This is the list of patches enabling the second option:

About the third option, to support the native "nft" API, I don't know if now we have the resources (time) and the need for that. This could be discussed again in the next PTG and in this mail too.

Regards.
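The mail mentions an "nft" parser as the first building block of a NFtablesManager. As an added illustration (not the parser from [1], nor Neutron code), the Python below reads the JSON that `nft -j list ruleset` emits (the libnftables JSON schema), renders each rule back into nft text syntax, and answers the question a manager has to ask before touching a chain: does an identical rule already exist, and under which handle? It also surfaces named sets, which is where the "ipset" to set/map conversion discussed above lands in the native API. The ruleset below is constructed for the example; the table, chain, set name and addresses are placeholders, and only the statement kinds listed in `render_statement` are supported (anything else raises rather than being guessed).

```python
import json
from dataclasses import dataclass, field

# Constructed sample of `nft -j list ruleset` output (libnftables JSON); not taken
# from any real host. Table/set/chain names and addresses are placeholders.
SAMPLE_RULESET_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "0.9.8", "release_name": "E.D.S.", "json_schema_version": 1}},
        {"table": {"family": "ip", "name": "filter", "handle": 1}},
        {"set": {"family": "ip", "table": "filter", "name": "allowed_hosts", "handle": 2,
                 "type": "ipv4_addr", "elem": ["10.0.0.1", "10.0.0.2"]}},
        {"chain": {"family": "ip", "table": "filter", "name": "INPUT", "handle": 3,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
        {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 4,
                  "expr": [{"match": {"op": "==",
                                      "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                                      "right": "@allowed_hosts"}},     # reference to the named set
                           {"accept": None}]}},
        {"rule": {"family": "ip", "table": "filter", "chain": "INPUT", "handle": 5,
                  "expr": [{"match": {"op": "==",
                                      "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                      "right": 22}},
                           {"counter": {"packets": 0, "bytes": 0}},
                           {"accept": None}]}},
    ]
})


@dataclass
class Ruleset:
    """In-memory view of a ruleset: tables, named sets, chains and rendered rules."""
    tables: set = field(default_factory=set)    # {(family, table)}
    sets: dict = field(default_factory=dict)    # (family, table, set) -> [elements]
    chains: dict = field(default_factory=dict)  # (family, table, chain) -> chain attributes
    rules: dict = field(default_factory=dict)   # (family, table, chain) -> [(handle, text)]


def render_operand(operand):
    """Render one side of a match expression in nft text syntax."""
    if isinstance(operand, dict):
        if "payload" in operand:          # {"payload": {"protocol": "tcp", "field": "dport"}}
            p = operand["payload"]
            return f"{p['protocol']} {p['field']}"
        if "meta" in operand:             # {"meta": {"key": "iifname"}}
            return operand["meta"]["key"]
        if "set" in operand:              # anonymous set literal: {"set": [22, 80]}
            return "{ " + ", ".join(render_operand(e) for e in operand["set"]) + " }"
        raise ValueError(f"unsupported operand: {operand}")
    return str(operand)                   # ints, "@named_set", "10.0.0.1", ...


def render_statement(stmt):
    """Render one entry of a rule's "expr" list in nft text syntax."""
    if "match" in stmt:
        m = stmt["match"]
        op = "" if m["op"] == "==" else f" {m['op']}"   # nft prints "==" implicitly
        return f"{render_operand(m['left'])}{op} {render_operand(m['right'])}"
    if "counter" in stmt:
        return "counter"
    if "jump" in stmt:
        return f"jump {stmt['jump']['target']}"
    for verdict in ("accept", "drop", "return"):
        if verdict in stmt:
            return verdict
    # Refuse to guess: a mis-rendered statement would make the duplicate check
    # pass or fail for the wrong reason.
    raise ValueError(f"unsupported statement: {stmt}")


def render_rule(rule):
    return " ".join(render_statement(s) for s in rule["expr"])


def parse_ruleset(text):
    """Parse `nft -j list ruleset` JSON into a Ruleset."""
    rs = Ruleset()
    for obj in json.loads(text)["nftables"]:
        if "table" in obj:
            t = obj["table"]
            rs.tables.add((t["family"], t["name"]))
        elif "set" in obj:
            s = obj["set"]
            rs.sets[(s["family"], s["table"], s["name"])] = list(s.get("elem", []))
        elif "chain" in obj:
            c = obj["chain"]
            rs.chains[(c["family"], c["table"], c["name"])] = c
        elif "rule" in obj:
            r = obj["rule"]
            key = (r["family"], r["table"], r["chain"])
            rs.rules.setdefault(key, []).append((r["handle"], render_rule(r)))
        # "metainfo" and object kinds not modelled here are skipped on purpose.
    return rs


def find_rule(rs, family, table, chain, rule_text):
    """Return the handle of an identical rule, or None: the check an idempotent
    manager needs before appending a rule, and the handle it needs to delete one."""
    for handle, text in rs.rules.get((family, table, chain), []):
        if text == rule_text:
            return handle
    return None
```

Rendering rules back to text is what makes comparison with the rules a manager wants to apply possible, since nft has no "does this rule exist" query; handles, not text, are what `nft delete rule` takes, so the parser keeps both.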