Re: Security Group
Hello Benyamin: Please check the Neutron security group documentation. What you are doing is to filter by an inport, traffic type (IPv4, TCP) and a dst port. This is something that you can do using the SG API: https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/s... . Regards. On Wed, Jan 24, 2024 at 10:15 AM benyamin sam khanyani <bsamkhaniyani@gmail.com> wrote:
Hello Rodolfo:
As an example, I have added an ACL rule with the following command:
ovn-nbctl acl-add c56beb58-5eca-4c16-ad75-b28ff2b33b83 to-lport 1002 "outport == @pg_55bcfed5_3355_4de7_a5c3_53f256f83e81 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 555" allow-related
I can see it when I run the "ovn-nbctl list acl" command and it works properly in my environment. Now I want to make it permanent but, as you said, it's not possible, and the only source of truth is Neutron.
As a result, none of the ovn-nbctl commands work permanently and everything must be changed by Neutron. So, I want to ask you if it is possible to have a way to make these commands permanent. I think the db_sync function can be enhanced and it can facilitate networking in OpenStack, because there are a variety of changes we can apply with ovn-nbctl commands that are not possible using Neutron.
Best, Ben
On Tue, 23 Jan 2024 at 20:08, Rodolfo Alonso Hernandez <ralonsoh@redhat.com> wrote:
Hello Benyamin:
Can you specify what rules you are manually creating in the OVN database?
The code you are referring to is the sync tool. The goal of this tool is to sync both databases, OVN and Neutron. But please remember that Neutron is the CMS; it is the only source of truth and it controls the network backend, in this case OVN. Any definition should be done in Neutron, and any manual change in the OVN database will be restored or the environment will fail.
Regards.
On Tue, Jan 23, 2024 at 11:15 AM benyamin sam khanyani <bsamkhaniyani@gmail.com> wrote:
Thanks for your comprehensive reply.
I apply completely similar rules to what Neutron installs in the OVN Northbound Database and I think it is compatible with LB, OVS, and OVN. I think the main issue is the sync mechanism between the Neutron DB and the OVN Northbound DB [1] (line 244). Clearly, it's not a bug, but I think this function can be enhanced in order to support changes which can be defined directly in the OVN Northbound DB. As there are a variety of functionalities in the ovn-nbctl and ovn-sbctl command line tools, I believe that it could be beneficial.
[1] https://github.com/openstack/neutron/blob/dad8c3fecc4e97764a92f558d9df510fa2...
On Mon, 22 Jan 2024 at 18:31, Rodolfo Alonso Hernandez <ralonsoh@redhat.com> wrote:
Hello Benyamin:
I'm guessing from your mail that you are referring to Neutron security groups and you are using ML2/OVN. Any SG rule should be defined in Neutron, not in OVN directly. The Neutron SG rules are translated to ACLs and applied to a port group. If you are interested in how this is done, please check [1].
If you want to add any new functionality to the SG rules, you should create a LP bug [2] with an RFE. This RFE should be a high-level description of what you want to implement. Be aware that we have multiple mechanism drivers in-tree: LB, OVS and OVN. This feature should be compatible with all of them. The RFE can be discussed during the Neutron drivers meetings [3].
Regards.
[1] https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers...
[2] https://bugs.launchpad.net/neutron/
[3] https://meetings.opendev.org/#Neutron_drivers_Meeting
On Mon, Jan 22, 2024 at 3:41 PM benyamin sam khanyani <bsamkhaniyani@gmail.com> wrote:
Hi,
I am working on the security group and aim to extend its functionality by applying custom rules based on source and destination ports, arbitrary match criteria, actions, and so on. I did it by using ovn-nbctl commands and everything worked well. Unfortunately, the only issue is that I cannot see my custom rules in MariaDB, and I didn't find any other solution for defining security group rules with my desired options. So I want to ask you how I can tackle this issue.
Regards, Benjamin Sam
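Added example, not part of the thread and not Neutron's own code: a reduced Python reimplementation of the SG-rule-to-ACL translation Rodolfo describes (Neutron rule in, ACL row on the SG's port group out), fed the Neutron security group rule that corresponds to the ACL Benyamin added by hand. The `openstack security group rule create` invocation in the comment is the Neutron-side way to define that rule, as the last reply recommends; the rule dict is constructed from the thread, the helper and constant names are the example's own, and the handling of ICMP and of protocols other than tcp/udp/sctp/icmp is simplified relative to the real driver.

```python
# Added example (not Neutron's code): a reduced reimplementation of how the
# ML2/OVN driver renders a Neutron security-group rule as the OVN NB ACL it
# installs on the SG's port group. Field names follow the Neutron SG-rule API;
# constants are taken from the ACL shown in the thread (priority 1002,
# action allow-related).

ACL_PRIORITY_ALLOW = 1002
ACL_ACTION_ALLOW_RELATED = "allow-related"
TRANSPORT_PROTOCOLS = ("tcp", "udp", "sctp")

# Constructed input: the Neutron rule equivalent to
#   openstack security group rule create --ingress --ethertype IPv4 \
#       --protocol tcp --dst-port 555 --remote-ip 0.0.0.0/0 <SG>
# The SG UUID is the one embedded in the thread's port-group name.
EXAMPLE_RULE = {
    "security_group_id": "55bcfed5-3355-4de7-a5c3-53f256f83e81",
    "direction": "ingress",
    "ethertype": "IPv4",
    "protocol": "tcp",
    "port_range_min": 555,
    "port_range_max": 555,
    "remote_ip_prefix": "0.0.0.0/0",
}


def port_group_name(sg_id):
    """Neutron names the SG's port group 'pg_' + the SG UUID with '-' -> '_'."""
    return "pg_" + sg_id.replace("-", "_")


def direction_match(rule):
    """Ingress is traffic delivered to the VM port ('to-lport', match on
    outport); egress is traffic leaving it ('from-lport', match on inport)."""
    pg = port_group_name(rule["security_group_id"])
    if rule["direction"] == "ingress":
        return "to-lport", "outport == @" + pg
    if rule["direction"] == "egress":
        return "from-lport", "inport == @" + pg
    raise ValueError("unknown direction %r" % rule["direction"])


def protocol_match(rule, ip_version):
    """Protocol and port part of the match (simplified: tcp/udp/sctp/icmp)."""
    proto = rule.get("protocol")
    if not proto:
        return []
    pmin, pmax = rule.get("port_range_min"), rule.get("port_range_max")
    if proto in TRANSPORT_PROTOCOLS:
        parts = [proto]
        if pmin is not None and pmax is not None:
            if pmin == pmax:
                parts.append("%s.dst == %d" % (proto, pmin))
            else:
                parts.append("%d <= %s.dst <= %d" % (pmin, proto, pmax))
        return parts
    if proto in ("icmp", "icmpv6", "ipv6-icmp"):
        icmp = "icmp4" if ip_version == "ip4" else "icmp6"
        parts = [icmp]
        if pmin is not None:          # for ICMP, min/max carry type/code
            parts.append("%s.type == %d" % (icmp, pmin))
        if pmax is not None:
            parts.append("%s.code == %d" % (icmp, pmax))
        return parts
    raise ValueError("protocol %r not handled in this example" % proto)


def acl_for_rule(rule):
    """Build the NB ACL row fields Neutron would install for one SG rule."""
    ovn_dir, port_part = direction_match(rule)
    ip_version = "ip4" if rule.get("ethertype", "IPv4") == "IPv4" else "ip6"
    parts = [port_part, ip_version]
    remote = rule.get("remote_ip_prefix")
    if remote:
        # Ingress rules constrain the source address, egress the destination.
        field = "src" if rule["direction"] == "ingress" else "dst"
        parts.append("%s.%s == %s" % (ip_version, field, remote))
    parts.extend(protocol_match(rule, ip_version))
    return {
        "port_group": port_group_name(rule["security_group_id"]),
        "direction": ovn_dir,
        "priority": ACL_PRIORITY_ALLOW,
        "match": " && ".join(parts),
        "action": ACL_ACTION_ALLOW_RELATED,
    }


def as_nbctl_command(acl):
    """Equivalent ovn-nbctl invocation, useful for comparing against the
    output of 'ovn-nbctl list acl'. Neutron hangs the ACL off the port group
    (--type=port-group), not off a logical switch as in the thread's command."""
    return ('ovn-nbctl --type=port-group acl-add %s %s %d "%s" %s'
            % (acl["port_group"], acl["direction"], acl["priority"],
               acl["match"], acl["action"]))


if __name__ == "__main__":
    print(as_nbctl_command(acl_for_rule(EXAMPLE_RULE)))
```

Running the block prints the port-group ACL whose match string is identical to the one in Benyamin's hand-added rule, which is why the Neutron rule in the comment is the supported way to get that ACL: Neutron writes it to its own DB and to OVN NB, and the sync tool then has nothing to undo.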