[openstack-dev] [neutron] Neutron API rate limiting

Rick Jones rick.jones2 at hp.com
Fri May 15 19:01:53 UTC 2015


> On May 14, 2015 9:26 PM, "Gal Sagie" <gal.sagie at gmail.com<mailto:gal.sagie at gmail.com>> wrote:
> Hello Ryan,
>
> We have proposed a spec to liberty to add rate limit functionality to security groups [1].
> We see two big use cases for it, one as you mentioned is DDoS for east-west and another
> is brute force prevention (for example port scanning).
>
> We are re-writing the spec as an extension to the current API, we also have a proposal
> to enhance the Security Group / FWaaS implementation in order to make it easily extendible by such
> new classes of security rules.
>
> We are planning to discuss all of that in the SG/FWaaS future directions session [2].
> I or Lionel will update you as soon as we have the fixed spec for review, and feel free to come to the discussion
> as we are more then welcoming everyone to help this effort.
>
> Gal.
>
> [1] https://review.openstack.org/#/c/151247/
> [2] https://etherpad.openstack.org/p/YVR-neutron-sg-fwaas-future-direction

Isn't there already described a way to rate-limit instances (overall) by 
putting qdiscs onto their tap devices?

Having looked only briefly at the spec, I would say you want to have the 
option to "MARK" that traffic which is EDN enabled the rate limiting 
might have otherwise dropped.

The extant mechanism I mentioned uses HTB in one direction (instance 
inbound/tap outbound) and a policing filter in the other.  I've used it 
(as a mostly end user) and have noticed that as described, one can 
introduce non-trivial bufferbloat inbound to the instance.

And I've always wished (as in if wishes were horses) that the instance 
outbound throttle were actually implemented in a way where it becomes 
immediately apparent to the instance by causing the tx queue in the 
instance to build-up.  That wouldn't be something on a tap device though.

Does there need to be both a packet and bit rate limit?  I've some 
experience with bit rate limits and have seen otherwise rather throttled 
(bitrate) instances cause non-trivial problems with a network node.

rick jones



More information about the OpenStack-dev mailing list