[neutron] Neutron, nftables support and other fantastic beasts

Rodolfo Alonso Hernandez ralonsoh at redhat.com
Fri Apr 9 09:40:29 UTC 2021


Hello Neutrinos:

During Wallaby I've been working on enabling "nftables" support in Neutron.
The goal was to use the new Netfilter framework replacing the legacy tools
("iptables", "ip6tables", "arptables" and "ebtables").

Because each namespace has its own Netfilter process, isolated from other
namespaces, the migration process could be segmented into several tasks:
dnat, fip, router, dhcp, metadata, Linux Bridge FW and OVS hybrid FW (I
think I'm not missing anything here).

When swapping to the new "nftables" framework, we can use the legacy API
tools provided. Those tools provide a smooth transition to the new tooling
(we found some differences that are now solved). That means we can keep the
current code while using "nftables".

Please read [3] before reading the next paragraph; it explains the three
available "Netfilter" framework alternatives.

I started creating a "nft" (the "nftables" native binary) parser [1] to
implement an NFtablesManager class, same as IPtablesManager. But soon I
found that the transition to the new API is not that easy. This is not only
a matter of creating the equivalent rule in the "nft" API but considering
how those rules are handled in "nftables". Other problems found when using
the new "nft" API:
- The "--checksum-fill" command used in OVN metadata and DHCP namespace has
no equivalent in "nft". That means old DHCP servers incorrectly calculating
the packet checksum or DPDK environments won't work correctly.
- "ipset" tool, used to group IP addresses and reduce the LB FW rule size,
can be converted into a "map" [3]. The problem is this is only understood
by the new API, not the "nftables" binaries using the legacy API.

In a nutshell, what is the current status? We support (a) legacy tools and
(b) "nftables" binaries with legacy API. This is the list of patches
enabling the second option:
- https://review.opendev.org/c/openstack/neutron/+/784913: this problem was
affecting LB FW when "ipset" was disabled (merged).
- https://review.opendev.org/c/openstack/neutron/+/785177: reorder the
"ebtables" rules and prevent execution error 4 with empty chains.
- https://review.opendev.org/c/openstack/neutron/+/785144: this patch, on
top of the other two, creates two new neutron-tempest-plugin CI jobs, based
on "linuxbridge" and "openvswitch-iptables_hybrid", to test the execution
with the new binaries.
- https://review.opendev.org/c/openstack/neutron/+/775413: this patch tests
what is implemented in the previous one but testing those jobs in the
"check" queue (it is a DNM patch just for testing).

About the third option, to support the native "nft" API, I don't know if
now we have the resources (time) and the need for that. This could be
discussed again in the next PTG and in this mail too.

Regards.

[1] https://review.opendev.org/c/openstack/neutron/+/759874
[2] https://review.opendev.org/c/openstack/neutron/+/785137/3/doc/source/admin/deploy-lb.rst
[3] https://review.opendev.org/c/openstack/neutron/+/775413/10/neutron/agent/linux/ipset_manager.py
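Added illustration (not code from this mail or from Neutron) of two points the message makes: telling apart the legacy tools from the "nftables" binaries behind the legacy API by looking at `iptables -V` output, and rendering an ipset-style address list as a native "nft" set, the form that only the native API understands. The sample version strings are constructed; the set/table names are arbitrary placeholders.

```python
import ipaddress
import re

# Constructed samples of `iptables -V` output (not taken from the mail).
IPTABLES_V_NFT = "iptables v1.8.7 (nf_tables)"
IPTABLES_V_LEGACY = "iptables v1.8.7 (legacy)"
IPTABLES_V_OLD = "iptables v1.6.1"

_BACKEND_RE = re.compile(r"^ip6?tables v(\S+)(?: \((nf_tables|legacy)\))?")


def classify_backend(version_output):
    """Map `iptables -V` output to one of the mail's framework options:
    'legacy' (old xtables tools), 'nf_tables' (nftables binaries behind the
    legacy iptables API), or None when the string is not recognised.
    iptables < 1.8 prints no backend tag and can only be the legacy tool."""
    m = _BACKEND_RE.match(version_output.strip())
    if not m:
        return None
    version, backend = m.groups()
    if backend:
        return backend
    major, minor = (int(x) for x in version.split(".")[:2])
    return "legacy" if (major, minor) < (1, 8) else None


def ipset_to_nft_set(table, set_name, entries, family="inet"):
    """Render an ipset-style list of addresses/CIDRs as a native nft set
    definition. All entries must share one IP version; any prefix shorter
    than a host route switches on `flags interval` so ranges match."""
    parsed = [ipaddress.ip_network(e, strict=False) for e in entries]
    versions = {n.version for n in parsed}
    if len(versions) != 1:
        raise ValueError("mixed IPv4/IPv6 entries need separate sets")
    v = versions.pop()
    has_prefix = any(n.prefixlen != n.max_prefixlen for n in parsed)
    lines = [f"table {family} {table} {{", f"    set {set_name} {{",
             f"        type {'ipv4_addr' if v == 4 else 'ipv6_addr'}"]
    if has_prefix:
        lines.append("        flags interval")
    elems = ", ".join(str(n.network_address) if n.prefixlen == n.max_prefixlen
                      else str(n) for n in parsed)
    lines += [f"        elements = {{ {elems} }}", "    }", "}"]
    return "\n".join(lines)
```

The emitted text can be fed to `nft -f`, but only where the native binary is in use; the legacy-API wrappers will not load it.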