Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
Hi Akihiro,

See inline for a question ...

Thanks,
Robert

On 3/7/14 2:02 PM, Akihiro Motoki amot...@gmail.com wrote:

> Hi Robert,
>
> Thanks for the clarification. I understand the motivation.
>
> I think the problem can be split into two categories:
> (a) user configurable rules vs infra enforced rule, and
> (b) DHCP/RA service exists inside or outside of Neutron
>
> Regarding (a), I believe DHCP or RA related rules are better handled by the infra side because it is required to ensure DHCP/RA works well. I don't think it is a good idea to delegate users to configure rules to allow them. It works as long as DHCP/RA service works inside OpenStack. This is the main motivation of my previous question.
>
> On the other hand, there is no way to cooperate with DHCP/RA services outside of OpenStack now. This blocks the use case in your mind. It is true that the current Neutron cannot work with a dhcp server outside of neutron.

I'd appreciate it if you can explain the above in more detail. I'd like to understand what has caused the limitation. Thanks.

> I agree that adding a security group rule to allow RA is reasonable as a workaround. However, for a long-term solution, it is better to explore a way to configure infra-required rules.
>
> Thanks,
> Akihiro
>
> On Sat, Mar 8, 2014 at 12:50 AM, Robert Li (baoli) ba...@cisco.com wrote:
>
>> Hi Akihiro,
>>
>> In the case of IPv6 RA, its source IP is a Link Local Address from the router's RA advertising interface. This LLA address is automatically generated and not saved in the neutron port DB. We are exploring the idea of retrieving this LLA if a native openstack RA service is running on the subnet. Would SG be needed with a provider net in which the RA service is running external to openstack?
>>
>> In the case of IPv4 DHCP, the dhcp port is created by the dhcp service, and the dhcp server ip address is retrieved from this dhcp port. If the dhcp server is running outside of openstack, and if we'd only allow dhcp packets from this server, how is it done now?
>>
>> thanks,
>> Robert
>>
>> On 3/7/14 12:00 AM, Akihiro Motoki amot...@gmail.com wrote:
>>
>>> I wonder why RA needs to be exposed by security group API. Does a user need to configure security group to allow IPv6 RA? Or should it be allowed in infra side?
>>>
>>> In the current implementation DHCP packets are allowed by provider rule (which is hardcoded in neutron code now). I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we don't need to expose RA in security group API. Am I missing something?
>>>
>>> Thanks,
>>> Akihiro
>>>
>>> On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng pengxu...@gmail.com wrote:
>>>
>>>> I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].
>>>>
>>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).
>>>>
>>>> To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.
>>>>
>>>> API change is also needed.
>>>>
>>>> Please let me know your comments about this blueprint.
>>>>
>>>> [1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
>>>> [2] https://review.openstack.org/#/c/72252/
>>>>
>>>> Thank you!
>>>> Xuhan Peng

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
Thanks all for your comments! Do you guys think we can have a summit session to discuss the next steps? I can prepare a spec if needed.

Thanks,
Xuhan

— Xu Han Peng (xuhanp)

On Sat, Mar 8, 2014 at 3:19 AM, Akihiro Motoki amot...@gmail.com wrote:

> Hi Robert,
>
> Thanks for the clarification. I understand the motivation.
>
> I think the problem can be split into two categories:
> (a) user configurable rules vs infra enforced rule, and
> (b) DHCP/RA service exists inside or outside of Neutron
>
> Regarding (a), I believe DHCP or RA related rules are better handled by the infra side because it is required to ensure DHCP/RA works well. I don't think it is a good idea to delegate users to configure rules to allow them. It works as long as DHCP/RA service works inside OpenStack. This is the main motivation of my previous question.
>
> On the other hand, there is no way to cooperate with DHCP/RA services outside of OpenStack now. This blocks the use case in your mind. It is true that the current Neutron cannot work with a dhcp server outside of neutron.
>
> I agree that adding a security group rule to allow RA is reasonable as a workaround. However, for a long-term solution, it is better to explore a way to configure infra-required rules.
>
> Thanks,
> Akihiro
>
> On Sat, Mar 8, 2014 at 12:50 AM, Robert Li (baoli) ba...@cisco.com wrote:
>
>> Hi Akihiro,
>>
>> In the case of IPv6 RA, its source IP is a Link Local Address from the router's RA advertising interface. This LLA address is automatically generated and not saved in the neutron port DB. We are exploring the idea of retrieving this LLA if a native openstack RA service is running on the subnet. Would SG be needed with a provider net in which the RA service is running external to openstack?
>>
>> In the case of IPv4 DHCP, the dhcp port is created by the dhcp service, and the dhcp server ip address is retrieved from this dhcp port. If the dhcp server is running outside of openstack, and if we'd only allow dhcp packets from this server, how is it done now?
>>
>> thanks,
>> Robert
>>
>> On 3/7/14 12:00 AM, Akihiro Motoki amot...@gmail.com wrote:
>>
>>> I wonder why RA needs to be exposed by security group API. Does a user need to configure security group to allow IPv6 RA? Or should it be allowed in infra side?
>>>
>>> In the current implementation DHCP packets are allowed by provider rule (which is hardcoded in neutron code now). I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we don't need to expose RA in security group API. Am I missing something?
>>>
>>> Thanks,
>>> Akihiro
>>>
>>> On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng pengxu...@gmail.com wrote:
>>>
>>>> I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].
>>>>
>>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).
>>>>
>>>> To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.
>>>>
>>>> API change is also needed.
>>>>
>>>> Please let me know your comments about this blueprint.
>>>>
>>>> [1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
>>>> [2] https://review.openstack.org/#/c/72252/
>>>>
>>>> Thank you!
>>>> Xuhan Peng
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
Hi Akihiro,

In the case of IPv6 RA, its source IP is a Link Local Address from the router's RA advertising interface. This LLA address is automatically generated and not saved in the neutron port DB. We are exploring the idea of retrieving this LLA if a native openstack RA service is running on the subnet. Would SG be needed with a provider net in which the RA service is running external to openstack?

In the case of IPv4 DHCP, the dhcp port is created by the dhcp service, and the dhcp server ip address is retrieved from this dhcp port. If the dhcp server is running outside of openstack, and if we'd only allow dhcp packets from this server, how is it done now?

thanks,
Robert

On 3/7/14 12:00 AM, Akihiro Motoki amot...@gmail.com wrote:

> I wonder why RA needs to be exposed by security group API. Does a user need to configure security group to allow IPv6 RA? Or should it be allowed in infra side?
>
> In the current implementation DHCP packets are allowed by provider rule (which is hardcoded in neutron code now). I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we don't need to expose RA in security group API. Am I missing something?
>
> Thanks,
> Akihiro
>
> On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng pengxu...@gmail.com wrote:
>
>> I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].
>>
>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).
>>
>> To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.
>>
>> API change is also needed.
>>
>> Please let me know your comments about this blueprint.
>>
>> [1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
>> [2] https://review.openstack.org/#/c/72252/
>>
>> Thank you!
>> Xuhan Peng
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
Hi Robert,

Thanks for the clarification. I understand the motivation.

I think the problem can be split into two categories:
(a) user configurable rules vs infra enforced rule, and
(b) DHCP/RA service exists inside or outside of Neutron

Regarding (a), I believe DHCP or RA related rules are better handled by the infra side because it is required to ensure DHCP/RA works well. I don't think it is a good idea to delegate users to configure rules to allow them. It works as long as DHCP/RA service works inside OpenStack. This is the main motivation of my previous question.

On the other hand, there is no way to cooperate with DHCP/RA services outside of OpenStack now. This blocks the use case in your mind. It is true that the current Neutron cannot work with a dhcp server outside of neutron.

I agree that adding a security group rule to allow RA is reasonable as a workaround. However, for a long-term solution, it is better to explore a way to configure infra-required rules.

Thanks,
Akihiro

On Sat, Mar 8, 2014 at 12:50 AM, Robert Li (baoli) ba...@cisco.com wrote:

> Hi Akihiro,
>
> In the case of IPv6 RA, its source IP is a Link Local Address from the router's RA advertising interface. This LLA address is automatically generated and not saved in the neutron port DB. We are exploring the idea of retrieving this LLA if a native openstack RA service is running on the subnet. Would SG be needed with a provider net in which the RA service is running external to openstack?
>
> In the case of IPv4 DHCP, the dhcp port is created by the dhcp service, and the dhcp server ip address is retrieved from this dhcp port. If the dhcp server is running outside of openstack, and if we'd only allow dhcp packets from this server, how is it done now?
>
> thanks,
> Robert
>
> On 3/7/14 12:00 AM, Akihiro Motoki amot...@gmail.com wrote:
>
>> I wonder why RA needs to be exposed by security group API. Does a user need to configure security group to allow IPv6 RA? Or should it be allowed in infra side?
>>
>> In the current implementation DHCP packets are allowed by provider rule (which is hardcoded in neutron code now). I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we don't need to expose RA in security group API. Am I missing something?
>>
>> Thanks,
>> Akihiro
>>
>> On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng pengxu...@gmail.com wrote:
>>
>>> I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].
>>>
>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).
>>>
>>> To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.
>>>
>>> API change is also needed.
>>>
>>> Please let me know your comments about this blueprint.
>>>
>>> [1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
>>> [2] https://review.openstack.org/#/c/72252/
>>>
>>> Thank you!
>>> Xuhan Peng
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
Sean, you are right. It doesn't work at all. So I think the short term goal is to get that fixed for ICMP and the long term goal is to write an extension as Amir pointed out?

On Wed, Mar 5, 2014 at 1:55 AM, Collins, Sean sean_colli...@cable.comcast.com wrote:

> On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
>> On 03/03/2014 11:18 AM, Collins, Sean wrote:
>>> On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
>>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow
>>>
>>> If I am not mistaken, I believe that when you use the ICMP protocol type, you can use the port range specs to limit the type.
>>>
>>> https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
>>>
>>> http://i.imgur.com/3n858Pf.png
>>>
>>> I assume we just have to check and see if it applies to ICMPv6?
>>
>> I tried using horizon to add an icmp type/code rule, and it didn't work.
>>
>> Before:
>>
>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>>
>> After:
>>
>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>>
>> I'd assume I'll have the same error with v6.
>>
>> I am curious what's actually being done under the hood here now...
>
> Looks like _port_arg just returns an empty array when the protocol is ICMP?
>
> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328
>
> Called by:
>
> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292
>
> --
> Sean M. Collins
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
I opened a bug [1] and submitted a patch [2] to solve this short term (hopefully for Icehouse).

[1] https://bugs.launchpad.net/neutron/+bug/1289088
[2] https://review.openstack.org/#/c/78835/

Xuhan

On Thu, Mar 6, 2014 at 5:42 PM, Xuhan Peng pengxu...@gmail.com wrote:

> Sean, you are right. It doesn't work at all. So I think the short term goal is to get that fixed for ICMP and the long term goal is to write an extension as Amir pointed out?
>
> On Wed, Mar 5, 2014 at 1:55 AM, Collins, Sean sean_colli...@cable.comcast.com wrote:
>
>> On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
>>> On 03/03/2014 11:18 AM, Collins, Sean wrote:
>>>> On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
>>>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow
>>>>
>>>> If I am not mistaken, I believe that when you use the ICMP protocol type, you can use the port range specs to limit the type.
>>>>
>>>> https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
>>>>
>>>> http://i.imgur.com/3n858Pf.png
>>>>
>>>> I assume we just have to check and see if it applies to ICMPv6?
>>>
>>> I tried using horizon to add an icmp type/code rule, and it didn't work.
>>>
>>> Before:
>>>
>>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>>>
>>> After:
>>>
>>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>>> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>>>
>>> I'd assume I'll have the same error with v6.
>>>
>>> I am curious what's actually being done under the hood here now...
>>
>> Looks like _port_arg just returns an empty array when the protocol is ICMP?
>>
>> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328
>>
>> Called by:
>>
>> https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292
>>
>> --
>> Sean M. Collins
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
I wonder why RA needs to be exposed by security group API. Does a user need to configure security group to allow IPv6 RA? Or should it be allowed in infra side?

In the current implementation DHCP packets are allowed by provider rule (which is hardcoded in neutron code now). I think the role of IPv6 RA is similar to DHCP in IPv4. If so, we don't need to expose RA in security group API. Am I missing something?

Thanks,
Akihiro

On Mon, Mar 3, 2014 at 10:39 PM, Xuhan Peng pengxu...@gmail.com wrote:

> I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].
>
> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).
>
> To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.
>
> API change is also needed.
>
> Please let me know your comments about this blueprint.
>
> [1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
> [2] https://review.openstack.org/#/c/72252/
>
> Thank you!
> Xuhan Peng
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
On 03/03/2014 11:18 AM, Collins, Sean wrote:
> On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow
>
> If I am not mistaken, I believe that when you use the ICMP protocol type, you can use the port range specs to limit the type.
>
> https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
>
> http://i.imgur.com/3n858Pf.png
>
> I assume we just have to check and see if it applies to ICMPv6?

I tried using horizon to add an icmp type/code rule, and it didn't work.

Before:

-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN

After:

-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
-A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN

I'd assume I'll have the same error with v6.

I am curious what's actually being done under the hood here now...

-Brian
Re: [openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
On Tue, Mar 04, 2014 at 12:01:00PM -0500, Brian Haley wrote:
> On 03/03/2014 11:18 AM, Collins, Sean wrote:
>> On Mon, Mar 03, 2014 at 09:39:42PM +0800, Xuhan Peng wrote:
>>> Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow
>>
>> If I am not mistaken, I believe that when you use the ICMP protocol type, you can use the port range specs to limit the type.
>>
>> https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L309
>>
>> http://i.imgur.com/3n858Pf.png
>>
>> I assume we just have to check and see if it applies to ICMPv6?
>
> I tried using horizon to add an icmp type/code rule, and it didn't work.
>
> Before:
>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>
> After:
>
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
> -A neutron-linuxbri-i4533da4f-1 -p icmp -j RETURN
>
> I'd assume I'll have the same error with v6.
>
> I am curious what's actually being done under the hood here now...

Looks like _port_arg just returns an empty array when the protocol is ICMP?

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L328

Called by:

https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py#L292

--
Sean M. Collins
[openstack-dev] [Neutron][IPv6][Security Group] BP: Support ICMP type filter by security group
I created a new blueprint [1] which is triggered by the requirement to allow IPv6 Router Advertisement security group rule on compute node in my on-going code review [2].

Currently, only security group rule direction, protocol, ethertype and port range are supported by neutron security group rule data structure. To allow Router Advertisement coming from network node or provider network to VM on compute node, we need to specify ICMP type to only allow RA from known hosts (network node dnsmasq bound IP or known provider gateway).

To implement this and make the implementation extensible, maybe we can add an additional table named SecurityGroupRuleData with Key, Value and ID in it. For ICMP type RA filter, we can add key=icmp-type value=134, and security group rule to the table. When other ICMP type filters are needed, similar records can be stored. This table can also be used for other firewall rule key values.

API change is also needed.

Please let me know your comments about this blueprint.

[1] https://blueprints.launchpad.net/neutron/+spec/security-group-icmp-type-filter
[2] https://review.openstack.org/#/c/72252/

Thank you!
Xuhan Peng
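The two technical points of this thread in one added example (illustration written for this page, not Neutron's own code): the agent-side defect Brian and Sean observed, where the port-argument helper returned nothing for ICMP so an ICMP type/code rule rendered as a second plain "-p icmp -j RETURN", shown beside a corrected translation that maps port_range_min/max to --icmp-type / --icmpv6-type, and the blueprint's use case of admitting Router Advertisements (ICMPv6 type 134) only from a known gateway. Field names follow the Neutron security-group API; the rule protocol spelling "icmpv6", the ip6tables name "ipv6-icmp", and the gateway address are this example's assumptions.

```python
"""Security-group rule -> iptables/ip6tables arguments (added illustration).

Not Neutron's code: a miniature of the translation the thread discusses,
with the reported defect and a corrected version side by side.
"""
from dataclasses import dataclass
from typing import List, Optional

ICMP_PROTOCOLS = {"icmp", "icmpv6"}   # "icmpv6" spelling is an assumption


@dataclass
class SecurityGroupRule:
    direction: str                        # "ingress" or "egress"
    ethertype: str                        # "IPv4" or "IPv6"
    protocol: Optional[str] = None        # "tcp", "udp", "icmp", "icmpv6" or None
    port_range_min: Optional[int] = None  # for ICMP this carries the type
    port_range_max: Optional[int] = None  # for ICMP this carries the code
    remote_ip_prefix: Optional[str] = None


def _dport_arg(rule: SecurityGroupRule) -> List[str]:
    """--dport for TCP/UDP: a single port or a min:max range."""
    if rule.port_range_max is None or rule.port_range_max == rule.port_range_min:
        return ["--dport", str(rule.port_range_min)]
    return ["--dport", "%d:%d" % (rule.port_range_min, rule.port_range_max)]


def port_arg_buggy(rule: SecurityGroupRule) -> List[str]:
    """Behaviour reported in the thread: ICMP gets no match arguments at all,
    so the type/code the user entered is silently dropped."""
    if rule.port_range_min is None or rule.protocol in ICMP_PROTOCOLS:
        return []
    return _dport_arg(rule)


def port_arg_fixed(rule: SecurityGroupRule) -> List[str]:
    """Corrected translation: for ICMP, port_range_min is the type and
    port_range_max the optional code, rendered as --icmp-type type[/code]
    (--icmpv6-type under ip6tables). Out-of-range values are rejected."""
    if rule.port_range_min is None:
        return []
    if rule.protocol not in ICMP_PROTOCOLS:
        return _dport_arg(rule)
    for field in (rule.port_range_min, rule.port_range_max):
        if field is not None and not 0 <= field <= 255:
            raise ValueError("ICMP type/code must be 0..255, got %r" % field)
    flag = "--icmpv6-type" if rule.ethertype == "IPv6" else "--icmp-type"
    value = str(rule.port_range_min)
    if rule.port_range_max is not None:
        value += "/%d" % rule.port_range_max
    return [flag, value]


def rule_to_iptables(rule: SecurityGroupRule, chain: str, port_arg=port_arg_fixed) -> str:
    """Render one rule as an iptables-save style line for the given chain."""
    args = ["-A", chain]
    if rule.protocol:
        proto = "ipv6-icmp" if rule.protocol == "icmpv6" else rule.protocol
        args += ["-p", proto]
    if rule.remote_ip_prefix:   # ingress rules match the remote side as source
        args += ["-s" if rule.direction == "ingress" else "-d", rule.remote_ip_prefix]
    args += port_arg(rule)
    return " ".join(args + ["-j", "RETURN"])


def brian_case(port_arg=port_arg_fixed) -> List[str]:
    """Brian's experiment: an 'allow all ICMP' rule plus an ICMP type 8 code 0
    rule (constructed sample) on the chain name quoted in the thread."""
    chain = "neutron-linuxbri-i4533da4f-1"
    rules = [SecurityGroupRule("ingress", "IPv4", "icmp"),
             SecurityGroupRule("ingress", "IPv4", "icmp", 8, 0)]
    return [rule_to_iptables(r, chain, port_arg) for r in rules]


def ra_from_gateway(gateway_lla: str, chain: str) -> str:
    """The blueprint's use case: accept RA (ICMPv6 type 134) only from a known
    gateway link-local address; gateway_lla is a constructed sample value."""
    rule = SecurityGroupRule("ingress", "IPv6", "icmpv6", 134, None, gateway_lla)
    return rule_to_iptables(rule, chain)
```

Running brian_case(port_arg_buggy) yields the two identical "-p icmp -j RETURN" lines from the thread; brian_case() yields a distinct "--icmp-type 8/0" rule instead.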