Add ipset to security group

https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security

Now neutron uses iptables to achieve security group functions, but iptables chain is linear storage and filtering, we can use ipset to improve security group’s performance.

Problem description

Now neutron uses iptables to achieve security group functions, but there are following problems.

Problem 1: When a security group has many rules between other security group, this would affect security group’s performance.

Problem 2: When a port is updated, the security group chain related to that port will be destroyed and rebuilt, this would affect L2 agent’s performance.

Proposed change

The proposal is to improve security group performance based on existing security group agent codes.

In L2 agent, it makes use of ipset to optimize the iptables rule chain. When a port is created, L2 agent will add a additional ipset chain to it’s iptables chain, if the security group that this port belongs to has rules between other security group, the member of that security group will add to ipset chain.

When a port is created in default security group, its corresponding iptables rules in L2 agent like these(old result): -A neutron-openvswi-i92605eaf-b -m state –state INVALID -j DROP -A neutron-openvswi-i92605eaf-b -m state –state RELATED,ESTABLISHED -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.20/32 -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.19/32 -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.16/32 -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.17/32 -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.18/32 -j RETURN -A neutron-openvswi-i92605eaf-b -s 192.168.83.15/32 -j RETURN

The new iptables rules by using ‘iptables+ipset’ like these: -A neutron-openvswi-i92605eaf-b -m state –state INVALID -j DROP -A neutron-openvswi-i92605eaf-b -m state –state RELATED,ESTABLISHED -j RETURN -A neutron-openvswi-i92605eaf-b -m set –match-set ${ipset_name} src -j RETURN

The ipset chain like this: Name: ${ipset_name} Type: hash:ip Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16632 References: 1 Members: 192.168.83.16 192.168.83.17 192.168.83.15 192.168.83.18 192.168.83.19 192.168.83.20

Alternatives

None.

Data model impact

None.

REST API impact

None.

Security impact

None.

Notifications impact

None.

Other end user impact

None.

Performance Impact

1) iptables-save/iptables-load time will be greatly reduced, as we just need to modify one ipset per security group, and not all the bunch of duplicated rules per port.

2) With iptables, kernel has to linearly go evaluating after all iptables rules in chain order, while for an ipset in iptables, a lots of rules will become into a “hash” with much faster evaluation.

Other deployer impact

Considered a deployer doesn’t provide ipset in their system, using ‘iptables+ipset’ to enhance security group will be optional. A configuration flag will be added to L2 agent configuration file:

[securitygroup] enable_ipset_enhancement = False

Developer impact

None.

Implementation

Assignee(s)

Primary assignee:
https://launchpad.net/~shihanzhang
Other contributors:
https://launchpad.net/~mangelajo

Work Items

  • Improve ‘security_group_rules_for_devices’
  • Add ipset chain in ‘_add_rule_by_security_group’
  • Unit tests

Dependencies

None.

Testing

Unit tests should be enough, as this is to optimize already existing functionality which is already covered by tempest

Documentation Impact

None.