From f57b59a1791d5d5bf2b7a7d292fc36cfa1cec9c9 Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Fri, 2 Oct 2020 13:26:27 +0200 Subject: [PATCH] [Doc] Add section about diffs between ovs and iptables fw drivers And add note about different handling of packets marked as INVALID by both those drivers. Change-Id: I3d436289073e95312e5f5077acabd136266b9e8a Closes-Bug: #1896587 --- doc/source/admin/config-ovsfwdriver.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/source/admin/config-ovsfwdriver.rst b/doc/source/admin/config-ovsfwdriver.rst index fa0e310f871..e52484f9272 100644 --- a/doc/source/admin/config-ovsfwdriver.rst +++ b/doc/source/admin/config-ovsfwdriver.rst @@ -67,3 +67,25 @@ kernel modules at boot time, for example, ``/etc/modules``. Check with your distribution for further information. This isn't necessary to use ``gre`` tunnel network type Neutron. + +Differences between OVS and iptables firewall drivers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Both OVS and iptables firewall drivers should always behave in the same way if +the same rules are configured for the security group. But in some cases that is +not true and there may be slight differences between those drivers. + ++----------------------------------------+-----------------------+-----------------------+ +| Case | OVS | iptables | ++========================================+=======================+=======================+ +| Traffic marked as INVALID by conntrack | Blocked | Allowed because it | +| but matching some of the SG rules | | first matches SG rule,| +| (please check [1]_ and [2]_ | | never reaches rule to | +| for details) | | drop invalid packets | ++----------------------------------------+-----------------------+-----------------------+ + +References +~~~~~~~~~~ + +.. [1] https://bugs.launchpad.net/neutron/+bug/1460741 +.. [2] https://bugs.launchpad.net/neutron/+bug/1896587
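Review bot: the new table states the behavioural difference (OVS blocks conntrack-INVALID traffic even when an SG rule matches; iptables allows it because the SG rule is evaluated before the drop-invalid rule) but the section never spells out the operational consequence for the reader of an admin guide. Suggest one sentence after the table, for example: "As a result, traffic that was allowed by the iptables driver because it matched a security group rule despite being marked INVALID will be dropped after switching to the OVS driver; see [1]_ and [2]_ for examples." Minor wording in the intro paragraph: "the same rules are configured for the security group" reads better as "the same security group rules are configured", and "there may be slight differences" understates a case where one driver drops and the other forwards; "there are differences" is more accurate to the table below it.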