Project: vpp

VPP-428: VPP Reflexive ACLs (connection tracking)

    • Type: Improvement
    • Resolution: Open
    • Priority: Medium
    • Affects Version/s: 17.04
    • Fix Version/s: None
    • Component/s: Security Groups
    • Labels: None

      Enable stateful filtering (similar to reflexive ACLs) to support the following OpenStack use-case for security groups and FWaaS.

      The behaviour would be:

      • By default all incoming traffic to a VM is denied
      • An ACL allows outbound traffic from a VM
      • For connections which are initiated by the VM, a pinhole is opened to allow the return traffic of that connection back in (which makes the above outgoing ACL "reflexive")

      Stateful classifiers are to be supported on:

      • L2 / bridged interfaces (for security groups)
      • L3 / routed interfaces (for FWaaS)

      OpenStack refers to this feature as "connection tracking". From an implementation perspective, we could consider having a single set of code for connection tracking which could also be used for SNAT in the future (for now SNAT is stateless only).
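      The three behaviours above (default-deny inbound, permit outbound, pinhole for return traffic) can be modelled as a small connection tracker keyed on the 5-tuple. The following is an added illustration written for this page, not VPP or ACL-plugin code: the class names, the single VM address, the idle timeout value and the constructed packets are all assumptions chosen for the demonstration. It also shows the two checks a practitioner would expect: the pinhole closes when the flow goes idle, and an outbound packet that does not carry the VM's own address is not allowed to open one.

```python
"""Toy reflexive ACL (stateful filter) for one VM port.

Added example, not VPP or ACL-plugin code. Names, timeout and packets are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Session key: (proto, initiator ip, initiator port, responder ip, responder port)
SessionKey = Tuple[str, str, int, str, int]


class ReflexiveAcl:
    """Default-deny inbound; permit outbound and reflect it as a return pinhole."""

    def __init__(self, vm_ip: str, idle_timeout: float = 30.0) -> None:
        self.vm_ip = vm_ip                 # the protected VM's own address
        self.idle_timeout = idle_timeout   # hypothetical idle timer, seconds
        self.sessions: Dict[SessionKey, float] = {}  # key -> last time seen

    @staticmethod
    def _key(p: Packet) -> SessionKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> SessionKey:
        # Swapping the endpoints of an inbound packet yields the key of the
        # outbound packet that would have opened the pinhole.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _expire(self, now: float) -> None:
        # Pinholes are not permanent: drop flows idle longer than the timeout.
        stale = [k for k, seen in self.sessions.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def outbound(self, p: Packet, now: float) -> bool:
        """Egress from the VM: permit and record the flow ("permit + reflect")."""
        self._expire(now)
        if p.src_ip != self.vm_ip:
            # A VM must not open pinholes for addresses it does not own
            # (otherwise it could pre-authorise inbound traffic to a neighbour).
            return False
        self.sessions[self._key(p)] = now
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        """Ingress to the VM: default deny, except return traffic of a tracked flow."""
        self._expire(now)
        k = self._reverse_key(p)
        if k in self.sessions:
            self.sessions[k] = now   # refresh the idle timer on matching return traffic
            return True
        return False


def demo() -> List[Tuple[str, bool]]:
    """Run constructed traffic through the filter and return the verdicts."""
    acl = ReflexiveAcl(vm_ip="10.0.0.5", idle_timeout=30.0)
    out = Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)   # VM -> web server
    ret = Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 40000)   # matching reply
    probe = Packet("tcp", "192.0.2.10", 443, "10.0.0.5", 40001)  # unsolicited
    spoof = Packet("tcp", "10.0.0.9", 40000, "192.0.2.10", 443)  # not the VM's address
    return [
        ("unsolicited inbound before any session", acl.inbound(probe, 0.0)),
        ("VM initiates outbound",                  acl.outbound(out, 0.0)),
        ("return traffic through pinhole",         acl.inbound(ret, 1.0)),
        ("unsolicited inbound on other port",      acl.inbound(probe, 1.0)),
        ("spoofed source cannot open pinhole",     acl.outbound(spoof, 2.0)),
        ("return traffic after idle timeout",      acl.inbound(ret, 100.0)),
    ]


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{'PERMIT' if allowed else 'DENY  '}  {label}")
```

      The L2 (security group) and L3 (FWaaS) cases differ only in where the classifier is attached; the session table and the reversed-key lookup are the same, which is the point made above about sharing one connection-tracking code path.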
      See also:

            Assignee: Andrew Yourtchenko (ayourtch)
            Reporter: Frank Brockners (brockners)
            Votes: 0
            Watchers: 2
