commit f57b59a1791d5d5bf2b7a7d292fc36cfa1cec9c9 Author: Slawek Kaplonski Date: Fri Oct 2 13:26:27 2020 +0200 [Doc] Add section about diffs between ovs and iptables fw drivers And add note about different handling of packets marked as INVALID by both those drivers. Change-Id: I3d436289073e95312e5f5077acabd136266b9e8a Closes-Bug: #1896587 diff --git a/doc/source/admin/config-ovsfwdriver.rst b/doc/source/admin/config-ovsfwdriver.rst index fa0e310..e52484f 100644 --- a/doc/source/admin/config-ovsfwdriver.rst +++ b/doc/source/admin/config-ovsfwdriver.rst @@ -67,3 +67,25 @@ kernel modules at boot time, for example, ``/etc/modules``. Check with your distribution for further information. This isn't necessary to use ``gre`` tunnel network type Neutron. + +Differences between OVS and iptables firewall drivers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Both OVS and iptables firewall drivers should always behave in the same way if +the same rules are configured for the security group. But in some cases that is +not true and there may be slight differences between those drivers. + ++----------------------------------------+-----------------------+-----------------------+ +| Case | OVS | iptables | ++========================================+=======================+=======================+ +| Traffic marked as INVALID by conntrack | Blocked | Allowed because it | +| but matching some of the SG rules | | first matches SG rule,| +| (please check [1]_ and [2]_ | | never reaches rule to | +| for details) | | drop invalid packets | ++----------------------------------------+-----------------------+-----------------------+ + +References +~~~~~~~~~~ + +.. [1] https://bugs.launchpad.net/neutron/+bug/1460741 +.. [2] https://bugs.launchpad.net/neutron/+bug/1896587
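Review bot: the new table row describes the iptables behaviour (INVALID-marked traffic allowed because the SG rule matches before the drop-invalid rule) but leaves the reader to infer which driver is behaving as intended and what changes for them; suggest adding a sentence after the table stating that dropping conntrack-INVALID packets regardless of SG rules is the expected behaviour, that the iptables side is the deviation tracked in [2]_, and that flows which currently depend on the iptables leniency will be blocked after switching to the OVS driver, so operators should check for such traffic (or loosen the relevant SG rules consciously) before migrating. It would also help to say what "marked as INVALID" means in practice, e.g. packets conntrack cannot associate with a known connection, so the row is actionable without following both bug links.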