firewall semantics and connection tracking in Neutron

asked 2014-09-24 08:38:09 -0600

Sam Whitlock

I'm trying to implement my own firewall (for a research project) to replace the IpTables firewall, and I'm not sure about the semantics of the firewall interface.

My question is specifically this: does the firewall (agent.firewall.Firewall) require stateful (e.g., connection tracking) semantics?

The only examples I can find, the IpTables firewall and the OVS derivative, take advantage of the conntrack module for iptables (the INVALID and RELATED,ESTABLISHED rules in the neutron chains). This is more secure because it doesn't rely on the VMs being trusted entities. As a counterexample, a stateless firewall would (likely) allow packets through from an invalid TCP stream if two VMs have been subverted (e.g. by sending each other packets that are valid with respect to port number and IP range, but without starting a SYN connection). The IpTables firewall does _not_ exhibit this behavior.

I couldn't find a lot of documentation on the architecture and the code seems a little ambiguous.

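The stateless-versus-stateful difference the question describes, as an added worked example that is not part of the original post and not Neutron code. The `Packet` class, the `ConnTracker` model, the single security-group-style rule (TCP/22 from 10.0.0.0/24) and the two VM addresses are all assumptions made for the illustration; the tracker only models whether a flow was opened with a SYN and answered with a SYN/ACK, which is far less than real conntrack checks.

```python
"""Toy model (added example, not Neutron code) of a stateless packet filter
versus the conntrack-backed evaluation order the IpTables firewall driver uses:
drop INVALID, accept RELATED,ESTABLISHED, then apply rules only to NEW flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})


# Hypothetical security-group rule: allow TCP to port 22 from 10.0.0.0/24.
# A string prefix match stands in for CIDR matching to keep the toy small.
ALLOWED_SRC_PREFIX = "10.0.0."
ALLOWED_DPORT = 22


def rule_matches(pkt):
    return pkt.src.startswith(ALLOWED_SRC_PREFIX) and pkt.dport == ALLOWED_DPORT


def stateless_filter(packets):
    """Each packet is judged on its own header; nothing is remembered."""
    return ["ACCEPT" if rule_matches(p) else "DROP" for p in packets]


class ConnTracker:
    """Minimal stand-in for conntrack's NEW / ESTABLISHED / INVALID
    classification of TCP. Real conntrack also validates sequence numbers
    and windows and has many more states; this only records whether a flow
    was opened by a bare SYN and answered by a SYN/ACK from the other side."""
    SYN = frozenset({"SYN"})
    SYN_ACK = frozenset({"SYN", "ACK"})

    def __init__(self):
        self.flows = {}  # direction-independent 4-tuple -> (state, originator)

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def classify(self, pkt):
        k = self.key(pkt)
        entry = self.flows.get(k)
        if entry is None:
            if pkt.flags == self.SYN:             # only a bare SYN opens a flow
                self.flows[k] = ("SYN_SENT", (pkt.src, pkt.sport))
                return "NEW"
            return "INVALID"                      # mid-stream packet, no handshake seen
        state, originator = entry
        if state == "SYN_SENT":
            if pkt.flags == self.SYN and (pkt.src, pkt.sport) == originator:
                return "NEW"                      # SYN retransmit from the originator
            if pkt.flags == self.SYN_ACK and (pkt.src, pkt.sport) != originator:
                self.flows[k] = ("ESTABLISHED", originator)
                return "ESTABLISHED"
            return "INVALID"
        return "ESTABLISHED"


def stateful_filter(packets):
    """Same rule set, evaluated the way the neutron iptables chains order it."""
    ct = ConnTracker()
    verdicts = []
    for p in packets:
        state = ct.classify(p)
        if state == "INVALID":
            verdicts.append("DROP")               # -m state --state INVALID -j DROP
        elif state == "ESTABLISHED":
            verdicts.append("ACCEPT")             # -m state --state RELATED,ESTABLISHED -j ACCEPT
        else:                                     # NEW: consult the security-group rules
            verdicts.append("ACCEPT" if rule_matches(p) else "DROP")
    return verdicts


# Constructed sample traffic between two hypothetical VMs.
A, B = "10.0.0.5", "10.0.0.6"
HANDSHAKE = [
    Packet(A, 40000, B, 22, frozenset({"SYN"})),
    Packet(B, 22, A, 40000, frozenset({"SYN", "ACK"})),
    Packet(A, 40000, B, 22, frozenset({"ACK"})),
]
# Two colluding VMs: valid addresses and port, but no SYN was ever sent.
FORGED = [
    Packet(A, 40000, B, 22, frozenset({"ACK"})),
    Packet(A, 40000, B, 22, frozenset({"PSH", "ACK"})),
]

if __name__ == "__main__":
    for name, traffic in (("handshake", HANDSHAKE), ("forged", FORGED)):
        print(name, "stateless:", stateless_filter(traffic))
        print(name, "stateful: ", stateful_filter(traffic))
```

Two things fall out of the run. The forged stream is accepted by the stateless filter because every header satisfies the rule, while the tracker classifies it INVALID and drops it, which is the property the question is after. Less obviously, the stateless filter also drops the legitimate SYN/ACK, because the return direction (B:22 to A:40000) matches no rule; a stateless replacement needs an explicit reverse-path rule for every allowed flow, whereas the RELATED,ESTABLISHED accept covers it automatically.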