An introduction to iptables

In the reference architecture, the security group functionality relies on iptables to perform traffic filtering. Iptables is a firewall built into Linux that allows a system administrator to define tables containing chains of rules that determine how network packets should be treated. Packets are processed by sequentially traversing rules in chains within the following tables:

  • Raw: This is a default table that filters packets before any other table. It is mainly used to configure exemptions from connection tracking and is not used by security groups or FWaaS.
  • Filter: This is a default table to filter packets.
  • NAT: This is a default table used for network address translation.
  • Mangle: This is a default table used for specialized packet alteration and is not used by security groups or FWaaS.

A rule in a chain can cause a jump to another chain, which in turn can jump to another chain and so on. This behavior can be repeated to whatever level of nesting is desired. If the traffic does not match the rules of a subchain, the system recalls the point at which the jump occurred and returns to this point for further processing. When iptables is enabled, every network packet arriving at or leaving an interface traverses at least one chain.

There are five default chains, and the origin of the packet determines which chain will be initially traversed. The five default chains include:

  • PREROUTING: Packets will enter this chain before a routing decision is made. This chain is not used for security group rules but for the floating IP functionality within a router namespace. The PREROUTING chain is used by the raw, mangle, and NAT tables.
  • INPUT: This is used when a packet is to be locally delivered to the host machine. The INPUT chain is used by the mangle and filter tables.
  • FORWARD: All packets that are routed and not used for local delivery will traverse this chain. The FORWARD chain is used by the mangle and filter tables.
  • OUTPUT: Packets sent from the host machine itself will traverse this chain. The OUTPUT chain is used by the raw, mangle, NAT, and filter tables.
  • POSTROUTING: Packets will enter this chain when a routing decision has been made. This chain is not used for security group rules but for the floating IP functionality within a router namespace. The POSTROUTING chain is used by the mangle and NAT tables.

Each rule in a chain contains criteria that packets can be matched against. The rule may also contain a target, such as another chain or a verdict such as DROP or ACCEPT. As a packet traverses a chain, each rule is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target or verdict.

Possible verdicts include:

  • ACCEPT: The packet is accepted and sent to the application for processing
  • DROP: The packet is dropped silently
  • REJECT: The packet is dropped and an error message is sent to the sender
  • LOG: the packet details are logged
  • DNAT: This rewrites the destination IP of the packet
  • SNAT: This rewrites the source IP of the packet
  • RETURN: This returns the processing to the calling chain

The ACCEPT, DROP, and REJECT verdicts are often used by the filter table. Common rule criteria include:

  • -p <protocol>: This matches protocols such as TCP, UDP, ICMP, and more
  • -s <ip_addr>: This matches the source IP address
  • -d <ip_addr>: This matches the destination IP address
  • --sport: This matches the source port
  • --dport: This matches the destination port
  • -i <interface>: This matches the interface on which the packet arrived
  • -o <interface>: This matches the interface through which the packet leaves

The difference in the application of iptables rules between security groups and FWaaS can be seen in further detail later in this chapter and in Chapter 11, Firewall as a Service.

For more information on iptables, visit the following resources:

Using ipset

In past OpenStack releases, for every security group referenced in a rule that was created, an exponential number of iptables rules were created that corresponded to each source and destination pair of addresses and ports. This behavior resulted in poor L2 agent performance as well as race conditions, where virtual machine instances were connected to the virtual bridge but unable to successfully connect to the network.

Beginning with the Juno release, the ipset extension to iptables is utilized in an attempt to reduce the number of iptables rules required by creating groups of addresses and ports that are stored efficiently for a fast lookup.

Without ipset, iptables rules that allow connections on port 80 to a set of web instances may resemble the following:

iptables -A INPUT -p tcp -d 1.1.1.1 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 2.2.2.2 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 3.3.3.3 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 4.4.4.4 --dport 80 -j ACCEPT

The preceding match syntax, -d x.x.x.x, means "match packets whose destination address is x.x.x.x". To allow all four addresses, four separate iptables rules with four separate match specifications must be defined.

Alternatively, a combination of ipset and iptables commands can be used to achieve the same result:

ipset -N webset iphash
ipset -A webset 1.1.1.1
ipset -A webset 2.2.2.2
ipset -A webset 3.3.3.3
ipset -A webset 4.4.4.4
iptables -A INPUT -p tcp -m set --match-set webset dst --dport 80 -j ACCEPT

The ipset commands create a new set, webset, and add four addresses to it. The iptables command references the set with -m set --match-set webset dst, which means "match packets whose destination address matches an entry in the set named webset".

Using an ipset, only one rule is required to accomplish what took four rules before. The savings are small in this example, but as instances are added to security groups and security group rules are configured, the reduction in rules has a noticeable impact on performance and reliability.
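The chain traversal described earlier in this section (sequential rule matching, jumps into sub-chains, RETURN handing the packet back, and the default policy applying when nothing matches) and the per-address versus ipset comparison above, as an added example: a small Python model of the filter table. This is not code from the book, from iptables, or from OpenStack; the FilterTable class, the web-chain sub-chain, and the sample source addresses 192.0.2.0/24 and 203.0.113.7 are all constructed for illustration, while the four web server addresses are the ones from the rules above. A plain Python set stands in for ipset's hash lookup.

```python
"""Toy model of iptables filter-table chain traversal (added example; not code
from the book, iptables, or OpenStack).

A chain is an ordered list of rules, a rule is a set of match criteria plus a
target, and a target is either a verdict (ACCEPT, DROP, REJECT, RETURN) or the
name of another chain to jump to. Named address sets stand in for ipset so an
``-m set --match-set NAME dst`` rule can be modelled as well. All addresses and
packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
MAX_NESTING = 32  # guard against a chain that jumps back into itself


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0


@dataclass
class Rule:
    target: str                     # verdict, or name of the chain to jump to
    proto: Optional[str] = None     # -p <protocol>
    src: Optional[str] = None       # -s <ip_addr or CIDR>
    dst: Optional[str] = None       # -d <ip_addr or CIDR>
    dport: Optional[int] = None     # --dport
    dst_set: Optional[str] = None   # -m set --match-set <name> dst


def _in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class FilterTable:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)     # default verdict per built-in chain
    sets: Dict[str, Set[str]] = field(default_factory=dict)  # ipset equivalents

    def matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.proto is not None and rule.proto != pkt.proto:
            return False
        if rule.src is not None and not _in_net(pkt.src, rule.src):
            return False
        if rule.dst is not None and not _in_net(pkt.dst, rule.dst):
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        if rule.dst_set is not None and pkt.dst not in self.sets.get(rule.dst_set, set()):
            return False
        return True

    def traverse(self, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """Walk one chain; return a final verdict, or None when the chain hands the
        packet back to its caller (explicit RETURN or falling off the end)."""
        if depth > MAX_NESTING:
            raise RecursionError(f"chain nesting deeper than {MAX_NESTING}")
        for rule in self.chains.get(chain, []):
            if not self.matches(rule, pkt):
                continue                   # no match: examine the next rule
            if rule.target == "RETURN":
                return None
            if rule.target in VERDICTS:
                return rule.target
            # Jump to a user-defined chain; if it hands the packet back, resume here.
            verdict = self.traverse(rule.target, pkt, depth + 1)
            if verdict is not None:
                return verdict
        return None

    def decide(self, chain: str, pkt: Packet) -> str:
        """Verdict for a packet entering a built-in chain; the chain policy applies
        when every rule and every sub-chain hands the packet back."""
        return self.traverse(chain, pkt) or self.policy.get(chain, "ACCEPT")


WEB_SERVERS = ["1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"]   # the addresses from the rules above


def per_address_table() -> FilterTable:
    """One ACCEPT rule per web server, as in the pre-ipset ruleset."""
    t = FilterTable(policy={"INPUT": "DROP"})
    t.chains["INPUT"] = [Rule("ACCEPT", proto="tcp", dst=a, dport=80) for a in WEB_SERVERS]
    return t


def ipset_table() -> FilterTable:
    """The same policy as a single rule against the set ``webset``."""
    t = FilterTable(policy={"INPUT": "DROP"})
    t.sets["webset"] = set(WEB_SERVERS)
    t.chains["INPUT"] = [Rule("ACCEPT", proto="tcp", dst_set="webset", dport=80)]
    return t


def subchain_table() -> FilterTable:
    """Jump/RETURN semantics: INPUT jumps to web-chain for port 80; web-chain hands a
    (constructed) blocked source range back with RETURN, and INPUT's next rule REJECTs it."""
    t = ipset_table()
    t.chains["INPUT"] = [Rule("web-chain", proto="tcp", dport=80), Rule("REJECT", proto="tcp", dport=80)]
    t.chains["web-chain"] = [Rule("RETURN", src="192.0.2.0/24"), Rule("ACCEPT", dst_set="webset")]
    return t


def rule_count(t: FilterTable) -> int:
    return sum(len(rules) for rules in t.chains.values())
```

Running decide("INPUT", ...) on the same packets against per_address_table() and ipset_table() gives identical verdicts while rule_count drops from four to one, and subchain_table() shows why RETURN matters: a packet from the blocked range is handed back to INPUT and hits the REJECT rule that follows the jump, whereas a packet that merely fails every rule in web-chain falls through to the same place.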
