Using ipset

In OpenStack releases prior to Juno, every security group referenced by a rule resulted in an exponential number of iptables rules, one for each source and destination pair of addresses and ports. This behavior caused poor L2 agent performance as well as race conditions in which virtual machine instances were connected to the virtual bridge but were unable to connect to the network.

Beginning with the Juno release, the ipset extension to iptables is used to reduce the number of iptables rules required by grouping addresses and ports into sets that are stored efficiently for fast lookup.

Without ipset, iptables rules that allow connections on port 80 to a set of web instances may resemble the following:

iptables -A INPUT -p tcp -d 1.1.1.1 --dport 80 -j RETURN
iptables -A INPUT -p tcp -d 2.2.2.2 --dport 80 -j RETURN
iptables -A INPUT -p tcp -d 3.3.3.3 --dport 80 -j RETURN
iptables -A INPUT -p tcp -d 4.4.4.4 --dport 80 -j RETURN

The match syntax -d x.x.x.x in the preceding code means "match packets whose destination address is x.x.x.x". To allow all four addresses, four separate iptables rules with four separate match specifications must be defined.

Alternatively, a combination of ipset and iptables commands can be used to achieve the same result:

ipset -N webset iphash
ipset -A webset 1.1.1.1
ipset -A webset 2.2.2.2
ipset -A webset 3.3.3.3
ipset -A webset 4.4.4.4
iptables -A INPUT -p tcp -m set --match-set webset dst --dport 80 -j RETURN

The ipset commands create a new set named webset and populate it with four addresses. The iptables command references the set with -m set --match-set webset dst, which means "match packets whose destination address matches an entry in the set named webset".

By using an ipset, only one rule is required to accomplish what previously took four rules. The savings are small in this example, but as instances are added to security groups and security group rules are configured, the reduction in rules has a noticeable impact on performance and reliability.
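The following POSIX shell script is an added example, not code from the book or from OpenStack Neutron. It generates both forms of the rule set for a list of member addresses and counts how many iptables rules each form needs, so the growth described above can be checked before anything is loaded into a live firewall. The set name webset and port 80 come from the text; the member list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): emit the per-address iptables rules and
# the ipset-based equivalent for a list of instance addresses, then count the
# iptables rules each approach requires. Nothing here touches the kernel; the
# output is a script you can review and, if desired, pipe into sh as root.

# Constructed sample: addresses of web instances in one security group.
WEB_MEMBERS="1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4"

# Pre-Juno style: one iptables rule per destination address.
# usage: per_address_rules PORT ADDR...
per_address_rules() {
    port=$1; shift
    for addr in "$@"; do
        printf 'iptables -A INPUT -p tcp -d %s --dport %s -j RETURN\n' "$addr" "$port"
    done
}

# ipset style: create the set, add each member, then a single iptables rule
# that matches on set membership. iphash (hash:ip) holds IPv4 by default.
# usage: ipset_rules SETNAME PORT ADDR...
ipset_rules() {
    setname=$1; port=$2; shift 2
    printf 'ipset -N %s iphash\n' "$setname"
    for addr in "$@"; do
        printf 'ipset -A %s %s\n' "$setname" "$addr"
    done
    printf 'iptables -A INPUT -p tcp -m set --match-set %s dst --dport %s -j RETURN\n' \
        "$setname" "$port"
}

# Count iptables rules in a generated script read from stdin.
# "|| true" keeps the count of 0 from being reported as an error by grep.
count_iptables_rules() {
    grep -c '^iptables ' || true
}

# Stand-alone demonstration: print both scripts and their rule counts.
echo "# per-address form:"
per_address_rules 80 $WEB_MEMBERS
echo "# iptables rules needed: $(per_address_rules 80 $WEB_MEMBERS | count_iptables_rules)"
echo "# ipset form:"
ipset_rules webset 80 $WEB_MEMBERS
echo "# iptables rules needed: $(ipset_rules webset 80 $WEB_MEMBERS | count_iptables_rules)"
```

The per-address form grows with the member count while the ipset form stays at one iptables rule regardless of how many addresses are added to webset. Note that iphash (hash:ip) stores IPv4 addresses by default; IPv6 members need a separate set created with `family inet6`, so a security group with both address families produces two sets and two iptables rules rather than one.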
