Currently, FWaaS uses conntrack [1] to control network connections [2]. However, in a large-scale system that requires updating, adding or deleting up to thousands of firewall rules, executing thousands of conntrack commands to delete conntrack entries takes a long time. In a performance test, conntrack took up to 458.40 seconds to apply 10.000 firewall rules [3]. This turns updating the firewall, which bears directly on system security, into a significant threat.
We would like to introduce a new method to address this problem: a Netlink-based solution [4]. This patch saves time by developing a Netlink library so that the iptables_fwaas driver no longer has to run thousands of conntrack commands (each of which spawns a Python subprocess). The performance test [3] shows that our solution takes only 5.41 seconds (up to 98% time saving) to apply 10.000 firewall rules.
Our solution has been applied to FWaaS v1 in the Ocata cycle, and it is being applied to FWaaS v2 and Neutron.
(Demo included)
- How does FWaaS close network connections?
- The current problem when FWaaS applies a large number of firewall rules
- An approach to improve FWaaS performance