Implement Nova compute instance traffic logging and rate limiting
In order to be compliant with some security requirements, I would like to implement a switch that, when turned on, would add iptables logging parameters to each firewall rule and also introduce iptables rate-limiting of packets that would be configurable on a global basis until some more metadata are added to the data structures.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: David Hill
- Direction: Needs approval
- Assignee: David Hill
- Definition: New
- Series goal: Proposed for trunk
- Implementation: Unknown
- Milestone target: ongoing
- Started by
- Completed by
Whiteboard
- This blueprint is based on bug #1316271 and OSSN-0018.
- This would need to be backported to grizzly, havana and icehouse, but is aimed at trunk for the time being.
- Implement rate limiting of the logging rules themselves, so that a packet flood cannot cause a denial of service by filling the logs. From the iptables manual:
  -m limit: require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
  --limit: the maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
- This would be useful for IDS of all kinds.
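The following is an added illustration of what the switch described above could produce for one instance chain; it is not Nova's code and was not part of this blueprint. It takes rule strings in the shape Nova's iptables firewall driver builds ("<matches> -j ACCEPT") and, when the (hypothetical, names assumed) global options are on, puts a rate-limited LOG rule with the same matches in front of every ACCEPT and optionally rate-limits the ACCEPT itself. The sample rules at the bottom are constructed.

```python
"""Added example, not Nova's own code: build an instance chain's iptables
rules with the blueprint's switch for accepted-traffic logging and a
global packet rate limit. Rule strings follow the shape Nova's iptables
firewall driver emits ('<matches> -j ACCEPT'); the option names are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# iptables -m limit rate syntax: "<n>/second|minute|hour|day"
_RATE_RE = re.compile(r"^[1-9]\d*/(second|minute|hour|day)$")
# the LOG target rejects --log-prefix values longer than 29 characters
_LOG_PREFIX_MAX = 29


@dataclass
class TrafficPolicy:
    """Hypothetical global options (names assumed, not Nova config names)."""
    log_accepted: bool = False         # the "switch" from the blueprint
    log_rate: str = "3/hour"           # -m limit default when --limit is omitted
    log_burst: int = 5                 # --limit-burst default
    log_prefix: str = "nova-accept "   # kernel log prefix, chain name appended
    packet_rate: Optional[str] = None  # e.g. "100/second"; None = no packet limit
    packet_burst: int = 5


def check_rate(rate: str) -> str:
    """Reject malformed rates before iptables-restore does, with a clearer error."""
    if not _RATE_RE.match(rate):
        raise ValueError(f"invalid iptables rate {rate!r}; expected e.g. 5/minute")
    return rate


def log_prefix_for(policy: TrafficPolicy, chain: str) -> str:
    """Per-chain prefix so log lines can be attributed to an instance; truncated
    to the LOG target's limit so the rule does not fail at apply time."""
    return (policy.log_prefix + chain + " ")[:_LOG_PREFIX_MAX]


def _join(*parts: str) -> str:
    return " ".join(p for p in parts if p)


def apply_policy(chain: str, rules: List[str], policy: TrafficPolicy) -> List[str]:
    """Return the chain's rules with the policy applied.

    For every '... -j ACCEPT' rule:
      * if log_accepted, a rate-limited LOG rule with the same matches is
        inserted in front of it (-m limit keeps a flood from filling the log);
      * if packet_rate is set, the ACCEPT itself is rate-limited; packets over
        the rate fall through to whatever follows in the chain.
    Other rules (DROP, RETURN, jumps) are passed through unchanged.
    """
    out: List[str] = []
    for rule in rules:
        if not rule.rstrip().endswith("-j ACCEPT"):
            out.append(rule)
            continue
        matches = rule.rstrip()[: -len("-j ACCEPT")].strip()
        if policy.log_accepted:
            out.append(_join(
                matches,
                f"-m limit --limit {check_rate(policy.log_rate)}",
                f"--limit-burst {policy.log_burst}",
                f'-j LOG --log-prefix "{log_prefix_for(policy, chain)}"',
            ))
        if policy.packet_rate:
            out.append(_join(
                matches,
                f"-m limit --limit {check_rate(policy.packet_rate)}",
                f"--limit-burst {policy.packet_burst}",
                "-j ACCEPT",
            ))
        else:
            out.append(rule)
    return out


if __name__ == "__main__":
    # constructed sample: rules as the driver would build them for one instance chain
    sample = [
        "-m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-p tcp -m tcp --dport 22 -j ACCEPT",
        "-j DROP",
    ]
    policy = TrafficPolicy(log_accepted=True, log_rate="5/minute")
    for line in apply_policy("inst-1", sample, policy):
        print(line)
```

One caveat worth keeping in mind when choosing the rate: -m limit is a single token bucket per rule, so one noisy source exhausts the logging budget of that rule for everyone matching it. Where per-source accounting matters, -m hashlimit with --hashlimit-mode srcip gives each source address its own budget at the cost of a kernel hash table per rule.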
Gerrit topic: https:/
Addressed by: https:/
Adding accepted traffic logging and ratelimiting
Addressed by: https:/
Adding firewall logging for instances.