Those are the current best methods. I've been looking at using Linux's conntracker and then having the ability for OVS to match the connection state. I have a prototype working, but it's too early to know whether it's a viable approach (both from a technical and upstream-able perspective). If it works out, I think it will provide a good combination of speed and correctness. We should know more about its viability in the next few weeks.
--Justin

On Dec 16, 2013, at 8:33 AM, Amir Sadoughi <[email protected]> wrote:

> How many different ways are there to create firewalls with OVS? So far, I
> know of:
>
> 1. reflexive learn actions
>
> 2. stateless ACLs with tcp_flags=ack
>
> Are there any other (better?) ways I am missing? My motivation being
> creating Open vSwitch-based security groups in OpenStack Neutron
> <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver>.
>
> Thanks in advance,
>
> Amir Sadoughi
>
> _______________________________________________
> discuss mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/discuss
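The two methods Amir lists, plus the conntrack-based approach Justin says he is prototyping, expressed as `ovs-ofctl` flow text. This is an added example, not code from either poster or from Open vSwitch itself. It assumes a hypothetical topology with a guarded VM on bridge port 1 and the rest of the network on port 2; the `ct()` action and `ct_state` match in the third function are the form the conntrack approach later took in mainline OVS, not the prototype described in the reply.

```shell
#!/bin/sh
# Added example: three ways to build an OVS firewall, as flow text that can be
# fed to "ovs-ofctl add-flows BRIDGE -". Topology is hypothetical: the guarded
# VM sits on $vm_port, everything else on $net_port.

# 1. Reflexive learn action: each TCP flow leaving the VM installs a table-1
#    flow matching the reverse 5-tuple, so only replies to connections the VM
#    opened are allowed back in (and only while the connection stays active).
reflexive_flows() {
    vm_port=$1; net_port=$2
    cat <<EOF
table=0,priority=100,in_port=$vm_port,tcp,actions=learn(table=1,idle_timeout=300,priority=100,NXM_OF_ETH_TYPE[],NXM_OF_IP_PROTO[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),output:$net_port
table=0,priority=100,in_port=$net_port,tcp,actions=resubmit(,1)
table=0,priority=0,actions=drop
table=1,priority=0,actions=drop
EOF
}

# 2. Stateless ACL on TCP flags: inbound segments must carry ACK, which stops a
#    bare inbound SYN from opening a connection. There is no per-connection
#    state, so any inbound segment with ACK set is forwarded regardless of
#    whether the VM ever started that conversation.
stateless_ack_flows() {
    vm_port=$1; net_port=$2
    cat <<EOF
table=0,priority=100,in_port=$vm_port,tcp,actions=output:$net_port
table=0,priority=100,in_port=$net_port,tcp,tcp_flags=+ack,actions=output:$vm_port
table=0,priority=0,actions=drop
EOF
}

# 3. Kernel connection tracking: untracked IP packets are sent through the
#    tracker, new connections from the VM are committed, and only established
#    connections are forwarded in either direction. Inbound "new" falls to the
#    table-1 drop.
conntrack_flows() {
    vm_port=$1; net_port=$2
    cat <<EOF
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
table=1,priority=100,in_port=$vm_port,ip,ct_state=+trk+new,actions=ct(commit),output:$net_port
table=1,priority=100,in_port=$vm_port,ip,ct_state=+trk+est,actions=output:$net_port
table=1,priority=100,in_port=$net_port,ip,ct_state=+trk+est,actions=output:$vm_port
table=1,priority=0,actions=drop
table=0,priority=0,actions=drop
EOF
}

# Count the flow lines a generator emits; works without a running switch.
count_flows() { "$1" "$2" "$3" | grep -c '^table='; }

# Push a generated table to a bridge, e.g.: apply_flows conntrack_flows br0 1 2
apply_flows() {
    command -v ovs-ofctl >/dev/null 2>&1 || { echo "ovs-ofctl not found" >&2; return 1; }
    "$1" "$3" "$4" | ovs-ofctl add-flows "$2" -
}
```

The reflexive variant only covers TCP as written; UDP needs a parallel flow using the UDP port fields, and non-IP traffic such as ARP is dropped by the priority-0 rules in all three tables, so a real deployment adds explicit ARP/DHCP flows. Comparing the second and third functions shows the gap the thread is about: the flag-based ACL is a single table with no memory, while the conntrack version gets direction-aware state from the kernel at the cost of a second pass through the tracker.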
