+ Jakub.

On Wed, Aug 10, 2016 at 9:54 AM, <kostiantyn.volenbovs...@swisscom.com> wrote:
> Hi,
>> [Mooney, Sean K]
>> In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x
>> kernel that supported it. That means that the feature was not available on
>> bsd, windows or with dpdk.
> Yup, I also thought about something like that.
> I think I was at-least-slightly misguided by
> http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
> and there is currently a statement
> "The native OVS firewall implementation requires kernel and user space
> support for conntrack, thus requiring minimum versions of the Linux kernel
> and Open vSwitch. All cases require Open vSwitch version 2.5 or newer."

I agree, that statement is misleading.

>
> Do you agree that this is something to change? I think it is not OK to state
> OVS 2.6 without that being released, but in case I am not confusing then:
> -OVS firewall driver with OVS that uses kernel datapath requires OVS 2.5 and
> Linux kernel 4.3
> -OVS firewall driver with OVS that uses userspace datapath with DPDK (aka
> ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a Linux
> kernel prerequisite
> That is documented in table in " ### Q: Are all features available with all
> datapaths?":
> http://openvswitch.org/support/dist-docs/FAQ.md.txt
> where currently 'Connection tracking' row says 'NO' for 'Userspace' - but
> that's exactly what has been merged recently /to become feature of OVS 2.6
>
> Also when it comes to performance I came across
> http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I would guess
> that devil could be the exact flows/ct actions that will be present in
> real-life scenario.
>
>
> BR,
> Konstantin
>
>
>> -----Original Message-----
>> From: Mooney, Sean K [mailto:sean.k.moo...@intel.com]
>> Sent: Tuesday, August 09, 2016 2:29 PM
>> To: Volenbovskyi Kostiantyn, INI-ON-FIT-CXD-ELC
>> <kostiantyn.volenbovs...@swisscom.com>; openstack-d...@lists.openstack.org
>> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
>> security group driver with ovs-dpdk
>>
>>
>> > -----Original Message-----
>> > From: kostiantyn.volenbovs...@swisscom.com
>> > [mailto:kostiantyn.volenbovs...@swisscom.com]
>> > Sent: Tuesday, August 9, 2016 12:58 PM
>> > To: openstack-dev@lists.openstack.org; Mooney, Sean K
>> > <sean.k.moo...@intel.com>
>> > Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
>> > security group driver with ovs-dpdk
>> >
>> > Hi,
>> > (sorry for using incorrect threading)
>> >
>> > > > About 2 weeks ago I did some light testing with the conntrack
>> > > > security group driver and the newly
>> > > > merged userspace conntrack support in ovs.
>> > > >
>> > By 'recently' - whether you mean patch v4
>> > http://openvswitch.org/pipermail/dev/2016-June/072700.html
>> > or you used OVS 2.5 itself (which I think includes v2 of the same
>> > patch series)?
>> [Mooney, Sean K] I used
>> http://openvswitch.org/pipermail/dev/2016-June/072700.html
>> or specifically I used the following commit
>> https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669
>> which is just after userspace conntrack was merged,
>> >
>> > So in general - I am a bit confused about conntrack support in OVS.
>> >
>> > OVS 2.5 release notes
>> > http://openvswitch.org/pipermail/announce/2016-February/000081.html state:
>> > "This release includes the highly anticipated support for connection
>> > tracking in the Linux kernel. This feature makes it possible to
>> > implement stateful firewalls and will be the basis for future stateful
>> > features such as NAT and load-balancing. Work is underway to bring
>> > connection tracking to the userspace datapath (used by DPDK) and the
>> > port to Hyper-V." - in the way that 'work is underway' (=work is
>> > ongoing) means that at the time of OVS 2.5 release the feature was not
>> > 'classified' as ready?
>> [Mooney, Sean K]
>> In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x
>> kernel that supported it. That means that the feature was not available on
>> bsd, windows or with dpdk.
>>
>> In the upcoming ovs 2.6 release conntrack support has been added to the
>> netdev datapath which is used with dpdk and on bsd. As far as I am aware
>> windows conntrack support is still missing but I may be wrong.
>>
>> If you are interested the devstack local.conf I used to test that it
>> functioned is available here http://paste.openstack.org/show/552434/
>>
>> I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces to do
>> the testing.
>>
>>
>> >
>> >
>> > BR,
>> > Konstantin
>> >
>> >
>> > > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K <sean.k.moo...@intel.com> wrote:
>> > > > Hi just a quick fyi,
>> > > >
>> > > > About 2 weeks ago I did some light testing with the conntrack security
>> > > > group driver and the newly merged userspace conntrack support in ovs.
>> > > >
>> > > > I can confirm that at least from my initial smoke tests, where I used
>> > > > netcat, ping and ssh to try and establish connections between two vms,
>> > > > the conntrack security group driver appears to function correctly with
>> > > > the userspace connection tracker.
>> > > >
>> > > > We have not looked at any of the performance yet but assuming it is at
>> > > > an acceptable level I am planning to deprecate the learn action based
>> > > > driver in networking-ovs-dpdk and remove it once we have cut the stable
>> > > > newton branch.
>> > > >
>> > > > We hope to do some rfc 2544 throughput testing to evaluate the
>> > > > performance sometime mid-September.
>> > > >
>> > > > Assuming all goes well I plan on enabling the conntrack based security
>> > > > group driver by default when the networking-ovs-dpdk devstack plugin is
>> > > > loaded. We will also evaluate enabling the security group tests in our
>> > > > third party ci to ensure it continues to function correctly with
>> > > > ovs-dpdk.
>> > > >
>> > > > Regards
>> > > > Seán
>> > > >
>> > > > __________________________________________________________________________
>> > > > OpenStack Development Mailing List (not for usage questions)
>> > > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev