Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-24 Thread Tapio Tallgren
Thanks! I got it now: OpenStack already allows all "related" connections, and you need connection tracking for that. This was not very clear to me from the documentation... -Tapio On Mon, Nov 23, 2015 at 10:14 PM Russell Bryant wrote: > On 11/23/2015 02:16 PM, Kevin Benton

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Kevin Benton
Security groups already use connection tracking. It's just done via a Linux bridge right now because the versions of OVS shipped with most distros have no native conntrack support. On Mon, Nov 23, 2015 at 2:55 AM, Tapio Tallgren wrote: > Hi, > > Sorry for the stupid

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Russell Bryant
On 11/23/2015 02:16 PM, Kevin Benton wrote: > Security groups already use connection tracking. It's just done via a > Linux bridge right now because the versions of OVS shipped with most > distros have no native conntrack support. This post discusses it in the context of OVN, but gets down to

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Fawad Khaliq
On Mon, Nov 23, 2015 at 3:08 PM, Jakub Libosvar wrote: > On 11/22/2015 07:28 PM, Gal Sagie wrote: > > Hi Fawad, > > > > From what I could understand from Miguel Angel Ajo, someone is working > > on this integration and it > > is supposed to be delivered as part of Mitaka. > >

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Tapio Tallgren
Hi, Sorry for the stupid question, but how will I use the connection tracking in security groups? Is there an extension to the Neutron API call "add security group rule" that allows for connection tracking, or is this for FWaaS only? -Tapio On Mon, Nov 23, 2015 at 12:39 PM Fawad Khaliq

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Fawad Khaliq
Hi Tapio, This is an improvement in the lower implementation layer where to support security groups, previously, we needed to have both OVS and Linux bridges. With an improvement in OVS, this can be avoided and we will only need OVS bridge. This does not affect the user interface to security

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-23 Thread Jakub Libosvar
On 11/22/2015 07:28 PM, Gal Sagie wrote: > Hi Fawad, > > From what I could understand from Miguel Angel Ajo, someone is working > on this integration and it > is supposed to be delivered as part of Mitaka. > I don't remember the person's name, Miguel will surely update shortly. > > Gal. Hi Fawad,

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-22 Thread Fawad Khaliq
Hi Gal, On Sun, Nov 22, 2015 at 11:28 PM, Gal Sagie wrote: > Hi Fawad, > > From what I could understand from Miguel Angel Ajo, someone is working on > this integration and it > is supposed to be delivered as part of Mitaka. > I don't remember the person's name, Miguel will

Re: [openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-22 Thread Gal Sagie
Hi Fawad, From what I could understand from Miguel Angel Ajo, someone is working on this integration and it is supposed to be delivered as part of Mitaka. I don't remember the person's name, Miguel will surely update shortly. Gal. On Sun, Nov 22, 2015 at 7:05 PM, Fawad Khaliq

[openstack-dev] [Neutron] Security Groups OVS conntrack support

2015-11-22 Thread Fawad Khaliq
Folks, Is there a plan to add conntrack support to the security groups for the OVS driver in Mitaka cycle? My understanding is that it is being actively worked on for networking-ovn but no concrete plan for support in the OVS Neutron driver yet. Thanks, Fawad Khaliq