Paul,
Beyond explicit configuration for the cloud operator, documentation and API
validation for the end user, is there anything specific you would like to see
as a “warning label”? Does iptables do TCP sequence number validation? Where we
can, we should strive to match iptables behavior.
Rega
Carl,
You are correct in both distinctions. Like I mentioned to Paul, beyond explicit
configuration for the cloud operator, documentation and API validation for the
end user, is there anything specific you would like to see as a “warning label”?
Amir
On Jun 3, 2014, at 9:01 AM, Carl Baldwin
m
Salvatore,
The 80% distinction came from a discussion I had at summit, representing that
the majority of features described by the current security groups could be
implemented today with OVS without connection tracking. It’s not based on any
mathematical calculation… more of a pseudo-applicatio
How does ovs handle tcp flows? Does it include stateful tracking of tcp --
as your wording below implies -- or does it do stateless inspection of
returning tcp packets? It appears it is the latter. This isn't the same
as providing a stateful ESTABLISHED feature. Many users may not fully
underst
Amir Sadoughi wrote:
>Specifically, OVS lacks connection tracking so it won't have a RELATED feature
>or stateful rules
>for non-TCP flows. (OVS connection tracking is currently under development, to
>be released by 2015
It definitely needs a big obvious warning label on this. A stateless fire
I would like to understand how did we get to this 80%/20% distinction.
In other terms, it seems conntrack's RELATED features won't be supported
for non-tcp traffic. What about the ESTABLISHED feature? The blueprint
specs refers to tcp_flags=ack.
Or will that be supported through the source port mat
Hi all,
In the Neutron weekly meeting today[0], we discussed the ovs-firewall-driver
blueprint[1]. Moving forward, OVS features today will give us "80%" of the
iptables security groups behavior. Specifically, OVS lacks connection tracking
so it won’t have a RELATED feature or stateful rules for