[openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk

Mooney, Sean K sean.k.mooney at intel.com
Tue Aug 9 12:28:47 UTC 2016


> -----Original Message-----
> From: Kostiantyn.Volenbovskyi at swisscom.com
> [mailto:Kostiantyn.Volenbovskyi at swisscom.com]
> Sent: Tuesday, August 9, 2016 12:58 PM
> To: openstack-dev at lists.openstack.org; Mooney, Sean K
> <sean.k.mooney at intel.com>
> Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
> security group driver with ovs-dpdk
> 
> Hi,
> (sorry for using incorrect threading)
> 
> > > About 2 weeks ago I did some light testing with the conntrack
> > > security group driver and the newly merged userspace conntrack
> > > support in ovs.
> > >
> By 'recently', do you mean patch v4
> http://openvswitch.org/pipermail/dev/2016-June/072700.html
> or did you use OVS 2.5 itself (which I think includes v2 of the same patch
> series)?
[Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016-June/072700.html, or specifically
I used the following commit https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669
which is just after userspace conntrack was merged.
> 
> So in general - I am a bit confused about conntrack support in OVS.
> 
> OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016-
> February/000081.html state:
> "This release includes the highly anticipated support for connection
> tracking in the Linux kernel.  This feature makes it possible to
> implement stateful firewalls and will be the basis for future stateful
> features such as NAT and load-balancing.  Work is underway to bring
> connection tracking to the userspace datapath (used by DPDK) and the
> port to Hyper-V."  - in the way that 'work is underway' (=work is
> ongoing) means that at the time of the OVS 2.5 release the feature was not
> 'classified' as ready?
[Mooney, Sean K]
In OVS 2.5 only Linux kernel conntrack was supported, assuming you had a
4.x kernel that supported it. That means that the feature was not available on BSD, Windows or with DPDK.

In the upcoming OVS 2.6 release conntrack support has been added to the
netdev datapath, which is used with DPDK and on BSD. As far as I am aware Windows conntrack support is still
missing but I may be wrong.

If you are interested, the devstack local.conf I used to test that it functioned is available here:
http://paste.openstack.org/show/552434/

I used an OpenStack VM using Ubuntu 16.04 and 2 e1000 interfaces to do the testing.


> 
> 
> BR,
> Konstantin
> 
> 
> 
> > On Sat, Aug 6, 2016 at 8:16 PM, Mooney, Sean K <sean.k.mooney at intel.com> wrote:
> > > Hi just a quick fyi,
> > >
> > > About 2 weeks ago I did some light testing with the conntrack security
> > > group driver and the newly merged userspace conntrack support in ovs.
> > >
> > > I can confirm that, at least from my initial smoke tests where I used
> > > netcat, ping and ssh to try and establish connections between two vms,
> > > the conntrack security group driver appears to function correctly with
> > > the userspace connection tracker.
> > >
> > > We have not looked at any of the performance yet but assuming it is at
> > > an acceptable level I am planning to deprecate the learn action based
> > > driver in networking-ovs-dpdk and remove it once we have cut the stable
> > > newton branch.
> > >
> > > We hope to do some rfc 2544 throughput testing to evaluate the
> > > performance sometime mid-September.
> > >
> > > Assuming all goes well I plan on enabling the conntrack based security
> > > group driver by default when the networking-ovs-dpdk devstack plugin is
> > > loaded. We will also evaluate enabling the security group tests in our
> > > third party ci to ensure it continues to function correctly with
> > > ovs-dpdk.
> > >
> > > Regards
> > > Seán
> > >
> > > _______________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev