<div dir="ltr">I don't think we can implement a <span style="font-family:arial,sans-serif;font-size:12.727272033691406px">stateful firewall[1] now.</span><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"><div>

Once connection tracking capability[2] is added to the Linux OVS, we</div><div>could start to implement the ovs-firewall-driver blueprint.</div><div><br></div></font><div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">[1] </span><a href="http://en.wikipedia.org/wiki/Stateful_firewall">http://en.wikipedia.org/wiki/Stateful_firewall</a></div>

</div><div>[2] <a href="http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS">http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS</a></div>

</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Nov 26, 2013 at 2:23 AM, Mike Wilson <span dir="ltr"><<a href="mailto:geekinutah@gmail.com" target="_blank">geekinutah@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Adding Jun to this thread since gmail is failing him.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra">

<br><br><div class="gmail_quote">On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi <span dir="ltr"><<a href="mailto:amir.sadoughi@rackspace.com" target="_blank">amir.sadoughi@rackspace.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
Yes, my work has been on ML2 with neutron-openvswitch-agent.  I’m interested to see what Jun Park has. I might have something ready before he is available again, but would like to collaborate regardless.
<span><font color="#888888"><div><br>
</div>
</font></span><div><span><font color="#888888">Amir</font></span><div><div><br>
<div><br>
</div>
<div><br>
<div>
<div>On Nov 19, 2013, at 3:31 AM, Kanthi P <<a href="mailto:pavuluri.kanthi@gmail.com" target="_blank">pavuluri.kanthi@gmail.com</a>> wrote:</div>
<br>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Thanks for the response!</div>
<div>Amir, Mike: Is your implementation being done according to the ML2 plugin?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Kanthi</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <span dir="ltr">
<<a href="mailto:geekinutah@gmail.com" target="_blank">geekinutah@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Kanthi,
<div><br>
</div>
<div>Just to reiterate what Kyle said, we do have an internal implementation using flows that looks very similar to security groups. Jun Park was the guy that wrote this and is looking to get it upstreamed. I think he'll be back in the office late next week.
 I'll point him to this thread when he's back.</div>
<span><font color="#888888">
<div><br>
</div>
<div>-Mike</div>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery)
<span dir="ltr"><<a href="mailto:kmestery@cisco.com" target="_blank">kmestery@cisco.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Nov 18, 2013, at 4:26 PM, Kanthi P <<a href="mailto:pavuluri.kanthi@gmail.com" target="_blank">pavuluri.kanthi@gmail.com</a>> wrote:<br>
</div>
<div>> Hi All,<br>
><br>
> We are planning to implement quantum security groups using openflows for ovs plugin instead of iptables which is the case now.<br>
><br>
> Doing so we can avoid the extra Linux bridge which is connected between the vnet device and the ovs bridge, which is given as a workaround since ovs bridge is not compatible with iptables.<br>
><br>
> We are planning to create a blueprint and work on it. Could you please share your views on this?<br>
><br>
</div>
Hi Kanthi:<br>
<br>
Overall, this idea is interesting and removing those extra bridges would certainly be nice. Some people at Bluehost gave a talk at the Summit [1] in which they explained they have done something similar; you may want to reach out to them since they have code
 for this internally already.<br>
<br>
The OVS plugin is in feature freeze during Icehouse, and will be deprecated in favor of ML2 [2] at the end of Icehouse. I would advise you to retarget your work at ML2 when running with the OVS agent instead. The Neutron team will not accept new features into
 the OVS plugin anymore.<br>
<br>
Thanks,<br>
Kyle<br>
<br>
[1] <a href="http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack" target="_blank">
http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack</a><br>
[2] <a href="https://wiki.openstack.org/wiki/Neutron/ML2" target="_blank">https://wiki.openstack.org/wiki/Neutron/ML2</a><br>
<div><br>
> Thanks,<br>
> Kanthi<br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div></div></div>
</div>

<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Cheers,<div>Jian</div></div>
</div>
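<div>Added example, not part of the original thread and not Neutron or OVS code: a small Python model of the point made at the top of the thread, that header-only flow matching cannot provide stateful filtering without connection tracking. The packets, addresses and the names stateless_allow_inbound, ConnTracker and compare are constructed for illustration; matching on the ACK bit is an assumed stand-in for what a stateless rule can see.</div>

```python
from collections import namedtuple

# Constructed sample traffic; addresses, ports and names are illustrative.
Packet = namedtuple("Packet", "src sport dst dport flags")
VM = "10.0.0.5"


def stateless_allow_inbound(pkt):
    """Header-only match on one packet: ACK set stands in for 'established'."""
    return pkt.dst == VM and "ACK" in pkt.flags


class ConnTracker:
    """Minimal stateful filter: inbound is allowed only as a reply."""

    def __init__(self):
        self.flows = set()  # (vm_ip, vm_port, peer_ip, peer_port)

    def outbound(self, pkt):
        # Egress is allowed; an initial SYN creates the tracked entry.
        if pkt.flags == {"SYN"}:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        # Reverse the tuple and require a flow the VM itself opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return False
        if "RST" in pkt.flags:
            self.flows.discard(key)  # torn down: later packets are dropped
        return True


def compare(packets):
    """Replay (direction, packet) pairs; return inbound verdicts per filter."""
    ct, verdicts = ConnTracker(), []
    for direction, pkt in packets:
        if direction == "out":
            ct.outbound(pkt)
        else:
            verdicts.append((stateless_allow_inbound(pkt), ct.inbound(pkt)))
    return verdicts

SAMPLE = [
    ("out", Packet(VM, 40000, "198.51.100.7", 443, {"SYN"})),
    ("in", Packet("198.51.100.7", 443, VM, 40000, {"SYN", "ACK"})),  # reply
    ("in", Packet("203.0.113.9", 443, VM, 40001, {"ACK"})),  # unsolicited
]
```

<div>Each tuple returned by compare(SAMPLE) is (stateless verdict, tracked verdict) for one inbound packet: both filters accept the genuine reply, but only the tracker drops the inbound packet that belongs to no flow the VM opened.</div>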