<div dir="ltr"><div>On Sat, Nov 30, 2013 at 6:32 PM, Édouard Thuleau <span dir="ltr"><<a href="mailto:thuleau@gmail.com" target="_blank">thuleau@gmail.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote">

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">And what do you think about the performance issue I talked about?<br>


Do you have any thoughts on improving wildcarding to use the megaflow feature?<span class=""><font color="#888888"><br></font></span></blockquote><div><br></div><div>I have investigated a little further; here is my environment:<div>

<br></div><div>X1 (10.0.5.1) <---> OVS BR <---> X2 (10.0.5.2)</div><div><br></div><div>I have set up several flows to make port 5000 open on X2:</div><div><br></div><div><div>$ sudo ovs-ofctl dump-flows br</div>

<div>NXST_FLOW reply (xid=0x4):</div></div><div><div> cookie=0x0, duration=49.672s, table=0, n_packets=7, n_bytes=496, idle_age=6, priority=256,tcp,nw_src=10.0.5.2,tp_src=5000 actions=NORMAL</div><div> cookie=0x0, duration=29.854s, table=0, n_packets=8, n_bytes=562, idle_age=6, priority=256,tcp,nw_dst=10.0.5.2,tp_dst=5000 actions=NORMAL</div>

<div> cookie=0x0, duration=2014.523s, table=0, n_packets=96, n_bytes=4032, idle_age=35, priority=512,arp actions=NORMAL</div><div> cookie=0x0, duration=2006.462s, table=0, n_packets=51, n_bytes=4283, idle_age=40, priority=0 actions=drop</div>

</div><div><br></div><div>and here are the kernel flows after 2 connections were created:</div><div><br></div><div><div>$ sudo ovs-dpctl dump-flows</div><div><div><div>skb_priority(0),in_port(8),eth(src=2e:19:44:50:9d:17,dst=ae:7f:28:4f:14:ec),eth_type(0x0800),ipv4(src=10.0.5.1/255.255.255.255,dst=10.0.5.2/255.255.255.255,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=35789,dst=5000), packets:1, bytes:66, used:2.892s, flags:., actions:10</div>

<div>skb_priority(0),in_port(8),eth(src=2e:19:44:50:9d:17,dst=ae:7f:28:4f:14:ec),eth_type(0x0800),ipv4(src=10.0.5.1/255.255.255.255,dst=10.0.5.2/255.255.255.255,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=35775,dst=5000), packets:0, bytes:0, used:never, actions:10</div>

<div>skb_priority(0),in_port(10),eth(src=ae:7f:28:4f:14:ec,dst=2e:19:44:50:9d:17),eth_type(0x0800),ipv4(src=10.0.5.2/255.255.255.255,dst=10.0.5.1/0.0.0.0,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=5000/0xffff,dst=35789/0), packets:1, bytes:78, used:1.344s, flags:P., actions:8</div>

</div></div></div><div><br></div><div>Conclusion:</div><div>mac-src and mac-dst can't be wildcarded, because they are used by L2 bridging and MAC learning.</div><div>ip-src and port-src can't be wildcarded.</div><div>Only ip-dst and port-dst can be wildcarded.</div>

<div><br></div><div>I don't know why ip-src and port-src can't be wildcarded; maybe I just hit an OVS bug.</div><div> <br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

<span class=""><font color="#888888">
Édouard.<br>
</font></span><div class=""><div class="h5"><br>
On Fri, Nov 29, 2013 at 1:11 PM, Zang MingJie <<a href="mailto:zealot0630@gmail.com">zealot0630@gmail.com</a>> wrote:<br>
> On Fri, Nov 29, 2013 at 2:25 PM, Jian Wen <<a href="mailto:jian.wen@canonical.com">jian.wen@canonical.com</a>> wrote:<br>
>> I don't think we can implement a stateful firewall[1] now.<br>
><br>
> I don't think we need a stateful firewall, a stateless one should work<br>
> well. If the stateful conntrack is completed in the future, we can<br>
> also take benefit from it.<br>
><br>
>><br>
>> Once connection tracking capability[2] is added to the Linux OVS, we<br>
>> could start to implement the ovs-firewall-driver blueprint.<br>
>><br>
>> [1] <a href="http://en.wikipedia.org/wiki/Stateful_firewall" target="_blank">http://en.wikipedia.org/wiki/Stateful_firewall</a><br>
>> [2]<br>
>> <a href="http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS" target="_blank">http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS</a><br>


>><br>
>><br>
>> On Tue, Nov 26, 2013 at 2:23 AM, Mike Wilson <<a href="mailto:geekinutah@gmail.com">geekinutah@gmail.com</a>> wrote:<br>
>>><br>
>>> Adding Jun to this thread since gmail is failing him.<br>
>>><br>
>>><br>
>>> On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi<br>
>>> <<a href="mailto:amir.sadoughi@rackspace.com">amir.sadoughi@rackspace.com</a>> wrote:<br>
>>>><br>
>>>> Yes, my work has been on ML2 with neutron-openvswitch-agent.  I’m<br>
>>>> interested to see what Jun Park has. I might have something ready before he<br>
>>>> is available again, but would like to collaborate regardless.<br>
>>>><br>
>>>> Amir<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Nov 19, 2013, at 3:31 AM, Kanthi P <<a href="mailto:pavuluri.kanthi@gmail.com">pavuluri.kanthi@gmail.com</a>> wrote:<br>
>>>><br>
>>>> Hi All,<br>
>>>><br>
>>>> Thanks for the response!<br>
>>>> Amir, Mike: Is your implementation being done according to the ML2 plugin?<br>
>>>><br>
>>>> Regards,<br>
>>>> Kanthi<br>
>>>><br>
>>>><br>
>>>> On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <<a href="mailto:geekinutah@gmail.com">geekinutah@gmail.com</a>><br>
>>>> wrote:<br>
>>>>><br>
>>>>> Hi Kanthi,<br>
>>>>><br>
>>>>> Just to reiterate what Kyle said, we do have an internal implementation<br>
>>>>> using flows that looks very similar to security groups. Jun Park was the guy<br>
>>>>> that wrote this and is looking to get it upstreamed. I think he'll be back<br>
>>>>> in the office late next week. I'll point him to this thread when he's back.<br>
>>>>><br>
>>>>> -Mike<br>
>>>>><br>
>>>>><br>
>>>>> On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery)<br>
>>>>> <<a href="mailto:kmestery@cisco.com">kmestery@cisco.com</a>> wrote:<br>
>>>>>><br>
>>>>>> On Nov 18, 2013, at 4:26 PM, Kanthi P <<a href="mailto:pavuluri.kanthi@gmail.com">pavuluri.kanthi@gmail.com</a>><br>
>>>>>> wrote:<br>
>>>>>> > Hi All,<br>
>>>>>> ><br>
>>>>>> > We are planning to implement quantum security groups using openflows<br>
>>>>>> > for ovs plugin instead of iptables which is the case now.<br>
>>>>>> ><br>
>>>>>> > Doing so we can avoid the extra linux bridge which is connected<br>
>>>>>> > between the vnet device and the ovs bridge, which is given as a workaround<br>
>>>>>> > since ovs bridge is not compatible with iptables.<br>
>>>>>> ><br>
>>>>>> > We are planning to create a blueprint and work on it. Could you<br>
>>>>>> > please share your views on this?<br>
>>>>>> ><br>
>>>>>> Hi Kanthi:<br>
>>>>>><br>
>>>>>> Overall, this idea is interesting and removing those extra bridges<br>
>>>>>> would certainly be nice. Some people at Bluehost gave a talk at the Summit<br>
>>>>>> [1] in which they explained they have done something similar, you may want<br>
>>>>>> to reach out to them since they have code for this internally already.<br>
>>>>>><br>
>>>>>> The OVS plugin is in feature freeze during Icehouse, and will be<br>
>>>>>> deprecated in favor of ML2 [2] at the end of Icehouse. I would advise you to<br>
>>>>>> retarget your work at ML2 when running with the OVS agent instead. The<br>
>>>>>> Neutron team will not accept new features into the OVS plugin anymore.<br>
>>>>>><br>
>>>>>> Thanks,<br>
>>>>>> Kyle<br>
>>>>>><br>
>>>>>> [1]<br>
>>>>>> <a href="http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack" target="_blank">http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack</a><br>


>>>>>> [2] <a href="https://wiki.openstack.org/wiki/Neutron/ML2" target="_blank">https://wiki.openstack.org/wiki/Neutron/ML2</a><br>
>>>>>><br>
>>>>>> > Thanks,<br>
>>>>>> > Kanthi<br>
>>>>>> > _______________________________________________<br>
>>>>>> > OpenStack-dev mailing list<br>
>>>>>> > <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
>>>>>> > <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>>>>>><br>
>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>><br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> Cheers,<br>
>> Jian<br>
>><br>
>><br>
><br>
<br>
</div></div></blockquote></div><br></div></div>
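The field-by-field reading of the ovs-dpctl dump-flows output in the message above (which fields end up exact-matched and which get wildcarded) can be automated. The following Python script is an added example, not code from this thread or from Open vSwitch: it parses each datapath flow, classifies every match field as exact, partially masked or wildcarded from its /mask suffix, and reports which fields are exact-matched in every flow of a dump, since those are the fields that force one kernel flow per connection and so limit how much the megaflow facility saves. The sample dump is the three flows quoted in the message; the classification rules (no mask means exact, an all-zero mask means wildcarded, an all-ones mask means exact) are my reading of the dump format as printed there, not taken from OVS documentation.

```python
"""Classify which match fields in `ovs-dpctl dump-flows` output are exact,
partially masked, or fully wildcarded.

The more fields a datapath flow matches exactly, the more kernel flows a
host installs per connection, so this is a quick way to see how much of the
megaflow facility is actually in use.  Added example, not OVS code."""
import re
from collections import OrderedDict

# The three datapath flows quoted in the thread, unchanged.
SAMPLE_DUMP = """\
skb_priority(0),in_port(8),eth(src=2e:19:44:50:9d:17,dst=ae:7f:28:4f:14:ec),eth_type(0x0800),ipv4(src=10.0.5.1/255.255.255.255,dst=10.0.5.2/255.255.255.255,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=35789,dst=5000), packets:1, bytes:66, used:2.892s, flags:., actions:10
skb_priority(0),in_port(8),eth(src=2e:19:44:50:9d:17,dst=ae:7f:28:4f:14:ec),eth_type(0x0800),ipv4(src=10.0.5.1/255.255.255.255,dst=10.0.5.2/255.255.255.255,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=35775,dst=5000), packets:0, bytes:0, used:never, actions:10
skb_priority(0),in_port(10),eth(src=ae:7f:28:4f:14:ec,dst=2e:19:44:50:9d:17),eth_type(0x0800),ipv4(src=10.0.5.2/255.255.255.255,dst=10.0.5.1/0.0.0.0,proto=6/0xff,tos=0/0,ttl=64/0,frag=no/0xff),tcp(src=5000/0xffff,dst=35789/0), packets:1, bytes:78, used:1.344s, flags:P., actions:8
"""

# Top-level "name(...)" groups of the match part.  Parentheses do not nest
# in these dumps, so a body of "anything but ')'" is sufficient.
_GROUP_RE = re.compile(r"([a-z_0-9]+)\(([^)]*)\)")


def _classify_mask(mask):
    """Return 'exact', 'wildcard' or 'partial' for one mask token.

    Masks appear as dotted quads (255.255.255.255), colon-separated hex
    bytes (ff:ff:ff:ff:ff:ff) or hex/decimal integers (0xff, 0).  A missing
    mask (assumption from the dump format) means the field is matched exactly."""
    if mask is None:
        return "exact"
    if "." in mask or ":" in mask:
        sep, base, full = (".", 10, 255) if "." in mask else (":", 16, 0xff)
        parts = [int(p, base) for p in mask.split(sep)]
        if all(p == 0 for p in parts):
            return "wildcard"
        return "exact" if all(p == full for p in parts) else "partial"
    if int(mask, 0) == 0:
        return "wildcard"
    # An all-ones integer mask is printed with only 'f' hex digits.
    return "exact" if re.fullmatch(r"0x[fF]+", mask) else "partial"


def parse_flow(line):
    """Parse one dump-flows line into {field: (value, classification)}.

    Field names are qualified by their group, e.g. 'ipv4.dst' or 'tcp.src'.
    Groups without key=value content (in_port(8), eth_type(0x0800)) are
    recorded under the bare group name and are always exact."""
    match_part = line.split(", packets:", 1)[0]
    fields = OrderedDict()
    for group, body in _GROUP_RE.findall(match_part):
        if "=" not in body:
            fields[group] = (body, "exact")
            continue
        for item in body.split(","):
            key, _, rest = item.partition("=")
            value, _, mask = rest.partition("/")
            fields["%s.%s" % (group, key)] = (value, _classify_mask(mask or None))
    return fields


def wildcarded_fields(line):
    """Names of the fields this flow does not match on at all."""
    return [k for k, (_, cls) in parse_flow(line).items() if cls == "wildcard"]


def never_wildcarded(dump):
    """Fields exact-matched in every flow of the dump: the ones that force
    a separate kernel flow for every connection."""
    lines = [l for l in dump.splitlines() if l.strip()]
    if not lines:
        return []
    exact_sets = [{k for k, (_, cls) in parse_flow(l).items() if cls == "exact"}
                  for l in lines]
    common = set.intersection(*exact_sets)
    # Keep the field order of the first flow for readable output.
    return [k for k in parse_flow(lines[0]) if k in common]


if __name__ == "__main__":
    for l in SAMPLE_DUMP.splitlines():
        print("wildcarded:", wildcarded_fields(l) or "(none)")
    print("never wildcarded:", never_wildcarded(SAMPLE_DUMP))
```

On the sample, the reverse-direction flow wildcards ipv4.dst, ipv4.tos, ipv4.ttl and tcp.dst, while eth.src, eth.dst, ipv4.src and tcp.src are exact in all three flows, which is the observation the message ends with. Feeding a live dump-flows capture to never_wildcarded() shows which fields the installed OpenFlow rules are forcing into exact matches, and therefore how fast the kernel flow table will grow under a burst of new connections.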