<div dir="ltr">As I remember, <span><span id="3f1cf898-8fbf-4175-b7f5-f403adfe0a17" class="GINGER_SOFTWARE_mark">ovs</span></span> does not support binding-on <span><span id="355d33b9-d456-4825-b97d-a8781fd632e1" class="GINGER_SOFTWARE_mark">veth</span></span> <span><span id="36400a9a-a048-4bd6-a134-58a2b3e93c38" class="GINGER_SOFTWARE_mark">rules</span></span>.<div><div>Hence now we might need tools like iptables.</div><div>However, this might change in future.</div></div><div><br></div><div>As to the l3 part, should be handled in more efficient way, e.g., NFV.</div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 4, 2014 at 2:29 PM, <span id="84437d9a-3cc9-4465-a324-5278f18c4e5a" class="GINGER_SOFTWARE_mark">loy</span> <span id="c960e47a-436c-429a-897a-37e959d41d50" class="GINGER_SOFTWARE_mark">wolfe</span> <span dir="ltr"><<a href="mailto:loywolfe@gmail.com" target="_blank">loywolfe@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span id="88712626-9df8-431e-8078-48d14acb7441" class="GINGER_SOFTWARE_mark">maybe</span> two reasons: performance caused by flow miss; feature parity<br>
<br>
L3+ flow table <span id="b37de6f0-c6ee-488b-b6af-39199f4d28c0" class="GINGER_SOFTWARE_mark">destroy</span> the <span id="007c4a8b-dc14-41e7-ade7-482b0ebb5ef4" class="GINGER_SOFTWARE_mark">megaflow</span> aggregation, so if your app has<br>
<span id="7bbb320a-5122-4f89-b36f-cc228829abf7" class="GINGER_SOFTWARE_mark">many</span> concurrent sessions like web server, flow miss <span id="1bd8ab29-3152-4155-9419-b7d3e7a89535" class="GINGER_SOFTWARE_mark">upcall</span> would make<br>
<span id="d5318e8f-f8b4-436d-8f4f-5b1c1d726a00" class="GINGER_SOFTWARE_mark">vswitchd</span> corrupted.<br>
<br>
<span id="8b147e65-030b-4f30-91e0-38bb54f8e8b6" class="GINGER_SOFTWARE_mark">iptable</span> is already there, migrating it to <span id="791f2d78-23b4-4b5c-bd25-7356fd4ed777" class="GINGER_SOFTWARE_mark">ovs flow table</span> needs a lot<br>
<span id="44a9745a-50ae-4a84-870f-ccf97c2ee912" class="GINGER_SOFTWARE_mark">of</span> extra development, not to say that some advanced features is lost<br>
(<span id="44d91065-3fbe-444f-8e2a-df39726a9406" class="GINGER_SOFTWARE_mark">for</span> example, stateful firewall). However <span id="715a82d3-a358-4a41-8be6-eeba2f700c24" class="GINGER_SOFTWARE_mark">ovs</span> <span id="d276863d-4a78-4d9d-9e83-574c31353e82" class="GINGER_SOFTWARE_mark">is considering</span> <span id="9f856841-1089-4e96-a7e2-480083d32f33" class="GINGER_SOFTWARE_mark">to add</span><br>
<span id="d553519a-197b-4cf1-a444-ac86f65b3de7" class="GINGER_SOFTWARE_mark">some</span> hook to <span id="03f755cb-84d3-4447-93a3-dfbf36d878ae" class="GINGER_SOFTWARE_mark">iptable</span>, but in the very early stage yet. Even with that,<br>
<span id="91ab69a6-3f00-4e4f-8bd1-4a2f1d766e2a" class="GINGER_SOFTWARE_mark">it</span> is not implemented by <span id="9944af7c-d707-4d8e-af1f-523cbab774ee" class="GINGER_SOFTWARE_mark">ovs</span> <span id="6c2da2de-498d-4b1f-9219-46c37508fb03" class="GINGER_SOFTWARE_mark">datapath</span> <span id="cfdc31a7-ba51-46c9-a3c6-ed5e5f97b81e" class="GINGER_SOFTWARE_mark">flowtable</span>, but by <span id="b1507085-fd15-4c03-b191-593b17e15098" class="GINGER_SOFTWARE_mark">iptable</span>.<br>
<div><div><br>
On Tue, Nov 4, 2014 at 1:07 PM, Li Tianqing <<a href="mailto:jazeltq@163.com" target="_blank">jazeltq@163.com</a>> wrote:<br>
> <span id="dc4db332-a29c-4824-b1ba-65334b05efa1" class="GINGER_SOFTWARE_mark">ovs</span> <span id="77a3af0c-a088-4bb1-9121-070f37da88b2" class="GINGER_SOFTWARE_mark">is implemented</span> open flow, in <span id="7d9e4339-db36-4ac7-b295-0303e266b115" class="GINGER_SOFTWARE_mark">ovs</span>, it can see the l3, why do not use <span id="31926338-7896-4150-a642-1a22f2f00699" class="GINGER_SOFTWARE_mark">ovs</span>?<br>
><br>
> --<br>
> Best<br>
>     Li Tianqing<br>
><br>
> At 2014-11-04 11:55:46, "Damon Wang" <<a href="mailto:damon.devops@gmail.com" target="_blank">damon.devops@gmail.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> OVS mainly focus on <span id="868b9f26-b91d-4dc4-9f7f-ce5594163681" class="GINGER_SOFTWARE_mark">l2 which</span> iptables mainly focus on l3 or higher.<br>
><br>
> Damon Wang<br>
><br>
> 2014-11-04 11:12 GMT+08:00 Li Tianqing <<a href="mailto:jazeltq@163.com" target="_blank">jazeltq@163.com</a>>:<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> Best<br>
>>     Li Tianqing<br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> <span id="1a480c1a-6ce3-4199-b83c-238b7b990c90" class="GINGER_SOFTWARE_mark">OpenStack</span>-dev mailing list<br>
>> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> <span id="330cf2dd-5784-4d58-aad8-a9eb0e44b90c" class="GINGER_SOFTWARE_mark">OpenStack</span>-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
_______________________________________________<br>
<span id="550c503c-7695-48c9-80bf-db1682407dc1" class="GINGER_SOFTWARE_mark">OpenStack</span>-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><font color="#999999">Best wishes!<br><span id="9df0fc95-0f47-4ff5-aa14-492650261673" class="GINGER_SOFTWARE_mark">Baohua</span><br></font></div>
</div></div>