<div dir="ltr">Thanks! I got it now: OpenStack already allows all "related" connections, and you need connection tracking for that. This was not very clear to me from the documentation...<div dir="ltr"><div><br></div><div>-Tapio</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 23, 2015 at 10:14 PM Russell Bryant &lt;<a href="mailto:rbryant@redhat.com" target="_blank">rbryant@redhat.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 11/23/2015 02:16 PM, Kevin Benton wrote:<br>
> Security groups already use connection tracking. It's just done via a<br>
> Linux bridge right now because the versions of OVS shipped with most<br>
> distros have no native conntrack support.<br>
<br>
This post discusses it in the context of OVN, but gets down to showing<br>
what the flows look like.  It also includes a link to a presentation<br>
about ovs+conntrack given at the OpenStack Summit in Vancouver.<br>
<br>
<a href="http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/" rel="noreferrer" target="_blank">http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/</a><br>
<br>
The most recent talk on this topic was "The State of Stateful Services"<br>
at the OVS Conference last week:<br>
<br>
<a href="http://openvswitch.org/support/ovscon2015/16/1620-stringer.pdf" rel="noreferrer" target="_blank">http://openvswitch.org/support/ovscon2015/16/1620-stringer.pdf</a><br>
<a href="https://www.youtube.com/watch?v=PV2rxxb6lwQ" rel="noreferrer" target="_blank">https://www.youtube.com/watch?v=PV2rxxb6lwQ</a><br>
<br>
--<br>
Russell Bryant<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
</blockquote></div></div>