<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 1:53 PM, Thomas Morin <span dir="ltr"><<a href="mailto:thomas.morin@orange.com" target="_blank">thomas.morin@orange.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_399603466460834192moz-cite-prefix">Wed Feb 22 2017 11:13:18 GMT-0500
(EST), Anil Venkata:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><span></span><br>
<span></span>
While relevant, I think this is not possible until br-int allows
to match the network a packet belongs to (the ovsdb port tags
don't let you do that until the packet leaves br-int with a
NORMAL action).<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ajo has told me yesterday that the OVS firewall driver
uses registers precisely to do that. Making this generic
(and not specific to the OVS firewall driver) would be a
prerequisite before you can add ARP responder rules in
br-int.<br>
<br>
</blockquote>
<div> </div>
<div>[...] Spoke to Ajo on this. He said we can follow above
suggestion i.e do the same what firewall driver is doing
in br-int, or wait till OVS flow extension is
implemented(but this will take time as lack of resources)</div>
</div>
</div>
</div>
</blockquote>
<br>
I think using registers instead of ovsdb port tags should be seen as
a common pre-requisite for both ARP responder in br-int and doing
the OVS flow extension work.<br>
So waiting for resource on the later should not be seen as the
problem.. although you still need some resource to use register in
br-int...<span class="HOEnZb"><font color="#888888"><br>
<br></font></span></div></blockquote><div><br></div><div>Those port/net tagging parts were designed as some of the fixed stages of the openflow pipeline. If we wanted to pursue this I feel we may need to wait for the pipeline to eventually be ready.</div><div><br></div><div>An alternative option would be moving the port/net tagging to a common place for ovs firewall and hybrid firewall. But I'm not sure how complex that could be.</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span class="HOEnZb"><font color="#888888">
-Thomas<br>
</font></span></div>
<br>______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
<br></blockquote></div><br></div></div>