<div dir="ltr"><div dir="ltr"><div>Hi,</div><div>Akihiro, thanks for your summary.</div><div><br></div><div>We use the linuxbridge driver because of its simplicity and the match with the old nova-network schema (yes, we are still migrating).</div><div><br></div><div>The functionality gap between ovs driver and linuxbridge is a good thing in my view.</div><div>It allows operators to choose the best solution considering their deployment use case and scale. </div><div><br></div><div>Slawek, Miguel please keep us in the discussions.</div><div><br></div><div>Belmiro</div><div>CERN</div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 13, 2019 at 7:22 PM Sean Mooney <<a href="mailto:smooney@redhat.com">smooney@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Tue, 2019-11-12 at 14:53 +0100, Slawek Kaplonski wrote:<br>
> Stateless security groups<br>
> =========================<br>
> <br>
> Old RFE [21] was approved for neutron-fwaas project but we all agreed that this<br>
> should be now implemented for security groups in core Neutron.<br>
> People from Nuage are interested in work on this in upstream.<br>
> We should probably also explore how easy/hard it will be to implement it in<br>
> networking-ovn backend.<br>
<br>
for what it's worth we implemented this 4 years ago and it was briefly used in production trial deployment<br>
in a telco deployment but i don't think it ever went to full production as they went with sriov instead <br>
<a href="https://review.opendev.org/#/c/264131/" rel="noreferrer" target="_blank">https://review.opendev.org/#/c/264131/</a> as part of this RFE <a href="https://bugs.launchpad.net/neutron/+bug/1531205" rel="noreferrer" target="_blank">https://bugs.launchpad.net/neutron/+bug/1531205</a> which was<br>
closed as won't fix <a href="https://bugs.launchpad.net/neutron/+bug/1531205/comments/14" rel="noreferrer" target="_blank">https://bugs.launchpad.net/neutron/+bug/1531205/comments/14</a><br>
as it was viewed that this was not the correct long term direction for the community.<br>
this is the summit presentation for austin for anyone that does not remember this effort<br>
<br>
<a href="https://www.openstack.org/videos/summits/austin-2016/tired-of-iptables-based-security-groups-heres-how-to-gain-tremendous-speed-with-open-vswitch-instead" rel="noreferrer" target="_blank">https://www.openstack.org/videos/summits/austin-2016/tired-of-iptables-based-security-groups-heres-how-to-gain-tremendous-speed-with-open-vswitch-instead</a><br>
<br>
i'm not sure how the new proposal differs from our previous proposal for the same<br>
feature but the main pushback we got was that the security group api is assumed to be stateful<br>
and that is why this was rejected. from our measurements at the time we expected the stateless approach<br>
to scale better than conntrack driver so it would be nice to see a stateless approach available.<br>
i never got around to deleting our implementation from networking-ovs-dpdk <br>
<a href="https://opendev.org/x/networking-ovs-dpdk/src/branch/master/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py" rel="noreferrer" target="_blank">https://opendev.org/x/networking-ovs-dpdk/src/branch/master/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py</a><br>
but it has not been tested or updated really for the last 2 years but it could be used as a basis of this effort<br>
if nuage does not have a poc already.<br>
<br>
<br>
<br>
</blockquote></div>