Hi, Akihiro,

thanks for your summary.

We use the linuxbridge driver because of its simplicity and the match with the old nova-network schema (yes, we are still migrating).

The functionality gap between the ovs driver and linuxbridge is a good thing in my view. It allows operators to choose the best solution considering their deployment use case and scale.

Slawek, Miguel please keep us in the discussions.

Belmiro
CERN

On Wed, Nov 13, 2019 at 7:22 PM Sean Mooney <smooney@redhat.com> wrote:
On Tue, 2019-11-12 at 14:53 +0100, Slawek Kaplonski wrote:

Stateless security groups
=========================

Old RFE [21] was approved for neutron-fwaas project but we all agreed that this should be now implemented for security groups in core Neutron. People from Nuage are interested in working on this in upstream. We should probably also explore how easy/hard it will be to implement it in networking-ovn backend.

For what it's worth, we implemented this 4 years ago and it was briefly used in a production trial deployment in a telco deployment, but I don't think it ever went to full production as they went with sriov instead.

https://review.opendev.org/#/c/264131/

as part of this RFE

https://bugs.launchpad.net/neutron/+bug/1531205

which was closed as won't fix

https://bugs.launchpad.net/neutron/+bug/1531205/comments/14

as it was viewed that this was not the correct long term direction for the community. This is the summit presentation for Austin for anyone that does not remember this effort
https://www.openstack.org/videos/summits/austin-2016/tired-of-iptables-based...

I'm not sure how the new proposal differs from our previous proposal for the same feature, but the main pushback we got was that the security group API is assumed to be stateful and that is why this was rejected. From our measurements at the time we expected the stateless approach to scale better than the conntrack driver, so it would be nice to see a stateless approach available. I never got around to deleting our implementation from networking-ovs-dpdk

https://opendev.org/x/networking-ovs-dpdk/src/branch/master/networking_ovs_d...

but it has not really been tested or updated for the last 2 years, but it could be used as a basis for this effort if Nuage does not have a PoC already.