[openstack-dev] [ovs-dev] [neutron] moving openvswitch ports between namespaces considered harmful

Thomas Graf tgraf at noironetworks.com
Mon Feb 16 19:27:41 UTC 2015


On 02/15/15 at 05:00pm, Kevin Benton wrote:
> What is the status of the conntrack integration with respect to
> availability in distributions? The lack of state tracking has blocked the
> ability for us to get rid of namespaces for the L3 agent (because of SNAT)
> and the filtering bridge between the VM and OVS (stateful firewall for
> security groups).
> 
> It has been known for a long time that these are suboptimal, but our hands
> are sort of tied because we don't want to require kernel code changes to
> use Neutron.

> Are Ubuntu 1404 or CentOS 7 shipping openvswitch kernel modules with
> conntrack integration? If not, I don't see a feasible way of eliminating
> any of these problems with a pure OVS solution. (faking a stateful firewall
> with flag matching doesn't count)

As soon as conntrack is merged in the upstream kernel it can be
backported. We can definitely provide support through the openvswitch.ko
in the git tree which will give you conntrack on >= 2.6.32 but that might
not answer your question as you probably want to use the openvswitch.ko
that is shipped with your distribution. Given the interest in this it
sounds like it makes sense to approach common distributions which do not
rebase kernels frequently to backport this feature.
