[openstack-dev] [Neutron] Security Groups OVS conntrack support

Kevin Benton blak111 at gmail.com
Mon Nov 23 19:16:41 UTC 2015


Security groups already use connection tracking. It's just done via a Linux
bridge right now because the versions of OVS shipped with most distros have
no native conntrack support.

On Mon, Nov 23, 2015 at 2:55 AM, Tapio Tallgren <tapiotallgren at gmail.com>
wrote:

> Hi,
>
> Sorry for the stupid question, but how will I use the connection tracking
> in security groups? Is there an extension to the Neutron API call "add
> security group rule" that allows for connection tracking, or is this for
> FWaaS only?
>
> -Tapio
>
> On Mon, Nov 23, 2015 at 12:39 PM Fawad Khaliq <fawad at plumgrid.com> wrote:
>
>> On Mon, Nov 23, 2015 at 3:08 PM, Jakub Libosvar <jlibosva at redhat.com>
>> wrote:
>>
>>> On 11/22/2015 07:28 PM, Gal Sagie wrote:
>>> > Hi Fawad,
>>> >
>>> > From what I could understand from Miguel Angel Ajo, someone is working
>>> > on this integration and it
>>> > is supposed to be delivered as part of Mitaka.
>>> > I don't remember the person's name, Miguel will surely update shortly.
>>> >
>>> > Gal.
>>>
>>> Hi Fawad, Gal,
>>>
>>> I'm the person working on the OVS firewall. There is an RFE bug [1]
>>> reported to track it.
>>>
>>
>> Hi Kuba,
>>
>> Great. We (Kuryr team) wanted insight into the plans for this support.
>> Thanks for the note and link to the bug. I think we are all set to take the
>> discussions further.
>>
>> Fawad
>>
>>
>>> Kuba
>>>
>>> [1] https://bugs.launchpad.net/neutron/+bug/1461000
>>> >
>>> > On Sun, Nov 22, 2015 at 7:05 PM, Fawad Khaliq <fawad at plumgrid.com>
>>> > wrote:
>>> >
>>> >     Folks,
>>> >
>>> >     Is there a plan to add conntrack support to the security groups for
>>> >     the OVS driver in Mitaka cycle?
>>> >
>>> >     My understanding is that it is being actively worked on for
>>> >     networking-ovn but no concrete plan for support in the OVS Neutron
>>> >     driver yet.
>>> >
>>> >     Thanks,
>>> >     Fawad Khaliq
>>> >
>>> >
>>> >
>>> >     __________________________________________________________________________
>>> >     OpenStack Development Mailing List (not for usage questions)
>>> >     Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> >     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Best Regards,
>>> >
>>> > The G.
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>>
>>
>
>
>


-- 
Kevin Benton