On 11/23/2015 02:16 PM, Kevin Benton wrote:
> Security groups already use connection tracking. It's just done via a
> linux bridge right now because the versions of OVS shipped with most
> distros have no native conntrack support.

This post discusses it in the context of OVN, but gets down to showing what the flows look like. It also includes a link to a presentation about ovs+conntrack given at the OpenStack Summit in Vancouver.

http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/

The most recent talk on this topic was "The State of Stateful Services" at the OVS Conference last week:

http://openvswitch.org/support/ovscon2015/16/1620-stringer.pdf
https://www.youtube.com/watch?v=PV2rxxb6lwQ

--
Russell Bryant