[openstack-dev] [Neutron] Security Groups OVS conntrack support

Tapio Tallgren tapiotallgren at gmail.com
Tue Nov 24 10:55:07 UTC 2015


Thanks! I got it now: OpenStack already allows all "related" connections,
and you need connection tracking for that. This was not very clear to me
from the documentation...

-Tapio

On Mon, Nov 23, 2015 at 10:14 PM Russell Bryant <rbryant at redhat.com> wrote:

> On 11/23/2015 02:16 PM, Kevin Benton wrote:
> > Security groups already use connection tracking. It's just done via a
> > Linux bridge right now because the versions of OVS shipped with most
> > distros have no native conntrack support.
>
> This post discusses it in the context of OVN, but gets down to showing
> what the flows look like.  It also includes a link to a presentation
> about ovs+conntrack given at the OpenStack Summit in Vancouver.
>
>
> http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/
>
> The most recent talk on this topic was "The State of Stateful Services"
> at the OVS Conference last week:
>
> http://openvswitch.org/support/ovscon2015/16/1620-stringer.pdf
> https://www.youtube.com/watch?v=PV2rxxb6lwQ
>
> --
> Russell Bryant