[ptg][neutron] Ussuri PTG summary

Sean Mooney smooney at redhat.com
Wed Nov 13 18:12:51 UTC 2019


On Tue, 2019-11-12 at 14:53 +0100, Slawek Kaplonski wrote:
> Stateless security groups
> =========================
> 
> Old RFE [21] was approved for neutron-fwaas project but we all agreed that this
> should be now implemented for security groups in core Neutron.
> People from Nuage are interested in working on this upstream.
> We should probably also explore how easy/hard it will be to implement it in
> networking-ovn backend.

For what it's worth, we implemented this 4 years ago and it was briefly used in a production trial deployment
in a telco deployment, but I don't think it ever went to full production as they went with SR-IOV instead.
https://review.opendev.org/#/c/264131/ as part of this RFE https://bugs.launchpad.net/neutron/+bug/1531205 which was
closed as won't fix https://bugs.launchpad.net/neutron/+bug/1531205/comments/14
as it was viewed that this was not the correct long term direction for the community.
This is the summit presentation for Austin for anyone that does not remember this effort:

https://www.openstack.org/videos/summits/austin-2016/tired-of-iptables-based-security-groups-heres-how-to-gain-tremendous-speed-with-open-vswitch-instead

I'm not sure how the new proposal differs from our previous proposal for the same
feature, but the main pushback we got was that the security group API is assumed to be stateful
and that is why this was rejected. From our measurements at the time we expected the stateless approach
to scale better than the conntrack driver, so it would be nice to see a stateless approach available.
I never got around to deleting our implementation from networking-ovs-dpdk
https://opendev.org/x/networking-ovs-dpdk/src/branch/master/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py
but it has not really been tested or updated for the last 2 years, but it could be used as a basis of this effort
if Nuage does not have a PoC already.




