Hi, Akihiro,

thanks for your summary.

We use the linuxbridge driver because of its simplicity and the match with the old nova-network schema (yes, we are still migrating).

The functionality gap between ovs driver and linuxbridge is a good thing in my view. It allows operators to choose the best solution considering their deployment use case and scale.

Slawek, Miguel please keep us in the discussions.

Belmiro
CERN

On Wed, Nov 13, 2019 at 7:22 PM Sean Mooney <smooney at redhat.com> wrote:

> On Tue, 2019-11-12 at 14:53 +0100, Slawek Kaplonski wrote:
> > Stateless security groups
> > =========================
> >
> > Old RFE [21] was approved for neutron-fwaas project but we all agreed that this
> > should be now implemented for security groups in core Neutron.
> > People from Nuage are interested in working on this in upstream.
> > We should probably also explore how easy/hard it will be to implement it in
> > networking-ovn backend.
>
> for what it's worth we implemented this 4 years ago and it was briefly used
> in a production trial deployment in a telco deployment, but I don't think it
> ever went to full production as they went with sriov instead
> https://review.opendev.org/#/c/264131/ as part of this RFE
> https://bugs.launchpad.net/neutron/+bug/1531205 which was closed as won't fix
> https://bugs.launchpad.net/neutron/+bug/1531205/comments/14
> as it was viewed that this was not the correct long term direction for the
> community.
> this is the summit presentation for austin for anyone that does not
> remember this effort
>
> https://www.openstack.org/videos/summits/austin-2016/tired-of-iptables-based-security-groups-heres-how-to-gain-tremendous-speed-with-open-vswitch-instead
>
> I'm not sure how the new proposal differs from our previous proposal for
> the same feature, but the main pushback we got was that the security group
> api is assumed to be stateful and that is why this was rejected.
> from our measurements at the time we expected the stateless approach
> to scale better than the conntrack driver, so it would be nice to see a
> stateless approach available.
> I never got around to deleting our implementation from networking-ovs-dpdk
>
> https://opendev.org/x/networking-ovs-dpdk/src/branch/master/networking_ovs_dpdk/agent/ovs_dpdk_firewall.py
> but it has not been tested or updated really for the last 2 years, but it
> could be used as a basis of this effort
> if nuage does not have a poc already.