Correct. OVS is definitely a stateless packet filter at the moment. I agree it could be "augmented" with connection tracking processes, but this sounds cumbersome. As security groups are, in my view, "quasi-stateful", could we try and see exactly what kind of state we need to maintain, and then understand whether this is a show-stopper at the moment for security groups implemented as OVS flow table entries? I certainly see the need for keeping established connections even after security groups change. Removing the related OVS flow entries would drop the connection.
Salvatore

> -----Original Message-----
> From: Chiradeep Vittal [mailto:[email protected]]
> Sent: 19 June 2012 21:30
> To: CloudStack DeveloperList
> Subject: Re: Open vSwitch tunnel manager - how to improve it
>
> Hi Salvatore,
>
> It hit me that there is an additional problem with implementing security
> groups using OVS: security groups are stateful firewalls, but there seems to
> be no obvious way to program a stateful firewall into OVS (unless you write a
> conntrack process that maintains the state with additional rules).
>
> --
> Chiradeep
>
> On 6/19/12 7:52 PM, "Salvatore Orlando" <[email protected]>
> wrote:
>
> >Hi,
> >
> >I've put together - actually I'm still finishing it - a potential list
> >of improvements for the Open vSwitch tunnel manager.
> >It is available on the cloudstack wiki at [1].
> >Your feedback, as usual, is more than welcome! Please feel free to add
> >more items to the list!
> >
> >Regards,
> >Salvatore
> >
> >[1]
> >http://wiki.cloudstack.org/display/RelOps/Open+vSwitch+tunnel+manager+improvements
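The exchange above asks what state a "quasi-stateful" security group actually needs alongside its rules, and observes that tearing down flow entries on a rule change would drop established connections. The following is an added example, not code from this thread, from CloudStack or from Open vSwitch: a toy model in Python of the "conntrack process" Chiradeep describes. It keeps a table of established connections next to the rule set, decides ingress packets, renders the flow entries it would program (strings modelled on ovs-ofctl add-flow syntax, never sent to a switch), and shows that per-connection entries survive a rule change while new connections are refused. Every name, class and address in it (SecurityGroup, Rule, Conn, 10.0.0.0/24, the priorities) is an assumption made for the example.

```python
"""Added example: a toy model of the state a security group must keep beside
its rules. Not CloudStack or OVS code; all names and addresses are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Ingress rule: allow `proto` to destination `port` from `src_cidr`."""
    proto: str
    port: int
    src_cidr: str


@dataclass(frozen=True)
class Conn:
    """The 5-tuple identifying one connection (ingress direction, towards the VM)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def conn_match(conn):
    """Exact-match fields for one connection, using ovs-ofctl field names."""
    return (f"{conn.proto},nw_src={conn.src},tp_src={conn.sport},"
            f"nw_dst={conn.dst},tp_dst={conn.dport}")


class SecurityGroup:
    """Ingress filter for one VM: a rule set plus a table of established connections."""
    PRIO_ESTABLISHED, PRIO_RULE, PRIO_DROP = 200, 100, 0

    def __init__(self, vm_ip, rules):
        self.vm_ip = vm_ip
        self.rules = set(rules)
        self.established = set()   # the state that OVS flow entries alone do not hold

    def _rule_allows(self, conn):
        src = ipaddress.ip_address(conn.src)
        return any(r.proto == conn.proto and r.port == conn.dport
                   and src in ipaddress.ip_network(r.src_cidr)
                   for r in self.rules)

    def ingress(self, conn, syn):
        """Decide one ingress packet. Only a SYN may create state; a non-SYN
        packet is accepted only if its connection is already established."""
        if conn.dst != self.vm_ip:
            return False
        if conn in self.established:
            return True
        if syn and self._rule_allows(conn):
            self.established.add(conn)
            return True
        return False

    def close(self, conn):
        """Forget a connection (what an idle_timeout would do on the switch)."""
        self.established.discard(conn)

    def flows(self):
        """Flow entries realising the current state, highest priority first:
        one per established connection, one per rule for new SYNs, a default drop."""
        entries = [f"priority={self.PRIO_ESTABLISHED},{conn_match(c)},actions=normal"
                   for c in sorted(self.established, key=conn_match)]
        for r in sorted(self.rules, key=str):
            flags = ",tcp_flags=+syn-ack" if r.proto == "tcp" else ""
            entries.append(f"priority={self.PRIO_RULE},{r.proto},nw_src={r.src_cidr},"
                           f"nw_dst={self.vm_ip},tp_dst={r.port}{flags},actions=normal")
        entries.append(f"priority={self.PRIO_DROP},nw_dst={self.vm_ip},actions=drop")
        return entries

    def update_rules(self, new_rules):
        """Swap the rule set and report the flow-table delta. Per-connection
        entries are untouched, so established connections keep flowing."""
        before = set(self.flows())
        self.rules = set(new_rules)
        after = set(self.flows())
        return {"removed": sorted(before - after), "added": sorted(after - before),
                "kept_connections": len(self.established)}


def demo():
    """Walk through a rule change while an SSH connection is open (constructed data)."""
    vm = "10.0.0.10"
    sg = SecurityGroup(vm, [Rule("tcp", 22, "10.0.0.0/24")])
    ssh = Conn("tcp", "10.0.0.5", 40000, vm, 22)
    out = {}
    out["ssh_syn"] = sg.ingress(ssh, syn=True)                                    # allowed by rule
    out["ssh_data"] = sg.ingress(ssh, syn=False)                                  # allowed: established
    out["http_syn"] = sg.ingress(Conn("tcp", "10.0.0.5", 40001, vm, 80), True)    # no matching rule
    out["stray_ack"] = sg.ingress(Conn("tcp", "10.0.0.7", 5000, vm, 22), False)   # never established
    out["delta"] = sg.update_rules([])                                            # operator removes the SSH rule
    out["ssh_data_after"] = sg.ingress(ssh, syn=False)                            # still allowed
    out["new_ssh_after"] = sg.ingress(Conn("tcp", "10.0.0.6", 40002, vm, 22), True)  # now refused
    sg.close(ssh)
    out["flows_after_close"] = sg.flows()                                         # only the default drop remains
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes is that the only extra state is the table of established 5-tuples; the rule set itself stays stateless. Mapping it onto a real switch would mean punting the first SYN to the controller so it can install the per-connection entry with an idle_timeout, which is exactly the "conntrack process" the thread says OVS lacks on its own.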
