On Fri, Nov 29, 2013 at 2:25 PM, Jian Wen <[email protected]> wrote:
> I don't think we can implement a stateful firewall[1] now.
I don't think we need a stateful firewall; a stateless one should work well.
If the stateful conntrack is completed in the future, we can also benefit
from it.

> Once connection tracking capability[2] is added to the Linux OVS, we
> could start to implement the ovs-firewall-driver blueprint.
>
> [1] http://en.wikipedia.org/wiki/Stateful_firewall
> [2] http://wiki.xenproject.org/wiki/Xen_Development_Projects#Add_connection_tracking_capability_to_the_Linux_OVS
>
> On Tue, Nov 26, 2013 at 2:23 AM, Mike Wilson <[email protected]> wrote:
>>
>> Adding Jun to this thread since gmail is failing him.
>>
>> On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi <[email protected]> wrote:
>>>
>>> Yes, my work has been on ML2 with neutron-openvswitch-agent. I’m
>>> interested to see what Jun Park has. I might have something ready before
>>> he is available again, but would like to collaborate regardless.
>>>
>>> Amir
>>>
>>> On Nov 19, 2013, at 3:31 AM, Kanthi P <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> Thanks for the response!
>>> Amir, Mike: Is your implementation being done according to ML2 plugin?
>>>
>>> Regards,
>>> Kanthi
>>>
>>> On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson <[email protected]> wrote:
>>>>
>>>> Hi Kanthi,
>>>>
>>>> Just to reiterate what Kyle said, we do have an internal implementation
>>>> using flows that looks very similar to security groups. Jun Park was the
>>>> guy that wrote this and is looking to get it upstreamed. I think he'll be
>>>> back in the office late next week. I'll point him to this thread when
>>>> he's back.
>>>>
>>>> -Mike
>>>>
>>>> On Mon, Nov 18, 2013 at 3:39 PM, Kyle Mestery (kmestery) <[email protected]> wrote:
>>>>>
>>>>> On Nov 18, 2013, at 4:26 PM, Kanthi P <[email protected]> wrote:
>>>>> > Hi All,
>>>>> >
>>>>> > We are planning to implement quantum security groups using openflows
>>>>> > for ovs plugin instead of iptables which is the case now.
>>>>> >
>>>>> > Doing so we can avoid the extra linux bridge which is connected
>>>>> > between the vnet device and the ovs bridge, which is given as a
>>>>> > workaround since ovs bridge is not compatible with iptables.
>>>>> >
>>>>> > We are planning to create a blueprint and work on it. Could you
>>>>> > please share your views on this?
>>>>> >
>>>>> Hi Kanthi:
>>>>>
>>>>> Overall, this idea is interesting and removing those extra bridges
>>>>> would certainly be nice. Some people at Bluehost gave a talk at the
>>>>> Summit [1] in which they explained they have done something similar; you
>>>>> may want to reach out to them since they have code for this internally
>>>>> already.
>>>>>
>>>>> The OVS plugin is in feature freeze during Icehouse, and will be
>>>>> deprecated in favor of ML2 [2] at the end of Icehouse. I would advise you
>>>>> to retarget your work at ML2 when running with the OVS agent instead. The
>>>>> Neutron team will not accept new features into the OVS plugin anymore.
>>>>>
>>>>> Thanks,
>>>>> Kyle
>>>>>
>>>>> [1] http://www.openstack.org/summit/openstack-summit-hong-kong-2013/session-videos/presentation/towards-truly-open-and-commoditized-software-defined-networks-in-openstack
>>>>> [2] https://wiki.openstack.org/wiki/Neutron/ML2
>>>>>
>>>>> > Thanks,
>>>>> > Kanthi
>>>>> > _______________________________________________
>>>>> > OpenStack-dev mailing list
>>>>> > [email protected]
>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> --
> Cheers,
> Jian
