On 02/15/15 at 05:00pm, Kevin Benton wrote:
> What is the status of the conntrack integration with respect to
> availability in distributions? The lack of state tracking has blocked the
> ability for us to get rid of namespaces for the L3 agent (because of SNAT)
> and the filtering bridge between the VM and OVS (stateful firewall for
> security groups).
>
> It has been known for a long time that these are suboptimal, but our hands
> are sort of tied because we don't want to require kernel code changes to
> use Neutron.
> Are Ubuntu 1404 or CentOS 7 shipping openvswitch kernel modules with
> conntrack integration? If not, I don't see a feasible way of eliminating
> any of these problems with a pure OVS solution. (faking a stateful firewall
> with flag matching doesn't count)

As soon as conntrack is merged in the upstream kernel it can be
backported. We can definitely provide support through the openvswitch.ko
in the git tree which will give you conntrack on >= 2.6.32 but that might
not answer your question as you probably want to use the openvswitch.ko
that is shipped with your distribution.

Given the interest in this it sounds like it makes sense to approach
common distributions which do not rebase kernels frequently to backport
this feature.

OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev