Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-13 Thread Satish Patel
I am running Wallaby and thinking I can just upgrade my neutron to
Xena if possible to test out my code or should I have to forklift the
whole stack to Xena including openvswitch 21.06?

On Sat, Sep 11, 2021 at 2:31 AM Ammad Syed  wrote:
>
> Refer to the Xena release notes of Neutron here.
>
> https://docs.openstack.org/releasenotes/neutron/unreleased.html
>
> Ammad
> On Sat, Sep 11, 2021 at 7:45 AM Satish Patel  wrote:
>>
>> Thank you for the reply,
>>
>> That does make sense, if Xena has support then I can wait for it, I
>> believe it's about to release.
>>
>> On Fri, Sep 10, 2021 at 10:29 PM Ammad Syed  wrote:
>> >
>> > I think stateless ACL with OVN backend is currently not supported in
>> > OpenStack. The feature is planned and will be available in next OpenStack
>> > release, i.e. Xena.
>> >
>> > Ammad
>> > On Sat, Sep 11, 2021 at 1:23 AM Satish Patel  wrote:
>> >>
>> >> Thank you, I am trying the following but looks like it doesn't like it,
>> >> OpenStack Doc saying it should work. (I am running latest OpenStack)
>> >>
>> >> # openstack security group create --stateless foo_sg
>> >> Error while executing command: BadRequestException: 400, Unrecognized
>> >> attribute(s) 'stateful'
>> >>
>> >> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav wrote:
>> >> >
>> >> > I’m not an openstack user, so leave this question to somebody
>> >> > from openstack guys.
>> >> >
>> >> > Regards,
>> >> > Vladislav Odintsov
>> >> >
>> >> > On 10 Sep 2021, at 23:00, Satish Patel  wrote:
>> >> >
>> >> > Thank you for your reply,
>> >> >
>> >> > Glad to know there is a workaround, I am little noob to OVN, could you
>> >> > explain how to set higher priority ACL using "openstack security group
>> >> > rule" command, because most of my users using Terraform to deploy VMs
>> >> > and play with security-group and how do I tell allow-stateless when
>> >> > create group using openstack clients?
>> >> >
>> >> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav wrote:
>> >> >
>> >> >
>> >> > Hi,
>> >> >
>> >> > with OVN 21.06+ you can create overriding ACLs with higher priority
>> >> > than you currently have, with special "allow-stateless" verb, which ensures
>> >> > packets bypassing conntrack.
>> >> >
>> >> > Regards,
>> >> > Vladislav Odintsov
>> >> >
>> >> > On 10 Sep 2021, at 22:49, Satish Patel  wrote:
>> >> >
>> >> > Folk,
>> >> >
>> >> > We are a large shop of UDP applications so trying to find a way to
>> >> > disable the conntrack for the entire UDP protocol stack, I did google
>> >> > and dig into some OVN documentation but did not find any workaround
>> >> > which allows disabling a conntrack on UDP protocol.
>> >> >
>> >> > Or another option I was thinking of is to disable ACL in OVS entirely
>> >> > and then I will use iptables on VM because that way I can disable
>> >> > conntrack using iptables.
>> >> >
>> >> > Anyone have any idea what to do if possible?
>> >> > ___
>> >> > discuss mailing list
>> >> > disc...@openvswitch.org
>> >> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>> >> >
>> >> >
>> >> >
>> >
>> > --
>> > Regards,
>> >
>> >
>> > Syed Ammad Ali
>
> --
> Regards,
>
>
> Syed Ammad Ali


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-11 Thread Ammad Syed
Refer to the Xena release notes of Neutron here.

https://docs.openstack.org/releasenotes/neutron/unreleased.html

Ammad
On Sat, Sep 11, 2021 at 7:45 AM Satish Patel  wrote:

> Thank you for the reply,
>
> That does make sense, if Xena has support then I can wait for it, I
> believe it's about to release.
>
> On Fri, Sep 10, 2021 at 10:29 PM Ammad Syed  wrote:
> >
> > I think stateless ACL with OVN backend is currently not supported in
> > OpenStack. The feature is planned and will be available in next OpenStack
> > release, i.e. Xena.
> >
> > Ammad
> > On Sat, Sep 11, 2021 at 1:23 AM Satish Patel wrote:
> >>
> >> Thank you, I am trying the following but looks like it doesn't like it,
> >> OpenStack Doc saying it should work. (I am running latest OpenStack)
> >>
> >> # openstack security group create --stateless foo_sg
> >> Error while executing command: BadRequestException: 400, Unrecognized
> >> attribute(s) 'stateful'
> >>
> >> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav wrote:
> >> >
> >> > I’m not an openstack user, so leave this question to somebody
> >> > from openstack guys.
> >> >
> >> > Regards,
> >> > Vladislav Odintsov
> >> >
> >> > On 10 Sep 2021, at 23:00, Satish Patel  wrote:
> >> >
> >> > Thank you for your reply,
> >> >
> >> > Glad to know there is a workaround, I am little noob to OVN, could you
> >> > explain how to set higher priority ACL using "openstack security group
> >> > rule" command, because most of my users using Terraform to deploy VMs
> >> > and play with security-group and how do I tell allow-stateless when
> >> > create group using openstack clients?
> >> >
> >> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav <vlodint...@croc.ru> wrote:
> >> >
> >> >
> >> > Hi,
> >> >
> >> > with OVN 21.06+ you can create overriding ACLs with higher priority
> >> > than you currently have, with special "allow-stateless" verb, which ensures
> >> > packets bypassing conntrack.
> >> >
> >> > Regards,
> >> > Vladislav Odintsov
> >> >
> >> > On 10 Sep 2021, at 22:49, Satish Patel  wrote:
> >> >
> >> > Folk,
> >> >
> >> > We are a large shop of UDP applications so trying to find a way to
> >> > disable the conntrack for the entire UDP protocol stack, I did google
> >> > and dig into some OVN documentation but did not find any workaround
> >> > which allows disabling a conntrack on UDP protocol.
> >> >
> >> > Or another option I was thinking of is to disable ACL in OVS entirely
> >> > and then I will use iptables on VM because that way I can disable
> >> > conntrack using iptables.
> >> >
> >> > Anyone have any idea what to do if possible?
> >
> > --
> > Regards,
> >
> >
> > Syed Ammad Ali
>
-- 
Regards,


Syed Ammad Ali


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Satish Patel
Thank you for the reply,

That does make sense, if Xena has support then I can wait for it, I
believe it's about to release.

On Fri, Sep 10, 2021 at 10:29 PM Ammad Syed  wrote:
>
> I think stateless ACL with OVN backend is currently not supported in
> OpenStack. The feature is planned and will be available in next OpenStack
> release, i.e. Xena.
>
> Ammad
> On Sat, Sep 11, 2021 at 1:23 AM Satish Patel  wrote:
>>
>> Thank you, I am trying the following but looks like it doesn't like it,
>> OpenStack Doc saying it should work. (I am running latest OpenStack)
>>
>> # openstack security group create --stateless foo_sg
>> Error while executing command: BadRequestException: 400, Unrecognized
>> attribute(s) 'stateful'
>>
>> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav wrote:
>> >
>> > I’m not an openstack user, so leave this question to somebody
>> > from openstack guys.
>> >
>> > Regards,
>> > Vladislav Odintsov
>> >
>> > On 10 Sep 2021, at 23:00, Satish Patel  wrote:
>> >
>> > Thank you for your reply,
>> >
>> > Glad to know there is a workaround, I am little noob to OVN, could you
>> > explain how to set higher priority ACL using "openstack security group
>> > rule" command, because most of my users using Terraform to deploy VMs
>> > and play with security-group and how do I tell allow-stateless when
>> > create group using openstack clients?
>> >
>> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav wrote:
>> >
>> >
>> > Hi,
>> >
>> > with OVN 21.06+ you can create overriding ACLs with higher priority
>> > than you currently have, with special "allow-stateless" verb, which ensures
>> > packets bypassing conntrack.
>> >
>> > Regards,
>> > Vladislav Odintsov
>> >
>> > On 10 Sep 2021, at 22:49, Satish Patel  wrote:
>> >
>> > Folk,
>> >
>> > We are a large shop of UDP applications so trying to find a way to
>> > disable the conntrack for the entire UDP protocol stack, I did google
>> > and dig into some OVN documentation but did not find any workaround
>> > which allows disabling a conntrack on UDP protocol.
>> >
>> > Or another option I was thinking of is to disable ACL in OVS entirely
>> > and then I will use iptables on VM because that way I can disable
>> > conntrack using iptables.
>> >
>> > Anyone have any idea what to do if possible?
>
> --
> Regards,
>
>
> Syed Ammad Ali


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Ammad Syed
I think stateless ACL with OVN backend is currently not supported in
OpenStack. The feature is planned and will be available in next OpenStack
release, i.e. Xena.

Ammad
On Sat, Sep 11, 2021 at 1:23 AM Satish Patel  wrote:

> Thank you, I am trying the following but looks like it doesn't like it,
> OpenStack Doc saying it should work. (I am running latest OpenStack)
>
> # openstack security group create --stateless foo_sg
> Error while executing command: BadRequestException: 400, Unrecognized
> attribute(s) 'stateful'
>
> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav wrote:
> >
> > I’m not an openstack user, so leave this question to somebody
> > from openstack guys.
> >
> > Regards,
> > Vladislav Odintsov
> >
> > On 10 Sep 2021, at 23:00, Satish Patel  wrote:
> >
> > Thank you for your reply,
> >
> > Glad to know there is a workaround, I am little noob to OVN, could you
> > explain how to set higher priority ACL using "openstack security group
> > rule" command, because most of my users using Terraform to deploy VMs
> > and play with security-group and how do I tell allow-stateless when
> > create group using openstack clients?
> >
> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav wrote:
> >
> >
> > Hi,
> >
> > with OVN 21.06+ you can create overriding ACLs with higher priority
> > than you currently have, with special "allow-stateless" verb, which ensures
> > packets bypassing conntrack.
> >
> > Regards,
> > Vladislav Odintsov
> >
> > On 10 Sep 2021, at 22:49, Satish Patel  wrote:
> >
> > Folk,
> >
> > We are a large shop of UDP applications so trying to find a way to
> > disable the conntrack for the entire UDP protocol stack, I did google
> > and dig into some OVN documentation but did not find any workaround
> > which allows disabling a conntrack on UDP protocol.
> >
> > Or another option I was thinking of is to disable ACL in OVS entirely
> > and then I will use iptables on VM because that way I can disable
> > conntrack using iptables.
> >
> > Anyone have any idea what to do if possible?
>
-- 
Regards,


Syed Ammad Ali


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Satish Patel
Thank you, I am trying the following but looks like it doesn't like it,
OpenStack Doc saying it should work. (I am running latest OpenStack)

# openstack security group create --stateless foo_sg
Error while executing command: BadRequestException: 400, Unrecognized
attribute(s) 'stateful'

On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav  wrote:
>
> I’m not an openstack user, so leave this question to somebody
> from openstack guys.
>
> Regards,
> Vladislav Odintsov
>
> On 10 Sep 2021, at 23:00, Satish Patel  wrote:
>
> Thank you for your reply,
>
> Glad to know there is a workaround, I am little noob to OVN, could you
> explain how to set higher priority ACL using "openstack security group
> rule" command, because most of my users using Terraform to deploy VMs
> and play with security-group and how do I tell allow-stateless when
> create group using openstack clients?
>
> On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav  wrote:
>
>
> Hi,
>
> with OVN 21.06+ you can create overriding ACLs with higher priority
> than you currently have, with special "allow-stateless" verb, which ensures
> packets bypassing conntrack.
>
> Regards,
> Vladislav Odintsov
>
> On 10 Sep 2021, at 22:49, Satish Patel  wrote:
>
> Folk,
>
> We are a large shop of UDP applications so trying to find a way to
> disable the conntrack for the entire UDP protocol stack, I did google
> and dig into some OVN documentation but did not find any workaround
> which allows disabling a conntrack on UDP protocol.
>
> Or another option I was thinking of is to disable ACL in OVS entirely
> and then I will use iptables on VM because that way I can disable
> conntrack using iptables.
>
> Anyone have any idea what to do if possible?


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Odintsov Vladislav
I’m not an openstack user, so leave this question to somebody
from openstack guys.

Regards,
Vladislav Odintsov

On 10 Sep 2021, at 23:00, Satish Patel wrote:

Thank you for your reply,

Glad to know there is a workaround, I am little noob to OVN, could you
explain how to set higher priority ACL using "openstack security group
rule" command, because most of my users using Terraform to deploy VMs
and play with security-group and how do I tell allow-stateless when
create group using openstack clients?

On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav wrote:

Hi,

with OVN 21.06+ you can create overriding ACLs with higher priority
than you currently have, with special "allow-stateless" verb, which ensures
packets bypassing conntrack.

Regards,
Vladislav Odintsov

On 10 Sep 2021, at 22:49, Satish Patel wrote:

Folk,

We are a large shop of UDP applications so trying to find a way to
disable the conntrack for the entire UDP protocol stack, I did google
and dig into some OVN documentation but did not find any workaround
which allows disabling a conntrack on UDP protocol.

Or another option I was thinking of is to disable ACL in OVS entirely
and then I will use iptables on VM because that way I can disable
conntrack using iptables.

Anyone have any idea what to do if possible?


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Satish Patel
Thank you for your reply,

Glad to know there is a workaround, I am little noob to OVN, could you
explain how to set higher priority ACL using "openstack security group
rule" command, because most of my users using Terraform to deploy VMs
and play with security-group and how do I tell allow-stateless when
create group using openstack clients?

On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav  wrote:
>
> Hi,
>
> with OVN 21.06+ you can create overriding ACLs with higher priority
> than you currently have, with special "allow-stateless" verb, which ensures
> packets bypassing conntrack.
>
> Regards,
> Vladislav Odintsov
>
> On 10 Sep 2021, at 22:49, Satish Patel  wrote:
>
> Folk,
>
> We are a large shop of UDP applications so trying to find a way to
> disable the conntrack for the entire UDP protocol stack, I did google
> and dig into some OVN documentation but did not find any workaround
> which allows disabling a conntrack on UDP protocol.
>
> Or another option I was thinking of is to disable ACL in OVS entirely
> and then I will use iptables on VM because that way I can disable
> conntrack using iptables.
>
> Anyone have any idea what to do if possible?


Re: [ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Odintsov Vladislav
Hi,

with OVN 21.06+ you can create overriding ACLs with higher priority
than you currently have, with special "allow-stateless" verb, which ensures
packets bypassing conntrack.

Regards,
Vladislav Odintsov

On 10 Sep 2021, at 22:49, Satish Patel wrote:

Folk,

We are a large shop of UDP applications so trying to find a way to
disable the conntrack for the entire UDP protocol stack, I did google
and dig into some OVN documentation but did not find any workaround
which allows disabling a conntrack on UDP protocol.

Or another option I was thinking of is to disable ACL in OVS entirely
and then I will use iptables on VM because that way I can disable
conntrack using iptables.

Anyone have any idea what to do if possible?
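
Added example, not part of any message in this thread: the higher-priority "allow-stateless" override described in the reply above, sketched as a dry-run generator. It reads `ovn-nbctl acl-list` output, picks the stateful (allow-related) ACLs whose match names UDP, and prints one `ovn-nbctl acl-add` command per rule without running anything. The sample listing, the port group name pg_example and the priority bump of 100 are constructed assumptions, as is the listing line shape "<direction> <priority> (<match>) <verdict>".

```shell
#!/bin/sh
# Added example (not from the thread): turn stateful UDP ACLs into
# higher-priority allow-stateless overrides. Prints commands, runs nothing.

# Constructed sample of `ovn-nbctl acl-list pg_example` output;
# pg_example is a hypothetical port group name.
sample_acl_list() {
cat <<'EOF'
from-lport  1002 (inport == @pg_example && ip4 && udp) allow-related
  to-lport  1002 (outport == @pg_example && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 5060) allow-related
  to-lport  1002 (outport == @pg_example && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
  to-lport  1001 (outport == @pg_example && ip) drop
EOF
}

# Usage: stateless_udp_overrides TYPE ENTITY [BUMP] < acl-list-output
#   TYPE  is switch or port-group, ENTITY its name,
#   BUMP  is how far above the existing priority the override is placed.
stateless_udp_overrides() {
    awk -v type="$1" -v entity="$2" -v bump="${3:-100}" '
    {
        # Line shape assumed: <direction> <priority> (<match>) <verdict> [log...]
        if (!match($0, /\) allow-related( |$)/)) next   # stateful allows only
        head = substr($0, 1, RSTART - 1)
        lp = index(head, "(")
        if (lp == 0) next
        n = split(substr(head, 1, lp - 1), f, " ")      # f[1]=direction f[2]=priority
        if (n != 2 || f[1] !~ /^(from|to)-lport$/ || f[2] !~ /^[0-9]+$/) next
        m = substr(head, lp + 1)
        # Keep rules whose match names udp or a udp.* field.
        if (m !~ /(^|[^A-Za-z0-9_.])udp([^A-Za-z0-9_]|$)/) next
        if (index(m, "\047")) next        # cannot be single-quoted safely
        prio = f[2] + bump
        if (prio > 32767) next            # no room above this rule
        printf "ovn-nbctl --type=%s acl-add %s %s %d \047%s\047 allow-stateless\n",
               type, entity, f[1], prio, m
    }'
}

sample_acl_list | stateless_udp_overrides port-group pg_example
```

Because allow-stateless skips conntrack, reply packets are no longer admitted automatically, so the reverse direction needs its own ACL.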


[ovs-discuss] OVN disable conntrack for UDP ACL

2021-09-10 Thread Satish Patel
Folk,

We are a large shop of UDP applications so trying to find a way to
disable the conntrack for the entire UDP protocol stack, I did google
and dig into some OVN documentation but did not find any workaround
which allows disabling a conntrack on UDP protocol.

Or another option I was thinking of is to disable ACL in OVS entirely
and then I will use iptables on VM because that way I can disable
conntrack using iptables.

Anyone have any idea what to do if possible?