Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-12-03 Thread Zang MingJie
On Sat, Nov 30, 2013 at 6:32 PM, Édouard Thuleau wrote: > And what do you think about the performance issue I talked ? > Do you have any thought to improve wildcarding to use megaflow feature ? > I have invested a little further, here is my environment X1 (10.0.5.1) <---> OVS BR <---> X2 (10.0.

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-30 Thread Édouard Thuleau
And what do you think about the performance issue I talked ? Do you have any thought to improve wildcarding to use megaflow feature ? Édouard. On Fri, Nov 29, 2013 at 1:11 PM, Zang MingJie wrote: > On Fri, Nov 29, 2013 at 2:25 PM, Jian Wen wrote: >> I don't think we can implement a stateful fir

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-29 Thread Zang MingJie
On Fri, Nov 29, 2013 at 2:25 PM, Jian Wen wrote: > I don't think we can implement a stateful firewall[1] now. I don't think we need a stateful firewall, a stateless one should work well. If the stateful conntrack is completed in the future, we can also take benefit from it. > > Once connection t

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-28 Thread Jian Wen
I don't think we can implement a stateful firewall[1] now. Once connection tracking capability[2] is added to the Linux OVS, we could start to implement the ovs-firewall-driver blueprint. [1] http://en.wikipedia.org/wiki/Stateful_firewall [2] http://wiki.xenproject.org/wiki/Xen_Development_Projec

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-25 Thread Mike Wilson
Adding Jun to this thread since gmail is failing him. On Tue, Nov 19, 2013 at 10:44 AM, Amir Sadoughi wrote: > Yes, my work has been on ML2 with neutron-openvswitch-agent. I’m > interested to see what Jun Park has. I might have something ready before he > is available again, but would like to

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-19 Thread Amir Sadoughi
Yes, my work has been on ML2 with neutron-openvswitch-agent. I’m interested to see what Jun Park has. I might have something ready before he is available again, but would like to collaborate regardless. Amir On Nov 19, 2013, at 3:31 AM, Kanthi P mailto:pavuluri.kan...@gmail.com>> wrote: Hi

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-19 Thread Mike Wilson
The current implementation is fairly generic, the plan is to get it into the ML2 plugin. -Mike On Tue, Nov 19, 2013 at 2:31 AM, Kanthi P wrote: > Hi All, > > Thanks for the response! > Amir,Mike: Is your implementation being done according to ML2 plugin > > Regards, > Kanthi > > > On Tue, Nov

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-19 Thread Édouard Thuleau
Hi, It's an interesting feature. But just to understand, what do you blame to the actual implementation with iptables and linux bridge? The OVS release 1.11.0 implements a new feature calls 'megaflows' which reduce the number of kernel/usespace crossings. Actually, OVS neutron agent uses simple d

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-19 Thread Kanthi P
Hi All, Thanks for the response! Amir,Mike: Is your implementation being done according to ML2 plugin Regards, Kanthi On Tue, Nov 19, 2013 at 1:43 AM, Mike Wilson wrote: > Hi Kanthi, > > Just to reiterate what Kyle said, we do have an internal implementation > using flows that looks very simi

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-18 Thread Mike Wilson
Hi Kanthi, Just to reiterate what Kyle said, we do have an internal implementation using flows that looks very similar to security groups. Jun Park was the guy that wrote this and is looking to get it upstreamed. I think he'll be back in the office late next week. I'll point him to this thread whe

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-18 Thread Yongsheng Gong
Is the open flow rule stateful? On Tue, Nov 19, 2013 at 6:26 AM, Kanthi P wrote: > Hi All, > > We are planning to implement quantum security groups using openflows for > ovs plugin instead of iptables which is the case now. > > Doing so we can avoid the extra linux bridge which is connected bet

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-18 Thread Amir Sadoughi
Hi Kanthi, I’ve already started the implementation (prototype phase) of such a blueprint, ovs-firewall-driver . Amir On Nov 18, 2013, at 4:26 PM, Kanthi P mailto:pavuluri.kan...@gmail.com>> wrote: Hi All, We are planning to

Re: [openstack-dev] Reg : Security groups implementation using openflows in quantum ovs plugin

2013-11-18 Thread Kyle Mestery (kmestery)
On Nov 18, 2013, at 4:26 PM, Kanthi P wrote: > Hi All, > > We are planning to implement quantum security groups using openflows for ovs > plugin instead of iptables which is the case now. > > Doing so we can avoid the extra linux bridge which is connected between the > vnet device and the ovs