1) It's better to support connmark: save__mark & restore__mark; this is very useful.
2) Besides the conntrack callback as an action, can we support other netfilter chain hook callbacks (PREROUTING-raw, FORWARDING-filter...), also as actions in the OVS flow table? This is not the same as the linuxbridge iptables hook, which is a monolithic flow path and cannot be controlled on a per-flow basis. This is useful for some features like transparent NAT, and also makes sense in a typical multi-tenant cloud system if we want to remove the Linux bridge, using just OVS for security groups. For example, in OpenStack, a tenant setting an SG with src ip and src port fields will cause another tenant's web server, receiving a huge number of concurrent HTTP connections, to produce a huge amount of flow misses, as the megaflow has a single flat table in the kernel fast path.

On 05/22/14 at 01:39pm, Justin Pettit wrote:
> Below, is a first cut of the design document I wrote for integrating with
> the connection tracker. As I mentioned at my OpenStack presentation, I have a
> prototype that (largely) implements this, but it's not ready to be shared yet.
> The goal is to have it in a released version of OVS by the end of the year.
> If there are any conntrack experts, please let me know if you think I've
> missed anything. (And, since this is very early, it is all subject to change.)