We had a bug filed against the OpenStack+OVN integration (networking-ovn) that Neutron security group changes are not applied to existing connections. The existing OVS integration in Neutron does this by deleting conntrack state entries by running the conntrack tool from a Python agent running on every hypervisor. The OVN integration is expected to provide the same behavior.

https://bugs.launchpad.net/networking-ovn/+bug/1536080

I've been thinking about this a bit and trying to think of how to deal with it. I don't have any great answers, so I wanted to put out a call for ideas. I started playing a bit today and tweaked the logical flows to get a bit closer, but I don't have a complete solution. Has anyone else thought about this?

--
Russell Bryant
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev