On Fri, Oct 28, 2016 at 12:13:44PM -0700, Han Zhou wrote:
> The existing explanation didn't tell the user about the conntrack capability,
> and the user may be unaware of the stateful feature of OVS.
>
> Signed-off-by: Han Zhou <zhou...@gmail.com>
Good idea, I rebased this to the new FAQ.rst and rephrased it, so that what I committed was the following:

--8<--------------------------cut here-------------------------->8--
From: Han Zhou <zhou...@gmail.com>
Date: Fri, 28 Oct 2016 12:13:44 -0700
Subject: [PATCH] FAQ: Mention conntrack capability for packet filtering.

The existing explanation didn't tell the user about the conntrack capability,
and the user may be unaware of the stateful feature of OVS.

Signed-off-by: Han Zhou <zhou...@gmail.com>
Signed-off-by: Ben Pfaff <b...@ovn.org>
---
 FAQ.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/FAQ.rst b/FAQ.rst
index de7aaf7..4ee4c2b 100644
--- a/FAQ.rst
+++ b/FAQ.rst
@@ -886,7 +886,9 @@ Q: Open vSwitch does not seem to obey my packet filter rules.
     would add an IP address, as discussed elsewhere in the FAQ.)
 
     For simple filtering rules, it might be possible to achieve similar results
-    by installing appropriate OpenFlow flows instead.
+    by installing appropriate OpenFlow flows instead.  The OVS conntrack
+    feature (see the "ct" action in ovs-ofctl(8)) can implement a stateful
+    firewall.
 
     If the use of a particular packet filter setup is essential, Open vSwitch
     might not be the best choice for you.  On Linux, you might want to consider
-- 
2.1.3
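Review bot: the added sentence points the reader only at the "ct" action, but on its own that action does not filter anything; the accept/drop decision is made by the flows that run after it and match on the connection state it establishes. Consider extending the pointer so a reader knows where the filtering half lives, e.g. "(see the "ct" action and the ct_state match field in ovs-ofctl(8))", otherwise "can implement a stateful firewall" reads as if the action alone were enough.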