Thanks, Justin. How would you describe the tradeoffs between the two choices? Is it accurate to say reflexive learning is not as performant as it cuts into how many flows a megaflow can wildcard, e.g. the less that can be wildcarded, the more OVS will have to hit userspace for flows?
Amir

On Mon, Dec 16, 2013 at 10:48 AM, Justin Pettit <jpet...@nicira.com> wrote:
> Those are the current best methods. I've been looking at using Linux's
> conntracker and then having the ability for OVS to match the connection
> state. I have a prototype working, but it's too early to know whether it's
> a viable approach (both from a technical and upstream-able perspective).
> If it works out, I think it will provide a good combination of speed and
> correctness. We should know more about its viability in the next few weeks.
>
> --Justin
>
>
> On Dec 16, 2013, at 8:33 AM, Amir Sadoughi <amir.sadou...@gmail.com> wrote:
>
> > How many different ways are there to create firewalls with OVS? So far,
> > I know of:
> >
> > 1. reflexive learn actions
> >
> > 2. stateless ACLs with tcp_flags=ack
> >
> > Are there any other (better?) ways I am missing? My motivation being
> > creating Open vSwitch-based security groups in OpenStack Neutron
> > <https://blueprints.launchpad.net/neutron/+spec/ovs-firewall-driver>.
> >
> > Thanks in advance,
> >
> > Amir Sadoughi
> >
> > _______________________________________________
> > discuss mailing list
> > discuss@openvswitch.org
> > http://openvswitch.org/mailman/listinfo/discuss
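The two OVS-only options named in the quoted message, written out as ovs-ofctl flow text so the difference between them is concrete; this is an added example, not code from the thread or from the Open vSwitch project. The bridge name br0, OpenFlow ports 1 (uplink) and 5 (VM), the VM address 10.0.0.5 and the inbound SSH allow rule are assumptions.

```shell
#!/bin/sh
# Two ways to fence one VM port with OpenFlow rules alone.
# Assumed topology: bridge br0, VM on OpenFlow port 5 with 10.0.0.5, uplink on port 1.
BRIDGE=${BRIDGE:-br0}
VM_PORT=5
VM_IP=10.0.0.5
UPLINK=1

# Option 2 from the thread: stateless ACL. Inbound TCP is accepted only when the
# ACK bit is set, i.e. it looks like a reply to something the VM started. Nothing
# is tracked, so any segment with ACK set passes regardless of whether a
# conversation exists; new inbound connections (here SSH) need explicit rules.
# Every match here is on header fields, so datapath megaflows stay wildcarded.
stateless_acl_flows() {
  cat <<EOF
table=0,priority=100,in_port=$VM_PORT,actions=output:$UPLINK
table=0,priority=100,in_port=$UPLINK,tcp,nw_dst=$VM_IP,tcp_flags=+ack,actions=output:$VM_PORT
table=0,priority=90,in_port=$UPLINK,tcp,nw_dst=$VM_IP,tp_dst=22,actions=output:$VM_PORT
table=0,priority=90,in_port=$UPLINK,arp,actions=output:$VM_PORT
table=0,priority=0,in_port=$UPLINK,actions=drop
EOF
}

# Option 1 from the thread: reflexive learn. Each outbound TCP segment from the VM
# installs a swapped-5-tuple flow in table 1 that admits the replies for 60s of
# idleness. The learned flow is exact on both addresses and both ports, which is
# the wildcarding cost the question above raises: return traffic can no longer be
# covered by a megaflow that ignores those fields.
reflexive_flows() {
  cat <<EOF
table=0,priority=100,in_port=$VM_PORT,tcp,actions=learn(table=1,idle_timeout=60,priority=100,NXM_OF_ETH_TYPE[],NXM_OF_IP_PROTO[],NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],output:NXM_OF_IN_PORT[]),output:$UPLINK
table=0,priority=90,in_port=$VM_PORT,actions=output:$UPLINK
table=0,priority=90,in_port=$UPLINK,arp,actions=output:$VM_PORT
table=0,priority=50,in_port=$UPLINK,actions=resubmit(,1)
table=1,priority=0,actions=drop
EOF
}

# Push one of the two rule sets to the bridge (needs ovs-ofctl; not run by default).
# Usage: install_flows reflexive_flows   or   install_flows stateless_acl_flows
install_flows() {
  "$1" | ovs-ofctl add-flows "$BRIDGE" -
}
```

Note that ovs-ofctl requires the `+ack` form for a set flag; a bare `tcp_flags=ack` as written in the thread is rejected by the flow parser.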