Background

Today OpenStack uses a Linux bridge to do security control, but more and more people are interested in a native OVS flow-table based firewall, and there are already some BPs.

However, the existing solution has several drawbacks: 1) all existing iptables rules must be rewritten as OVS flow-table rules, so no iptables experience can be reused; 2) it is difficult to provide advanced firewall features like ALG as with iptables; 3) L4 OVS rules destroy megaflow wildcarding, causing severe performance problems when a large number of concurrent sessions are being set up. If we want to borrow the rich Linux stack functionality, either an ugly Linux bridge is bumped into the wire, or complex flow redirection to and from the stack through an extra internal port is needed.

The basic idea is that, since OVS has begun to implement some hook flow actions (e.g. Linux conntrack), we can add more flow actions, such as an iptables chain hook, a routing lookup hook, and so on. We are planning to implement some of these hooks, but first want to know if anyone else is interested in it.
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
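The third drawback above (L4 matches destroying megaflow wildcarding) can be seen with a toy model of the datapath cache. This is an added illustration, not OVS code or anything from the poster: the classifier, the rule sets and the 200 sample sessions are all constructed here, and the "per-session 5-tuple rules" stand in for what a learn()-style stateful OVS firewall installs.

```python
"""Toy model (not OVS code) of why L4 matches defeat megaflow wildcarding.

A megaflow is a datapath cache entry that matches only the header fields the
slow-path classifier actually had to look at; every other field is wildcarded,
so one entry can cover many sessions. Once any rule on the lookup path tests
TCP ports, the ports are un-wildcarded and each session needs its own entry.
"""
FIELDS = ("nw_src", "nw_dst", "tp_src", "tp_dst")

def classify(rules, pkt):
    """Slow path: first-match over (match_dict, action) rules.
    Returns the action plus the set of fields the lookup had to consult."""
    consulted = set()
    for match, action in rules:
        consulted.update(match)          # tested fields lose their wildcard
        if all(pkt[f] == v for f, v in match.items()):
            return action, consulted
    return "drop", consulted

def megaflow_lookup(cache, pkt):
    """Fast path: match against installed (key, action) entries."""
    for key, action in cache:
        if all(pkt[f] == v for f, v in key):
            return action
    return None

def forward(rules, pkts):
    """Run packets through the cache; return (#megaflows installed, #misses)."""
    cache, misses = [], 0
    for pkt in pkts:
        if megaflow_lookup(cache, pkt) is None:
            misses += 1
            action, consulted = classify(rules, pkt)
            key = tuple((f, pkt[f]) for f in FIELDS if f in consulted)
            cache.append((key, action))
    return len(cache), misses

# Constructed traffic: 200 client connections to one web server.
SESSIONS = [{"nw_src": "10.0.0.2", "nw_dst": "10.0.0.9",
             "tp_src": 40000 + i, "tp_dst": 80} for i in range(200)]

# (a) L3-only rule set: ports are never consulted, one megaflow covers all.
L3_RULES = [({"nw_src": "10.0.0.2", "nw_dst": "10.0.0.9"}, "allow")]

# (b) Per-session 5-tuple allow rules (constructed, as a learn()-style
#     stateful OVS firewall would install them) followed by a default drop.
L4_RULES = [({f: s[f] for f in FIELDS}, "allow") for s in SESSIONS] + [({}, "drop")]

if __name__ == "__main__":
    print("L3 rules:", forward(L3_RULES, SESSIONS))   # (1, 1)
    print("L4 rules:", forward(L4_RULES, SESSIONS))   # (200, 200)
```

With the L3-only rules a single megaflow serves every session; with the per-session L4 rules every new connection misses the cache and installs its own entry, which is the per-session setup cost the post refers to.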