[ovs-dev] Testing OpenStack security groups with OVN ACLs

Russell Bryant rbryant at redhat.com
Wed Sep 23 21:35:54 UTC 2015


On 09/22/2015 01:00 PM, Russell Bryant wrote:
>>> Thanks for the explanation!  I'll dig into the CT support to see if I
>>> can figure out what might need to change.  I'm guessing it's something
>>> like clearing existing CT state, or ignoring state from a different zone?
>>
>> Roughly, yeah. The translation should be similar for conntrack matching
>> when transitioning from the from-lport to to-lport pipeline stages; at
>> this point, conntrack fields are present from the from-lport pipeline
>> but we wish to ignore it. Similarly, I'd expect us to ignore conntrack
>> fields for packets coming immediately from a port (from-lport pipeline).
>> Hope that makes some sense.
>>
> 
> It does make sense, though I'm having trouble finding anything in the
> current flows that does that in between the from-lport and to-lport
> stages in the flows for a packet that stays on the same host.

I just wanted to update the status of this back on the list.

Joe and I discussed this some on IRC.  He replicated the key parts of my
test in his environment and it seemed to behave correctly.  My test is
also against a slightly older version of the ovs conntrack code, which
*could* behave differently in some way.  Since the userspace patches
seem so close to being merged, we decided I'd just revisit this test
once the userspace support is merged and the rest can be rebased on
that.  It seemed like a better use of time to just put it off a bit and
all use the same code.

Until then I've got several other things I can be working on.

-- 
Russell Bryant