[ovs-dev] [OVN] Applying ACL changes to existing connections
Russell Bryant
russell at ovn.org
Mon Feb 1 21:07:51 UTC 2016
We had a bug filed against the OpenStack+OVN integration
(networking-ovn) that Neutron security group changes are not applied to
existing connections. The existing OVS integration in Neutron does this
by deleting conntrack state entries by running the conntrack tool from a
Python agent running on every hypervisor. The OVN integration is
expected to provide the same behavior.

https://bugs.launchpad.net/networking-ovn/+bug/1536080

I've been thinking about this a bit and trying to think of how to deal
with it. I don't have any great answers, so I wanted to put out a call
for ideas.

I started playing a bit today and tweaked the logical flows to get a bit
closer, but I don't have a complete solution.

Has anyone else thought about this?
--
Russell Bryant
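
Added example, not part of the original message and not code from Neutron or networking-ovn: a sketch of the conntrack-deletion approach the message attributes to the existing OVS integration. It parses a constructed `conntrack -L` listing, checks each connection in a port's zone against the ingress rules that remain after a security group change, and builds `conntrack -D` argument lists for the ones no rule permits any more. The rule dictionaries, zone numbers and function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the format printed by `conntrack -L`; not captured data.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51234 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] mark=0 zone=3 use=1
tcp      6 431990 ESTABLISHED src=192.0.2.7 dst=10.0.0.9 sport=40000 dport=443 src=10.0.0.9 dst=192.0.2.7 sport=443 dport=40000 [ASSURED] mark=0 zone=3 use=1
udp      17 25 src=10.0.0.5 dst=10.0.0.9 sport=5353 dport=53 src=10.0.0.9 dst=10.0.0.5 sport=53 dport=5353 mark=0 zone=4 use=1
"""

def parse_entry(line):
    """Return the original-direction tuple of one conntrack line."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        fields.setdefault(key, value)  # first occurrence = original direction
    return {
        "proto": line.split()[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields.get("dport", 0)),  # ICMP entries carry no ports
        "zone": int(fields.get("zone", 0)),
    }

def allowed(entry, rules):
    """True if any remaining ingress rule still permits this connection."""
    src = ipaddress.ip_address(entry["src"])
    return any(
        r["proto"] == entry["proto"]
        and src in ipaddress.ip_network(r["remote"])
        and r["dport"] == entry["dport"]
        for r in rules
    )

def stale_deletions(listing, zone, rules):
    """Build `conntrack -D` argument lists for entries in `zone` that no rule permits."""
    cmds = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["zone"] == zone and not allowed(e, rules):
            cmds.append(["conntrack", "-D", "-f", "ipv4", "-p", e["proto"],
                         "-s", e["src"], "-d", e["dst"],
                         "--dport", str(e["dport"]), "-w", str(zone)])
    return cmds
```

Scoping the deletion to the port's zone and to the exact tuple leaves connections that the remaining rules still allow untouched.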