[ovs-dev] [OVN] Applying ACL changes to existing connections

Russell Bryant russell at ovn.org
Mon Feb 1 21:07:51 UTC 2016


We had a bug filed against the OpenStack+OVN integration
(networking-ovn) that Neutron security group changes are not applied to
existing connections.  The existing OVS integration in Neutron does this
by deleting conntrack state entries by running the conntrack tool from a
Python agent running on every hypervisor.  The OVN integration is
expected to provide the same behavior.

https://bugs.launchpad.net/networking-ovn/+bug/1536080

I've been thinking about this a bit and trying to think of how to deal
with it.  I don't have any great answers, so I wanted to put out a call
for ideas.

I started playing a bit today and tweaked the logical flows to get a bit
closer, but I don't have a complete solution.

Has anyone else thought about this?

-- 
Russell Bryant


