[ovs-dev] [PATCH] FAQ: Mention conntrack capability for packet filtering.

Ben Pfaff blp at ovn.org
Mon Oct 31 20:39:41 UTC 2016


On Fri, Oct 28, 2016 at 12:13:44PM -0700, Han Zhou wrote:
> The existing explanation didn't tell the user about the conntrack capability,
> and the user may be unaware of the stateful feature of OVS.
> 
> Signed-off-by: Han Zhou <zhouhan at gmail.com>

Good idea. I rebased this to the new FAQ.rst and rephrased it, so that
what I committed was the following:

--8<--------------------------cut here-------------------------->8--

From: Han Zhou <zhouhan at gmail.com>
Date: Fri, 28 Oct 2016 12:13:44 -0700
Subject: [PATCH] FAQ: Mention conntrack capability for packet filtering.

The existing explanation didn't tell the user about the conntrack capability,
and the user may be unaware of the stateful feature of OVS.

Signed-off-by: Han Zhou <zhouhan at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 FAQ.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/FAQ.rst b/FAQ.rst
index de7aaf7..4ee4c2b 100644
--- a/FAQ.rst
+++ b/FAQ.rst
@@ -886,7 +886,9 @@ Q: Open vSwitch does not seem to obey my packet filter rules.
     would add an IP address, as discussed elsewhere in the FAQ.)
 
     For simple filtering rules, it might be possible to achieve similar results
-    by installing appropriate OpenFlow flows instead.
+    by installing appropriate OpenFlow flows instead.  The OVS conntrack
+    feature (see the "ct" action in ovs-ofctl(8)) can implement a stateful
+    firewall.
 
     If the use of a particular packet filter setup is essential, Open vSwitch
     might not be the best choice for you.  On Linux, you might want to consider
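Review bot: the added sentence points at the "ct" action but does not say that the filtering decision is then made by matching on the connection-tracking state the action produces (the ct_state field, documented next to "ct" in ovs-ofctl(8)); a reader coming from iptables may expect "ct" alone to drop anything. Consider extending the new text to something like "see the "ct" action and the ct_state match field in ovs-ofctl(8)" so the FAQ names both halves of a stateful rule, and, since this answer is the one place the FAQ steers packet-filter users, a pointer to the conntrack examples in the manual page would let them build a working rule set without reading the whole action list.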
-- 
2.1.3
