[ovs-discuss] OVN disable conntrack for UDP ACL

Satish Patel satish.txt at gmail.com
Fri Sep 10 20:23:06 UTC 2021


Thank you, I am trying the following but it looks like it doesn't like it.
The OpenStack doc says it should work. (I am running the latest OpenStack.)

# openstack security group create --stateless foo_sg
Error while executing command: BadRequestException: 400, Unrecognized
attribute(s) 'stateful'

On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
>
> I’m not an OpenStack user, so I'll leave this question to one of
> the OpenStack guys.
>
> Regards,
> Vladislav Odintsov
>
> On 10 Sep 2021, at 23:00, Satish Patel <satish.txt at gmail.com> wrote:
>
> Thank you for your reply,
>
> Glad to know there is a workaround. I am a bit of a noob with OVN, could
> you explain how to set a higher priority ACL using the "openstack security
> group rule" command? Most of my users are using Terraform to deploy VMs
> and play with security groups, so how do I specify allow-stateless when
> creating a group using the OpenStack clients?
>
> On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
>
>
> Hi,
>
> With OVN 21.06+ you can create overriding ACLs with a higher priority
> than you currently have, with the special "allow-stateless" verb, which
> ensures packets bypass conntrack.
>
> Regards,
> Vladislav Odintsov
>
> On 10 Sep 2021, at 22:49, Satish Patel <satish.txt at gmail.com> wrote:
>
> Folks,
>
> We are a large shop of UDP applications, so we are trying to find a way
> to disable conntrack for the entire UDP protocol stack. I did google
> and dig into some OVN documentation but did not find any workaround
> which allows disabling conntrack on the UDP protocol.
>
> Another option I was thinking of is to disable ACLs in OVS entirely
> and then use iptables on the VM, because that way I can disable
> conntrack using iptables.
>
> Does anyone have any idea what to do, if possible?
>
>
>
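
An added example, not part of the original thread and not OVN project code: a dry-run shell helper that builds the two higher-priority "allow-stateless" UDP ACLs described in the reply above, using ovn-nbctl acl-add on a port group. The port group name pg_demo and priority 2000 are constructed placeholders; run `ovn-nbctl --type=port-group acl-list <group>` first to pick a priority above the ACLs already present.

```shell
#!/bin/sh
# Added example: stateless UDP ACLs for an OVN port group.
# Names and priorities passed in are the caller's; nothing here is
# taken from a real deployment.

# Print one command (dry run, default) or execute it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        # 9 tokens: the 8th is the match expression, shown quoted.
        printf '%s %s %s %s %s %s %s "%s" %s\n' "$@"
    fi
}

# stateless_udp_acls PORT_GROUP PRIORITY
# Conntrack is bypassed, so replies are not allowed automatically:
# both directions need their own explicit rule.
stateless_udp_acls() {
    pg=$1
    prio=$2
    case $pg in
        ''|*[!A-Za-z0-9_]*) echo "bad port group name" >&2; return 2 ;;
    esac
    case $prio in
        ''|*[!0-9]*) echo "priority must be a number" >&2; return 2 ;;
    esac
    # OVN ACL priorities range from 0 to 32767.
    [ "$prio" -le 32767 ] || { echo "priority above 32767" >&2; return 2; }

    # from-lport: UDP sent by ports in the group.
    emit ovn-nbctl --type=port-group --may-exist acl-add "$pg" \
        from-lport "$prio" "inport == @$pg && udp" allow-stateless || return
    # to-lport: UDP delivered to ports in the group.
    emit ovn-nbctl --type=port-group --may-exist acl-add "$pg" \
        to-lport "$prio" "outport == @$pg && udp" allow-stateless
}

# Stand-alone use: ./script.sh PORT_GROUP PRIORITY
if [ "$#" -eq 2 ]; then
    stateless_udp_acls "$1" "$2"
fi
```

Review the printed commands, then rerun with APPLY=1 to execute them against the northbound database.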

