[ovs-discuss] OVN disable conntrack for UDP ACL

Ammad Syed syedammad83 at gmail.com
Sat Sep 11 02:29:27 UTC 2021


I think stateless ACLs with the OVN backend are currently not supported in
OpenStack. The feature is planned and will be available in the next OpenStack
release, i.e. Xena.

Ammad
On Sat, Sep 11, 2021 at 1:23 AM Satish Patel <satish.txt at gmail.com> wrote:

> Thank you. I am trying the following, but it looks like it doesn't like it;
> the OpenStack docs say it should work. (I am running the latest OpenStack.)
>
> # openstack security group create --stateless foo_sg
> Error while executing command: BadRequestException: 400, Unrecognized
> attribute(s) 'stateful'
>
> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav <VlOdintsov at croc.ru>
> wrote:
> >
> > I’m not an OpenStack user, so I leave this question to somebody
> > from the OpenStack guys.
> >
> > Regards,
> > Vladislav Odintsov
> >
> > On 10 Sep 2021, at 23:00, Satish Patel <satish.txt at gmail.com> wrote:
> >
> > Thank you for your reply,
> >
> > Glad to know there is a workaround. I am a bit of a noob with OVN; could you
> > explain how to set a higher-priority ACL using the "openstack security group
> > rule" command? Most of my users use Terraform to deploy VMs
> > and play with security groups, so how do I specify allow-stateless when
> > creating a group using the OpenStack clients?
> >
> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
> >
> >
> > Hi,
> >
> > with OVN 21.06+ you can create overriding ACLs with a higher priority
> > than you currently have, with the special "allow-stateless" verb, which
> > ensures packets bypass conntrack.
> >
> > Regards,
> > Vladislav Odintsov
> >
> > On 10 Sep 2021, at 22:49, Satish Patel <satish.txt at gmail.com> wrote:
> >
> > Folks,
> >
> > We are a large shop of UDP applications, so we are trying to find a way to
> > disable conntrack for the entire UDP protocol stack. I did google
> > and dig into some OVN documentation but did not find any workaround
> > which allows disabling conntrack on the UDP protocol.
> >
> > Another option I was thinking of is to disable ACLs in OVS entirely
> > and then use iptables on the VM, because that way I can disable
> > conntrack using iptables.
> >
> > Does anyone have any idea what to do, if possible?
> > _______________________________________________
> > discuss mailing list
> > discuss at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
-- 
Regards,


Syed Ammad Ali
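
The override described in the quoted reply from Vladislav Odintsov (a higher-priority ACL with the `allow-stateless` verb), as an added example that is not from the thread or from the OVN or OpenStack projects. The function name `stateless_udp_acls` and the sample values (`pg_demo`, priority 2000, UDP port 5060) are assumptions; the function only prints the `ovn-nbctl` commands so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: build ovn-nbctl commands that place allow-stateless ACLs
# above the existing stateful ones on a port group (OVN 21.06+).
#
# usage: stateless_udp_acls PORT_GROUP PRIORITY UDP_PORT
# allow-stateless skips conntrack, so replies are no longer admitted as
# "related" traffic: each direction needs its own explicit rule, and each
# rule should be scoped to the service port rather than to all of UDP.
stateless_udp_acls() {
    pg=$1 prio=$2 port=$3

    # The port group name is interpolated into the match as @name, so
    # accept identifier characters only.
    case $pg in
        ''|*[!A-Za-z0-9_]*) echo "invalid port group: $pg" >&2; return 1 ;;
    esac
    # OVN ACL priorities range from 0 to 32767; pick one above the
    # priority of the stateful ACLs being overridden.
    case $prio in
        ''|*[!0-9]*) echo "invalid priority: $prio" >&2; return 1 ;;
    esac
    [ "$prio" -le 32767 ] || { echo "priority out of range: $prio" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "invalid UDP port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "UDP port out of range: $port" >&2; return 1; }

    # Toward the ports in the group: requests addressed to the service port.
    printf "ovn-nbctl --type=port-group acl-add %s to-lport %s 'outport == @%s && ip4 && udp.dst == %s' allow-stateless\n" \
        "$pg" "$prio" "$pg" "$port"
    # From the ports in the group: replies sourced from the service port.
    printf "ovn-nbctl --type=port-group acl-add %s from-lport %s 'inport == @%s && ip4 && udp.src == %s' allow-stateless\n" \
        "$pg" "$prio" "$pg" "$port"
}
```

The existing ACLs and their priorities on a port group can be listed with `ovn-nbctl --type=port-group acl-list PORT_GROUP` to choose a priority that actually overrides them.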