[ovs-discuss] OVN disable conntrack for UDP ACL

Ammad Syed syedammad83 at gmail.com
Sat Sep 11 06:31:37 UTC 2021


Refer to the Xena release notes of Neutron here.

https://docs.openstack.org/releasenotes/neutron/unreleased.html

Ammad
On Sat, Sep 11, 2021 at 7:45 AM Satish Patel <satish.txt at gmail.com> wrote:

> Thank you for the reply,
>
> That does make sense. If Xena has support then I can wait for it; I
> believe it's about to release.
>
> On Fri, Sep 10, 2021 at 10:29 PM Ammad Syed <syedammad83 at gmail.com> wrote:
> >
> > I think stateless ACL with the OVN backend is currently not supported in
> > OpenStack. The feature is planned and will be available in the next
> > OpenStack release, i.e. Xena.
> >
> > Ammad
> > On Sat, Sep 11, 2021 at 1:23 AM Satish Patel <satish.txt at gmail.com> wrote:
> >>
> >> Thank you. I am trying the following but it looks like it doesn't like it;
> >> the OpenStack docs say it should work. (I am running the latest OpenStack.)
> >>
> >> # openstack security group create --stateless foo_sg
> >> Error while executing command: BadRequestException: 400, Unrecognized
> >> attribute(s) 'stateful'
> >>
> >> On Fri, Sep 10, 2021 at 4:05 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
> >> >
> >> > I'm not an OpenStack user, so I'll leave this question to somebody
> >> > from the OpenStack guys.
> >> >
> >> > Regards,
> >> > Vladislav Odintsov
> >> >
> >> > On 10 Sep 2021, at 23:00, Satish Patel <satish.txt at gmail.com> wrote:
> >> >
> >> > Thank you for your reply,
> >> >
> >> > Glad to know there is a workaround. I am a bit of a noob with OVN; could you
> >> > explain how to set a higher-priority ACL using the "openstack security group
> >> > rule" command? Most of my users use Terraform to deploy VMs
> >> > and play with security groups, so how do I specify allow-stateless when
> >> > creating a group using the openstack clients?
> >> >
> >> > On Fri, Sep 10, 2021 at 3:54 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
> >> >
> >> >
> >> > Hi,
> >> >
> >> > With OVN 21.06+ you can create overriding ACLs with a higher priority
> >> > than you currently have, using the special "allow-stateless" verb, which
> >> > ensures packets bypass conntrack.
> >> >
> >> > Regards,
> >> > Vladislav Odintsov
> >> >
> >> > On 10 Sep 2021, at 22:49, Satish Patel <satish.txt at gmail.com> wrote:
> >> >
> >> > Folk,
> >> >
> >> > We are a large shop of UDP applications, so we are trying to find a way to
> >> > disable conntrack for the entire UDP protocol stack. I did google
> >> > and dig into some OVN documentation but did not find any workaround
> >> > which allows disabling conntrack on the UDP protocol.
> >> >
> >> > Another option I was thinking of is to disable ACLs in OVS entirely
> >> > and then use iptables on the VM, because that way I can disable
> >> > conntrack using iptables.
> >> >
> >> > Does anyone have any idea what to do, if possible?
> >> > _______________________________________________
> >> > discuss mailing list
> >> > discuss at openvswitch.org
> >> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> >
> > --
> > Regards,
> >
> >
> > Syed Ammad Ali
>
-- 
Regards,


Syed Ammad Ali
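
The workaround mentioned in the thread (a higher-priority ACL with the "allow-stateless" verdict, OVN 21.06+), as an added example that is not part of the thread and not OVN or Neutron code. It only prints the ovn-nbctl commands for review; the port group name, priority 2000 and UDP port 5060 are constructed sample values.

```shell
#!/bin/sh
# Added example: dry-run generator for a pair of allow-stateless UDP ACLs.
# Nothing is applied; review the printed commands before running them.

# usage: stateless_udp_acls <port_group> <priority> [udp_service_port]
stateless_udp_acls() {
    pg=$1; prio=$2; port=${3:-}

    [ -n "$pg" ] || { echo "port group required" >&2; return 2; }
    # OVN ACL priorities are integers in the range 0..32767.
    case $prio in
        ''|*[!0-9]*) echo "priority must be an integer" >&2; return 2 ;;
    esac
    [ "$prio" -le 32767 ] || { echo "priority out of range" >&2; return 2; }

    to_match="outport == @$pg && ip4 && udp"
    from_match="inport == @$pg && ip4 && udp"
    if [ -n "$port" ]; then
        case $port in *[!0-9]*) echo "bad port" >&2; return 2 ;; esac
        # Requests arrive at the service port; replies leave from it.
        to_match="$to_match && udp.dst == $port"
        from_match="$from_match && udp.src == $port"
    fi

    # With no conntrack state there is no implicit "allow related/reply",
    # so each direction needs its own rule. The reply rule then matches
    # ANY packet with that source port, so keep the match narrow.
    printf "ovn-nbctl --type=port-group acl-add %s to-lport %s '%s' allow-stateless\n" \
        "$pg" "$prio" "$to_match"
    printf "ovn-nbctl --type=port-group acl-add %s from-lport %s '%s' allow-stateless\n" \
        "$pg" "$prio" "$from_match"
}

# Constructed sample invocation (prints two commands).
stateless_udp_acls pg_constructed 2000 5060
```

The priority passed in must be higher than that of the stateful ACLs already present on the port group, which `ovn-nbctl --type=port-group acl-list <port_group>` shows.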