Bug 1325685

Summary: [RFE] [Neutron] Open vSwitch (conntrack) firewall driver for OVS-DPDK
Product: Red Hat OpenStack Reporter: Nir Yechiel <nyechiel>
Component: openstack-neutronAssignee: Assaf Muller <amuller>
Status: CLOSED NOTABUG QA Contact: Toni Freger <tfreger>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 10.0 (Newton)CC: amuller, chrisw, djuran, hjensas, jniu, nyechiel, oblaut, rkhan, smerrow, srevivo, weiyongjun
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-18 06:54:57 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1367678    
Bug Blocks: 1419948, 1465537, 1500557    

Description Nir Yechiel 2016-04-10 16:19:09 UTC 
Description of problem:

OpenStack security-groups are currently not available for customers using the DPDK accelerated Open vSwitch (OVS+DPDK). This is due to the fact that our current Neutron firewall driver is based on iptables and relying on kernel functionality which is not available when using the DPDK datapath.

This RFE adds support for an alternative firewall driver which utilizes the conntrack feature on OVS. It should provide a working solution for OVS+DPDK starting with OVS 2.5, where the ct() action was implemented for the dpif-netdev datapath.
Comment 3 Nir Yechiel 2016-05-17 11:54:35 UTC 
Neutron side is ready, as the conntrack-based firewall driver should work with both OVS and OVS+DPDK without special changes. That said, conntrack support for OVS+DPDK is not merged yet in upstream OVS and currently targeted to OVS 2.6.
Comment 8 Assaf Muller 2016-06-15 13:36:51 UTC 
*** Bug 1346865 has been marked as a duplicate of this bug. ***
Comment 9 Nir Yechiel 2016-10-16 10:08:57 UTC 
Pushing this one out of RHOSP 11. This feature requires OVS 2.6.
Comment 11 Assaf Muller 2017-10-11 14:05:50 UTC 
*** Bug 1500563 has been marked as a duplicate of this bug. ***