1325685 – [RFE] [Neutron] Open vSwitch (conntrack) firewall driver for OVS-DPDK

Bug 1325685 - [RFE] [Neutron] Open vSwitch (conntrack) firewall driver for OVS-DPDK

Summary: [RFE] [Neutron] Open vSwitch (conntrack) firewall driver for OVS-DPDK

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Assaf Muller
QA Contact:	Toni Freger
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1346865 1500563 (view as bug list)
Depends On:	1367678
Blocks:	1419948 1465537 1500557
TreeView+	depends on / blocked

Reported:	2016-04-10 16:19 UTC by Nir Yechiel
Modified:	2017-10-18 06:54 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-10-18 06:54:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1461000	0	None	None	None	2016-04-10 16:19:09 UTC
OpenStack gerrit	249337	0	None	MERGED	Open vSwitch conntrack based firewall driver	2020-11-18 06:23:54 UTC

Description Nir Yechiel 2016-04-10 16:19:09 UTC

Description of problem:

OpenStack security-groups are currently not available for customers using the DPDK accelerated Open vSwitch (OVS+DPDK). This is due to the fact that our current Neutron firewall driver is based on iptables and relying on kernel functionality which is not available when using the DPDK datapath.

This RFE adds support for an alternative firewall driver which utilizes the conntrack feature on OVS. It should provide a working solution for OVS+DPDK starting with OVS 2.5, where the ct() action was implemented for the dpif-netdev datapath.

Comment 3 Nir Yechiel 2016-05-17 11:54:35 UTC

Neutron side is ready, as the conntrack-based firewall driver should work with both OVS and OVS+DPDK without special changes. That said, conntrack support for OVS+DPDK is not merged yet in upstream OVS and currently targeted to OVS 2.6.

Comment 8 Assaf Muller 2016-06-15 13:36:51 UTC

*** Bug 1346865 has been marked as a duplicate of this bug. ***

Comment 9 Nir Yechiel 2016-10-16 10:08:57 UTC

Pushing this one out of RHOSP 11. This feature requires OVS 2.6.

Comment 11 Assaf Muller 2017-10-11 14:05:50 UTC

*** Bug 1500563 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.