[pve-devel] openflow firewall
Alexandre DERUMIER
aderumier at odiso.com
Sun Dec 29 14:16:59 CET 2013
>> I have done some research now, and it seems that we can only implement
>> a stateless firewall with openflow.
Yes, I also see that. That's why I would like to see the performance.
But it seems that only the first packet of a flow goes to the controller.
(But I don't know what the size of a flow is? How many packets?)
>> Some recent OVS additions allow at least
>> to match tcp_flags, but this is not comparable with real (iptables) connection
>> tracking. I will do further tests.
Yes, this is also discussed here:
https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver
"My preferred implementation is 'stateless ACLs with tcp_flags=ack' to emulate stateful behavior (at least in TCP) because reflexive learning is not as performant."
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Saturday 28 December 2013 16:12:09
Subject: openflow firewall
I have done some research now, and it seems that we can only implement
a stateless firewall with openflow. Some recent OVS additions allow at least
to match tcp_flags, but this is not comparable with real (iptables) connection
tracking. I will do further tests.
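The "stateless ACLs with tcp_flags=ack" idea quoted above, shown as an added example that is not part of this thread or of the OVS or Neutron code. The three flow entries use ovs-ofctl match syntax (`in_port`, `tcp`, `tcp_flags=+ack`, `actions=normal|drop`); the topology (guest NIC on ofport 1, uplink on ofport 2), the tiny rule parser, the packet model and the minimal connection-tracking class are all constructed for this example. Running it shows where the emulation is weaker than real conntrack: an unsolicited inbound segment that merely has the ACK bit set is accepted by the stateless table but dropped by the stateful one.

```python
"""Stateless 'tcp_flags=+ack' ACLs versus a minimal connection-tracking model.

Flow strings follow ovs-ofctl syntax; the parser/matcher below is a
simplified model written for this example and is not OVS code.
"""
import re
from dataclasses import dataclass

# Assumed topology (constructed for this example): guest NIC on ofport 1,
# uplink on ofport 2. Highest priority wins, as in an OVS flow table.
STATELESS_FLOWS = [
    "priority=100,in_port=1,tcp,actions=normal",                 # VM-initiated
    "priority=100,in_port=2,tcp,tcp_flags=+ack,actions=normal",  # 'established'
    "priority=10,in_port=2,tcp,actions=drop",                    # bare SYN etc.
]


@dataclass(frozen=True)
class Packet:
    in_port: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"syn", "ack", "fin", "rst"}


def parse_flow(text):
    """Parse 'priority=N,in_port=P,tcp,tcp_flags=+a-b,actions=X' into a rule."""
    rule = {"priority": 0, "match": {}, "action": "drop"}
    for part in text.split(","):
        if part == "tcp":
            rule["match"]["proto"] = "tcp"
            continue
        key, _, value = part.partition("=")
        if key == "actions":
            rule["action"] = value
        elif key == "priority":
            rule["priority"] = int(value)
        elif key == "in_port":
            rule["match"]["in_port"] = int(value)
        elif key == "tcp_flags":
            # '+flag' requires the bit to be set, '-flag' requires it clear
            rule["match"]["tcp_flags"] = {
                flag: (sign == "+") for sign, flag in re.findall(r"([+-])(\w+)", value)
            }
    return rule


def rule_matches(rule, pkt):
    m = rule["match"]
    if "in_port" in m and m["in_port"] != pkt.in_port:
        return False
    for flag, required in m.get("tcp_flags", {}).items():
        if (flag in pkt.flags) != required:
            return False
    return True


def stateless_verdict(pkt, flows=STATELESS_FLOWS):
    """First matching rule by descending priority; table-miss is a drop here."""
    rules = sorted((parse_flow(f) for f in flows), key=lambda r: -r["priority"])
    for rule in rules:
        if rule_matches(rule, pkt):
            return "allow" if rule["action"] == "normal" else "drop"
    return "drop"


class ConnTrack:
    """Minimal stateful model: only flows the VM opened (SYN from port 1) are tracked."""

    def __init__(self):
        self.table = set()

    def verdict(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.in_port == 1:  # outbound from the guest
            if "syn" in pkt.flags and "ack" not in pkt.flags:
                self.table.add(fwd)
            return "allow"
        return "allow" if rev in self.table else "drop"  # inbound needs a known flow


def run_scenarios():
    """Constructed packets; returns {name: (stateless verdict, conntrack verdict)}."""
    ct = ConnTrack()
    vm, peer = "10.0.0.5", "203.0.113.9"  # constructed addresses
    scenarios = {
        "vm_syn": Packet(1, vm, 40000, peer, 443, frozenset({"syn"})),
        "peer_synack": Packet(2, peer, 443, vm, 40000, frozenset({"syn", "ack"})),
        "unsolicited_syn": Packet(2, peer, 5555, vm, 22, frozenset({"syn"})),
        "unsolicited_ack": Packet(2, peer, 5555, vm, 22, frozenset({"ack"})),
    }
    return {name: (stateless_verdict(p), ct.verdict(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:16s} stateless={stateless:5s} conntrack={stateful}")
```

The last scenario is the one to keep in mind when weighing this design against iptables conntrack: because the stateless table can only look at the bits in the packet, anything inbound with ACK set is treated as return traffic, whereas the stateful model rejects it because no guest-initiated flow exists for that tuple.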