[pve-devel] openflow firewall
Dietmar Maurer
dietmar at proxmox.com
Sun Dec 29 14:55:07 CET 2013
> Yes, I see that also. That's why I would like to see performance.
> But it seems that only the first packet of a flow goes to the controller.
>
> (But I don't know what the size of a flow is? How many packets?)
AFAIK we do not need to use a controller - we just set up the flow table statically
using ovs-ofctl.
> >> Some recent OVS addition allows at least to match tcp_flags, but this
> >> is not comparable with real (iptables) connection tracking. I will do
> >> further tests.
>
> Yes, this is also discussed here:
> https://wiki.openstack.org/wiki/Neutron/blueprint_ovs-firewall-driver
>
> "My preferred implementation is 'stateless ACLs with tcp_flags=ack' to emulate
> stateful behavior (at least in TCP) because reflexive learning is not as
> performant."
I will try to setup a test script for that.
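As an added illustration of the two points in this thread (a static flow table loaded with ovs-ofctl, no controller, and the "stateless ACL with tcp_flags=ack" emulation of stateful TCP), here is a small POSIX shell script that generates such a flow table for one VM port. It is not code from the thread or from Proxmox; the bridge, port name and MAC address are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a static OpenFlow table for one VM port that
# emulates stateful TCP filtering with tcp_flags=+ack (a stateless ACL).
# Port name and MAC are placeholders, not values from the thread.

# gen_tcp_flows PORT MAC
# Prints flow entries in the syntax accepted by "ovs-ofctl add-flows BRIDGE FILE".
gen_tcp_flows() {
    port="$1"
    mac="$2"
    # Outbound: the VM may open TCP connections (SYN and everything after it).
    printf 'priority=100,in_port=%s,dl_src=%s,tcp,actions=normal\n' "$port" "$mac"
    # Inbound: segments carrying ACK are accepted as presumed replies to
    # connections the VM opened. This is the whole trick: there is no
    # connection table, so any ACK-flagged segment qualifies, which is why
    # the thread calls it "not comparable with real connection tracking".
    printf 'priority=100,dl_dst=%s,tcp,tcp_flags=+ack,actions=normal\n' "$mac"
    # Inbound: a bare SYN is a new inbound connection attempt; drop it.
    printf 'priority=90,dl_dst=%s,tcp,tcp_flags=+syn-ack,actions=drop\n' "$mac"
    # Inbound: any other TCP segment to the VM (RST/FIN without ACK) is dropped.
    printf 'priority=80,dl_dst=%s,tcp,actions=drop\n' "$mac"
    # Everything else (ARP, ICMP, non-TCP) is left to normal L2 switching here.
    printf 'priority=0,actions=normal\n'
}

# count_flows PORT MAC -> number of entries generated, for a quick sanity check
count_flows() {
    gen_tcp_flows "$1" "$2" | wc -l | tr -d ' '
}

# Usage with constructed placeholder names; feed the output to OVS with
#   gen_tcp_flows tap101i0 02:00:00:00:00:01 > flows.txt
#   ovs-ofctl add-flows vmbr0 flows.txt
gen_tcp_flows tap101i0 02:00:00:00:00:01
```

The first ACK rule is what makes this a stateless approximation: it accepts every ACK-flagged segment addressed to the VM regardless of whether a matching outbound connection exists, which is the gap between this scheme and real conntrack that the thread refers to.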