
[openstack-dev] [neutron][networking-ovs-dpdk] conntrack security group driver with ovs-dpdk

0 votes

Hi just a quick fyi,

About 2 weeks ago I did some light testing with the conntrack security group driver and the newly merged userspace conntrack support in ovs.

I can confirm that at least from my initial smoke tests, where I used netcat, ping and ssh to try and establish connections between two vms, the conntrack security group driver appears to function correctly with the userspace connection tracker.

We have not looked at any of the performance yet but assuming it is at an acceptable level I am planning to deprecate the learn action based driver in networking-ovs-dpdk and remove it once we have cut the stable newton branch.

We hope to do some rfc 2544 throughput testing to evaluate the performance sometime mid-September. Assuming all goes well I plan on enabling the conntrack based security group driver by default when the networking-ovs-dpdk devstack plugin is loaded. We will also evaluate enabling the security group tests in our third party ci to ensure it continues to function correctly with ovs-dpdk.

Regards
Seán


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Aug 6, 2016 in openstack-dev by Mooney,_Sean_K (3,580 points)   4 9
retagged Jan 26, 2017 by admin

6 Responses

0 votes

Awesome Sean!,

Keep us posted!! :)

responded Aug 8, 2016 by Miguel_Ángel_Ajo (6,980 points)   1 4 7
0 votes

Hi,
(sorry for using incorrect threading)

About 2 weeks ago I did some light testing with the conntrack security group driver and the newly merged userspace conntrack support in ovs.

By 'recently' - whether you mean patch v4 http://openvswitch.org/pipermail/dev/2016-June/072700.html
or you used OVS 2.5 itself (which I think includes v2 of the same patch series)?

So in general - I am a bit confused about conntrack support in OVS.

OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016-February/000081.html state:
"This release includes the highly anticipated support for connection tracking in the Linux kernel. This feature makes it possible to implement stateful firewalls and will be the basis for future stateful features such as NAT and load-balancing. Work is underway to bring connection tracking to the userspace datapath (used by DPDK) and the port to Hyper-V." - in the way that 'work is underway' (=work is ongoing) means that at the time of the OVS 2.5 release the feature was not 'classified' as ready?

BR,
Konstantin

responded Aug 9, 2016 by Kostiantyn.Volenbovs (940 points)  
0 votes

-----Original Message-----
From: Kostiantyn.Volenbovskyi@swisscom.com
[mailto:Kostiantyn.Volenbovskyi@swisscom.com]
Sent: Tuesday, August 9, 2016 12:58 PM
To: openstack-dev@lists.openstack.org; Mooney, Sean K
sean.k.mooney@intel.com
Subject: RE: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
security group driver with ovs-dpdk

Hi,
(sorry for using incorrect threading)

About 2 weeks ago I did some light testing with the conntrack security group driver and the newly merged userspace conntrack support in ovs.

By 'recently' - whether you mean patch v4 http://openvswitch.org/pipermail/dev/2016-June/072700.html or you used OVS 2.5 itself (which I think includes v2 of the same patch series)?
[Mooney, Sean K] I used http://openvswitch.org/pipermail/dev/2016-June/072700.html or specifically I used the following commit https://github.com/openvswitch/ovs/commit/0c87efe4b5017de4c5ae99e7b9c36e8a6e846669 which is just after userspace conntrack was merged.

So in general - I am a bit confused about conntrack support in OVS.

OVS 2.5 release notes http://openvswitch.org/pipermail/announce/2016-February/000081.html state:
"This release includes the highly anticipated support for connection tracking in the Linux kernel. This feature makes it possible to implement stateful firewalls and will be the basis for future stateful features such as NAT and load-balancing. Work is underway to bring connection tracking to the userspace datapath (used by DPDK) and the port to Hyper-V." - in the way that 'work is underway' (=work is ongoing) means that at the time of the OVS 2.5 release the feature was not 'classified' as ready?
[Mooney, Sean K]
In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x kernel that supported it. That means that the feature was not available on bsd, windows or with dpdk.

In the upcoming ovs 2.6 release conntrack support has been added to the netdev datapath which is used with dpdk and on bsd. As far as I am aware windows conntrack support is still missing but I may be wrong.

If you are interested the devstack local.conf I used to test that it functioned is available here
http://paste.openstack.org/show/552434/

I used an OpenStack vm using the Ubuntu 16.04 and 2 e1000 interfaces to do the testing.

BR,
Konstantin

responded Aug 9, 2016 by Mooney,_Sean_K (3,580 points)   4 9
0 votes

Hi,

[Mooney, Sean K]
In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x kernel that supported it. That means that the feature was not available on bsd, windows or with dpdk.
Yup, I also thought about something like that.
I think I was at-least-slightly misguided by
http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
and there is currently a statement
"The native OVS firewall implementation requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer."

Do you agree that this is something to change? I think it is not OK to state OVS 2.6 without that being released, but in case I am not confusing then:
- OVS firewall driver with OVS that uses kernel datapath requires OVS 2.5 and Linux kernel 4.3
- OVS firewall driver with OVS that uses userspace datapath with DPDK (aka ovs-dpdk aka DPDK vhost-user aka netdev datapath) doesn't have a Linux kernel prerequisite

That is documented in the table in "### Q: Are all features available with all datapaths?":
http://openvswitch.org/support/dist-docs/FAQ.md.txt
where currently 'Connection tracking' row says 'NO' for 'Userspace' - but that's exactly what has been merged recently /to become feature of OVS 2.6

Also when it comes to performance I came across
http://openvswitch.org/pipermail/dev/2016-June/071982.html, but I would guess that devil could be the exact flows/ct actions that will be present in real-life scenario.

BR,
Konstantin

responded Aug 10, 2016 by Kostiantyn.Volenbovs (940 points)  
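
The per-datapath prerequisites worked out in the messages above, as an added preflight check that is not part of the original thread or of Neutron/OVS code. The function names are hypothetical and the sample hosts are constructed; the thresholds (OVS 2.5 plus Linux 4.3 for the kernel datapath, OVS 2.6 for the netdev datapath) are the ones stated by the participants.

```shell
#!/bin/sh
# Added example: decide whether the conntrack-based OVS firewall driver can
# work on a host, so that a security group is never silently unenforced.
# On a real host the three inputs could be read with, for example:
#   ovs-vsctl get bridge br-int datapath_type   # system or netdev
#   ovs-vswitchd --version
#   uname -r

# split_version V: set MAJOR and MINOR from a dotted version string such as
# "2.6.0" or "4.4.0-31-generic"; missing or non-numeric parts become 0.
split_version() {
    v=$1
    MAJOR=${v%%.*}
    case $v in
        *.*) rest=${v#*.}; MINOR=${rest%%.*} ;;
        *)   MINOR=0 ;;
    esac
    MAJOR=${MAJOR%%[!0-9]*}
    MINOR=${MINOR%%[!0-9]*}
    : "${MAJOR:=0}" "${MINOR:=0}"
}

# version_ge A B: succeed when A >= B, comparing major.minor numerically
# (so 2.10 is newer than 2.6, which a string comparison would get wrong).
version_ge() {
    split_version "$1"; a_major=$MAJOR; a_minor=$MINOR
    split_version "$2"; b_major=$MAJOR; b_minor=$MINOR
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# conntrack_fw_check DATAPATH OVS_VERSION KERNEL_VERSION
# Prints a one-line verdict. Returns 0 if supported, 1 if a prerequisite is
# missing, 2 if the datapath type is not recognised.
conntrack_fw_check() {
    datapath=$1 ovs=$2 kernel=$3
    case $datapath in
        system)
            # Kernel datapath: conntrack lives in the Linux kernel module.
            if ! version_ge "$ovs" 2.5; then
                echo "unsupported: kernel datapath needs OVS >= 2.5, found $ovs"
                return 1
            fi
            if ! version_ge "$kernel" 4.3; then
                echo "unsupported: kernel datapath needs Linux >= 4.3, found $kernel"
                return 1
            fi
            ;;
        netdev)
            # Userspace (DPDK) datapath: conntrack is inside ovs-vswitchd,
            # so the kernel version is irrelevant but OVS 2.5 is too old.
            if ! version_ge "$ovs" 2.6; then
                echo "unsupported: netdev datapath needs OVS >= 2.6, found $ovs"
                return 1
            fi
            ;;
        *)
            echo "unknown datapath_type: $datapath"
            return 2
            ;;
    esac
    echo "ok: $datapath datapath, OVS $ovs"
}

# Constructed sample hosts: datapath_type, OVS version, kernel release.
for host in \
    "system 2.5.0 4.4.0-31-generic" \
    "system 2.5.0 3.13.0-92-generic" \
    "netdev 2.5.0 4.4.0-31-generic" \
    "netdev 2.6.0 3.13.0-92-generic"
do
    set -- $host
    printf '%-34s %s\n' "$host" "$(conntrack_fw_check "$1" "$2" "$3")"
done
```

The third sample host is the case the quoted networking-guide sentence gets wrong: OVS 2.5 satisfies "2.5 or newer" but has no connection tracker in the netdev datapath.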
0 votes
  • Jakub.

On Wed, Aug 10, 2016 at 9:54 AM, Kostiantyn.Volenbovskyi@swisscom.com wrote:
Hi,

[Mooney, Sean K]
In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x kernel that supported it. That means that the feature was not available on bsd, windows or with dpdk.
Yup, I also thought about something like that.
I think I was at-least-slightly misguided by
http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
and there is currently a statement
"The native OVS firewall implementation requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer."

I agree, that statement is misleading.

responded Aug 15, 2016 by assaf_at_redhat.com (2,500 points)   1 1
0 votes

-----Original Message-----
From: Assaf Muller [mailto:assaf@redhat.com]
Sent: Monday, August 15, 2016 2:50 PM
To: OpenStack Development Mailing List (not for usage questions)
openstack-dev@lists.openstack.org
Cc: Mooney, Sean K sean.k.mooney@intel.com
Subject: Re: [openstack-dev] [neutron][networking-ovs-dpdk] conntrack
security group driver with ovs-dpdk

  • Jakub.

On Wed, Aug 10, 2016 at 9:54 AM, Kostiantyn.Volenbovskyi@swisscom.com wrote:

Hi,

[Mooney, Sean K]
In ovs 2.5 only linux kernel conntrack was supported assuming you had a 4.x kernel that supported it. That means that the feature was not available on bsd, windows or with dpdk.
Yup, I also thought about something like that.
I think I was at-least-slightly misguided by
http://docs.openstack.org/draft/networking-guide/adv-config-ovsfwdriver.html
and there is currently a statement
"The native OVS firewall implementation requires kernel and user space support for conntrack, thus requiring minimum versions of the Linux kernel and Open vSwitch. All cases require Open vSwitch version 2.5 or newer."

I agree, that statement is misleading.
[Mooney, Sean K] The 2.6 branch now exists so it is probably ok to refer to 2.6 now. https://github.com/openvswitch/ovs/commits/branch-2.6
The release should be made ~ September 15th
https://github.com/openvswitch/ovs/blob/797dad21566fecc60de3ce6f93c81ad55a61fe86/Documentation/release-process.md#release-scheduling
which will be before the next openstack release.
If you would like I can update the networking guide to reflect the change in ovs.

responded Aug 16, 2016 by Mooney,_Sean_K (3,580 points)   4 9
...