Wednesday, December 18, 2013

Open vSwitch

Just reading this post: http://openvswitch.org/slides/OpenStack-131107.pdf and slide 13 caught my eye.
(edit: figured out how to link directly to a page in a pdf, should work in chrome and adobe reader: http://openvswitch.org/slides/OpenStack-131107.pdf#page=13)

I'm interested if this kernel caching could be hijacked at all from a security standpoint to send further packets that appear to be part of that netflow to bypass userland Open vSwitch logic checks by continuing to ride as if they were part of the cached entry.

Should look into the logic that decides if the flow is the same as the previous. I don't expect that it could be used to route packets improperly, but should be fun to dig into and is a good reason to learn more about Open vSwitch. Will update this at that point.

Made it to page 17: http://openvswitch.org/slides/OpenStack-131107.pdf#page=17. This has a bit more info on how the user logic vs. cached logic is applied:
"Header fields are hashed and used as an index into a set of large hash tables"
"if entry found, actions applied to packet and counters are updated."
If not: packet is sent to userspace for processing

This seems like a smart way of doing things, still need to dig into even nittier gritty.
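
A toy model of the lookup quoted from slide 17, added here as an illustration and not Open vSwitch code: it shows the property worth checking in the real datapath, namely that the cache key covers every header field the userspace logic reads. The `Packet` fields, the `policy` rule, and the `FlowCache` class are all assumptions made up for this sketch.

```python
from collections import namedtuple

# Constructed header fields for the model; a real datapath key has many more.
Packet = namedtuple("Packet", "in_port src_ip dst_ip proto dst_port")

def policy(pkt):
    """Stand-in for the userspace logic: allow only TCP/80 to 10.0.0.2."""
    if pkt.dst_ip == "10.0.0.2" and pkt.proto == "tcp" and pkt.dst_port == 80:
        return "output:2"
    return "drop"

class FlowCache:
    """Hypothetical fast path: hash selected header fields, reuse cached actions."""

    def __init__(self, key_fields):
        self.key_fields = key_fields
        self.table = {}      # key tuple -> [actions, packet_count]
        self.upcalls = 0     # packets that had to go to "userspace"

    def _key(self, pkt):
        return tuple(getattr(pkt, f) for f in self.key_fields)

    def process(self, pkt):
        key = self._key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # Miss: consult the slow path once and cache its decision.
            self.upcalls += 1
            entry = self.table[key] = [policy(pkt), 0]
        entry[1] += 1        # hit or miss, the entry's counter is updated
        return entry[0]

def run(key_fields):
    """Send an allowed packet twice, then one differing only in dst_port."""
    cache = FlowCache(key_fields)
    allowed = Packet(1, "10.0.0.1", "10.0.0.2", "tcp", 80)
    other = allowed._replace(dst_port=22)
    results = [cache.process(p) for p in (allowed, allowed, other)]
    return results, cache.upcalls

if __name__ == "__main__":
    # Key covers every field the policy reads: the port-22 packet misses.
    print(run(Packet._fields))
    # Key omits dst_port: the port-22 packet rides the cached entry.
    print(run(("in_port", "src_ip", "dst_ip", "proto")))
```

In this model, a packet can only reuse a cached decision it should not get when the key leaves out a field the policy depends on, so the key construction is the part of the real code to read first.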