On Thu, Jul 6, 2017 at 2:15 PM, Han Zhou <zhou...@gmail.com> wrote:

> Despite the original motivation of this change, I found the patch valuable
> for data-plane performance.
>
> When localnet port is used for communication between 2 ports of same
> lswitch (basic provider network scenario), without the patch, each flow is
> tracked in conntrack table twice. With the patch, it improves the
> performance in 2 ways:
>
> 1) It reduces 50% of conntrack operations
>
> 2) It reduces 50% number of entries in conntrack table, which also helps
> reducing conntrack cost
>
> I had some tests for TCP_CRR, it improves performance for 5 - 10%.
> Discussed in today's ovn meeting and we agreed it is valid optimization
> because localnet port is used as transport, not the real end-point to
> protect.
>
> @Qianyu, would it be good to revise the patch on the commit message to put
> it as an optimization for conntrack performance? The current commit message
> is not true because it is not a supported scenario for now, and the "fix"
> is not complete, either. The new scenario would be worth a separate discussion.
> What do you think?
While the localnet port is not an endpoint, it did seem useful to me to be able to define security policy there as that is the first place traffic enters from "outside" of OVN. We could potentially drop traffic sooner, before sending it over to the final endpoint on another chassis.

Based on a quick review of the discussion, it does seem like dropping it is the better choice for now. If the security aspect is desired later, perhaps we could solve it another way by supporting ACLs associated with the L3 gateway sitting between an OVN logical network and a physical network (localnet network).

--
Russell Bryant