On Wed, Jul 7, 2021 at 3:39 PM Ben Pfaff <b...@ovn.org> wrote:
>
> Hi, I've been talking to Shay Vargaftik (CC'd), also a researcher at
> VMware, about some work he's done on optimizing load balancers.  What
> he's come up with is a technique that in many cases avoids putting
> connections into the connection-tracking table, because it can achieve
> per-connection consistency without needing to do that.  This improves
> performance by reducing the size of the connection-tracking table, which
> is therefore more likely to fit inside a CPU cache and cheaper to
> search.
>
> I'm trying to determine whether this technique would apply to OVN's load
> balancer.  There would be challenges in any case, but one fundamental
> question I have is: is the OVN load balancer also supposed to be a
> firewall?  If it's not, then it's worth continuing to look to see if the
> technique is applicable.  On the other hand, if it is, then every
> connection needs to be tracked in any case, so the technique can't be
> useful.
>
> Anyone's thoughts would be welcome.
>
From my understanding, OVN LB doesn't directly relate to FW (OVN ACLs),
although they both use conntrack. For LB, we use conntrack for NAT (converting
the client IP to an LB-owned IP) purposes. Does this technique support NAT
without using conntrack?

Moreover, maybe for the future, we also need to consider the cases when an
LB is applied on an OVN gateway: for HA purposes, the NAT tracking entries
need to be replicable across nodes, so that when failover happens the
existing connections can continue working through another gateway node.

There are also OVN LB use cases that don't require NAT. If this technique
doesn't support NAT, it is probably still useful for those scenarios.

Thanks,
Han
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
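As an added illustration of the two points raised in this exchange (this is a toy model written for this page, not OVN code and not the technique Ben refers to): a backend chosen from a hash of the forward 5-tuple stays the same for the life of a connection with no conntrack entry at all, and a DNAT-only return path needs just a static backend-to-VIP map; SNAT of the client to an LB-owned IP, the case Han describes, cannot be reversed without a per-connection table. The addresses, ports and backend lists are made up, and plain modulo hashing is used so that the "in many cases" caveat (flows that move when the backend set changes) is visible too.

```python
"""Toy model of a stateless DNAT load balancer versus a conntrack-backed
SNAT one.  Written for this page; not OVN code.  All addresses are made up."""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def pick_backend(pkt, backends):
    """Choose a backend from a hash of the forward 5-tuple.

    Same 5-tuple -> same backend for the life of the connection, with no
    per-connection state.  Plain modulo hashing is used for brevity; it
    remaps many flows when the backend list changes (see flows_remapped).
    """
    key = f"{pkt.proto}|{pkt.src_ip}:{pkt.src_port}|{pkt.dst_ip}:{pkt.dst_port}"
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    return backends[h % len(backends)]


class StatelessDnatLB:
    """DNAT only: client -> VIP becomes client -> backend.

    The return path needs a backend -> VIP map, which is static configuration
    rather than per-connection state, so no conntrack table is populated.
    Assumes (for this toy) that each backend serves a single VIP.
    """

    def __init__(self, vip, vport, backends):
        self.vip, self.vport = vip, vport
        self.backends = tuple(backends)              # (ip, port) pairs
        self.backend_to_vip = {b: (vip, vport) for b in self.backends}

    def forward(self, pkt):
        if (pkt.dst_ip, pkt.dst_port) != (self.vip, self.vport):
            return pkt                                # not for this VIP
        bip, bport = pick_backend(pkt, self.backends)
        return replace(pkt, dst_ip=bip, dst_port=bport)

    def reverse(self, pkt):
        vip = self.backend_to_vip.get((pkt.src_ip, pkt.src_port))
        if vip is None:
            return pkt                                # not a backend reply
        return replace(pkt, src_ip=vip[0], src_port=vip[1])


class ConntrackSnatLB:
    """DNAT plus SNAT of the client to an LB-owned IP.

    The backend's reply carries only the LB address and an allocated port,
    so the original client can only be recovered from a per-connection
    table; the table grows by one entry per connection.
    """

    def __init__(self, vip, vport, backends, snat_ip):
        self.vip, self.vport = vip, vport
        self.backends = tuple(backends)
        self.snat_ip = snat_ip
        self.next_port = 1024
        self.table = {}                               # (backend, snat_port) -> client

    def forward(self, pkt):
        if (pkt.dst_ip, pkt.dst_port) != (self.vip, self.vport):
            return pkt
        backend = pick_backend(pkt, self.backends)
        client = (pkt.src_ip, pkt.src_port)
        # Reuse the entry if this connection is already tracked.
        known = [sp for (b, sp), c in self.table.items() if b == backend and c == client]
        if known:
            port = known[0]
        else:
            port = self.next_port
            self.next_port += 1
            self.table[(backend, port)] = client
        return Packet(self.snat_ip, port, backend[0], backend[1], pkt.proto)

    def reverse(self, pkt):
        client = self.table.get(((pkt.src_ip, pkt.src_port), pkt.dst_port))
        if client is None or pkt.dst_ip != self.snat_ip:
            return None                               # no state: reply undeliverable
        return Packet(self.vip, self.vport, client[0], client[1], pkt.proto)


def flows_remapped(pkts, before, after):
    """Count connections whose backend changes when the backend set changes.

    A stateless LB breaks these connections; keeping them alive needs either
    a conntrack entry for the affected flows or a hashing scheme that moves
    fewer of them.
    """
    return sum(pick_backend(p, before) != pick_backend(p, after) for p in pkts)


if __name__ == "__main__":
    backends = [("10.0.0.2", 80), ("10.0.0.3", 80)]
    pkts = [Packet(f"192.168.1.{i}", 40000 + i, "172.16.0.1", 80) for i in range(50)]
    lb = StatelessDnatLB("172.16.0.1", 80, backends)
    ct = ConntrackSnatLB("172.16.0.1", 80, backends, "172.16.0.254")
    for p in pkts:
        lb.forward(p)
        ct.forward(p)
    print("stateless DNAT table size:", 0, " conntrack SNAT table size:", len(ct.table))
    print("flows moved after adding a backend:",
          flows_remapped(pkts, backends, backends + [("10.0.0.4", 80)]))
```

The model is deliberately minimal: the stateless path holds no per-connection data at all, and the conntrack path shows exactly what the entry has to carry (backend, allocated SNAT port, original client) and why it has to be present on whichever node sees the reply, which is the replication problem raised above for gateway HA.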