Hi Numan,
I've taken a close look at the patches in this series, and they seem
really good. They're very well commented and well tested as well. It's
quite easy to follow the change, and I couldn't find any flaws in my review.
However, I do want to double-check that this does not put unnecessary
load on ovn-controller. I suspect it won't be much of a problem since
1) The port security flows are calculated incrementally.
2) The reduced SB DB size likely lessens the overall load on
ovn-controller .
3) The removed port security logical flows means there is less parsing
of logical flows per iteration of ovn-controller.
However, this does add new OF flow creation in ovn-controller, so it's
worth checking to make sure ovn-controller does not see any noticeable
performance decrease.
If we can get confirmation, then I'll ack the series.
On 5/12/22 20:42, num...@ovn.org wrote:
From: Numan Siddique <num...@ovn.org>
This patch series adds generic logical flows for port security in
the logical switch pipeline and pushes the actual port security
implementation logic to ovn-controller from ovn-northd.
ovn-northd will now add logical flows like:
table=0 (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[14] =
check_in_port_sec(); next;)
table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[14] == 1),
action=(drop;)
table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;)
OVN action check_in_port_sec() resubmits the packet to openflow table
73. ovn-controller will add port security flows in table 73,74 and 75
for all the logical ports it has claimed. The port security information
is passed down the Port_Binding table in Southbound database.
The main motivation for the patch is to address scale concerns.
This patch series reduces the number of logical flows and ovn-northd
CPU utilization time.
Did some scale testing and below are the results:
Used a Northbound database from a deployment of 120 node cluster.
Number of logical switch ports with port security configured: 13711
With vanilla ovn-northd
-----------------------
Number of logical flows : 208061
Avg time taken to run build_lflows() : 1301 msec
Size of Southbound database after compaction: 104M
With ovn-northd using this feature
---------------------------------
Number of logical flows : 83396
Avg time taken to run build_lflows() : 560 msec
Size of Southbound database after compaction: 45M
Numan Siddique (3):
ovn-controller: Add OF rules for port security.
actions: Add new actions check_in_port_sec and check_out_port_sec.
northd: Add generic port security logical flows.
controller/binding.c | 78 +++-
controller/binding.h | 23 +-
controller/lflow.c | 792 ++++++++++++++++++++++++++++++++++-
controller/lflow.h | 4 +
controller/ovn-controller.c | 21 +-
include/ovn/actions.h | 6 +
include/ovn/logical-fields.h | 1 +
lib/actions.c | 75 +++-
northd/northd.c | 557 +++++-------------------
northd/ovn-northd.8.xml | 263 ++++++------
ovn-sb.ovsschema | 7 +-
ovn-sb.xml | 54 +++
tests/ovn-northd.at | 431 ++++++++++++-------
tests/ovn.at | 369 ++++++++++++++--
tests/test-ovn.c | 2 +
utilities/ovn-trace.c | 313 ++++++++++++++
16 files changed, 2175 insertions(+), 821 deletions(-)
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
