On Mon, May 16, 2022 at 4:27 PM Mark Michelson <mmich...@redhat.com> wrote:
> Hi Numan, > > I've taken a close look at the patches in this series, and they seem > really good. They're very well commented and well tested as well. It's > quite easy to follow the change, and I couldn't find any flaws in my > review. > > However, I do want to double-check that this does not put unnecessary > load on ovn-controller. I suspect it won't be much of a problem since > > 1) The port security flows are calculated incrementally. > 2) The reduced SB DB size likely lessens the overall load on > ovn-controller . > 3) The removed port security logical flows means there is less parsing > of logical flows per iteration of ovn-controller. > > However, this does add new OF flow creation in ovn-controller, so it's > worth checking to make sure ovn-controller does not see any noticeable > performance decrease. > > If we can get confirmation, then I'll ack the series. > Thanks Mark for the reviews. Sure. I'll do some tests and share the results. Numan > > On 5/12/22 20:42, num...@ovn.org wrote: > > From: Numan Siddique <num...@ovn.org> > > > > This patch series adds generic logical flows for port security in > > the logical switch pipeline and pushes the actual port security > > implementation logic to ovn-controller from ovn-northd. > > > > ovn-northd will now add logical flows like: > > > > table=0 (ls_in_check_port_sec), priority=50 , match=(1), > action=(reg0[14] = check_in_port_sec(); next;) > > table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[14] == 1), > action=(drop;) > > table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) > > > > OVN action check_in_port_sec() resubmits the packet to openflow table > > 73. ovn-controller will add port security flows in table 73,74 and 75 > > for all the logical ports it has claimed. The port security information > > is passed down the Port_Binding table in Southbound database. > > > > The main motivation for the patch is to address scale concerns. > > This patch series reduces the number of logical flows and ovn-northd > > CPU utilization time. > > > > Did some scale testing and below are the results: > > > > Used a Northbound database from a deployment of 120 node cluster. > > Number of logical switch ports with port security configured: 13711 > > > > With vanilla ovn-northd > > ----------------------- > > Number of logical flows : 208061 > > Avg time taken to run build_lflows() : 1301 msec > > Size of Southbound database after compaction: 104M > > > > With ovn-northd using this feature > > --------------------------------- > > Number of logical flows : 83396 > > Avg time taken to run build_lflows() : 560 msec > > Size of Southbound database after compaction: 45M > > > > > > > > Numan Siddique (3): > > ovn-controller: Add OF rules for port security. > > actions: Add new actions check_in_port_sec and check_out_port_sec. > > northd: Add generic port security logical flows. > > > > controller/binding.c | 78 +++- > > controller/binding.h | 23 +- > > controller/lflow.c | 792 ++++++++++++++++++++++++++++++++++- > > controller/lflow.h | 4 + > > controller/ovn-controller.c | 21 +- > > include/ovn/actions.h | 6 + > > include/ovn/logical-fields.h | 1 + > > lib/actions.c | 75 +++- > > northd/northd.c | 557 +++++------------------- > > northd/ovn-northd.8.xml | 263 ++++++------ > > ovn-sb.ovsschema | 7 +- > > ovn-sb.xml | 54 +++ > > tests/ovn-northd.at | 431 ++++++++++++------- > > tests/ovn.at | 369 ++++++++++++++-- > > tests/test-ovn.c | 2 + > > utilities/ovn-trace.c | 313 ++++++++++++++ > > 16 files changed, 2175 insertions(+), 821 deletions(-) > > > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev