On 2/2/24 10:32, Felix Huettner via dev wrote:
> Previously the kernel did not provide a netlink interface to flush/list
> only conntrack entries matching a specific zone. With [1] it is now
> possible to flush and list conntrack entries filtered by zone. Older
> kernels not yet supporting this feature will ignore the filter.
> For the list request that means just returning all entries (which we can
> then filter in userspace as before).
> For the flush request that means deleting all conntrack entries.
>
> This significantly improves the performance of flushing conntrack zones
> when the conntrack table is large. Since flushing a conntrack zone is
> normally triggered via an openflow command it blocks the main ovs thread
> and thereby also blocks new flows from being applied. Using this new
> feature we can reduce the flushing time for zones by around 93%.
>
> In combination with OVN the creation of a Logical_Router (which causes
> the flushing of a ct zone) could block other operations, e.g. the
> failover of Logical_Routers (as they cause new flows to be created).
> This is visible from a user perspective as an ovn-controller that is idle
> (as it waits for vswitchd) and vswitchd reporting:
> "blocked 1000 ms waiting for main to quiesce" (potentially with ever
> increasing times).
>
> The following performance tests were run in a qemu vm with 500.000
> conntrack entries distributed evenly over 500 ct zones using `ovstest
> test-netlink-conntrack flush zone=<zoneid>`.
>
> With this patch and kernel v6.8-rc2:
>
<snip> > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index f363a778c..869728a1d 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -3214,6 +3214,14 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | > FORMAT_CT(10.1.1.4)], [0], [dnl > > tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>) > ]) > > +dnl flushing one zone should leave the others intact

Hi, Felix. Not a full review, but I'm a little concerned if that part
actually works for zone 0, i.e. that zone 0 remains intact when we flush
other zones.

I sent a question to the netdev list:
  https://lore.kernel.org/netdev/2032238f-31ac-4106-8f22-522e76df5...@ovn.org/

Please, reply there.

Best regards, Ilya Maximets.
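Review bot: the check added at `+dnl flushing one zone should leave the others intact` only holds when the kernel honors the zone filter. The commit message states that older kernels ignore the filter and that a flush request then deletes all conntrack entries, so on such a kernel this check would see the other zones emptied as well. Please state in the `dnl` comment whether the test relies on a userspace fallback or has to be skipped when the kernel lacks zone-filtered flush, and guard it accordingly. The context above the added line only shows an entry with `zone=2`; it would help to also keep an entry in the default zone (zone 0) alive and assert that it survives flushing a different zone, since a zone value of 0 is the case most likely to be indistinguishable from "no filter given".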