> On 5 Jul 2018, at 23:34, Han Zhou <zhou...@gmail.com> wrote:
>
> On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <dalva...@redhat.com>
> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are
> > duplicating the lflows for the DHCP now with the current code. Seeking for
> > advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL for
> > the DHCP:
> >
> > _uuid        : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action       : allow
> > direction    : from-lport
> > external_ids : {}
> > log          : false
> > match        : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src ==
> > 68 && udp.dst == 67"
> > name         : []
> > priority     : 1002
> > severity     : []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid            : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions          : "next;"
> > external_ids     : {source="ovn-northd.c:3192", stage-hint="7f2b64eb",
> > stage-name=ls_in_acl}
> > logical_datapath : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match            : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src ==
> > 68 && udp.dst == 67"
> > pipeline         : ingress
> > priority         : 2002
> > table_id         : 6
> > hash             : 0
> >
> >
> > However, all the ports belonging in that subnet also have a lflow for DHCP
> > (different stages though)
> >
> > _uuid            : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions          : "next;"
> > external_ids     : {source="ovn-northd.c:2579",
> > stage-name=ls_in_port_sec_ip}
> > logical_datapath : 2b3126db-74d4-48a1-9e81-192066748de6
> > match            : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\"
> > && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst ==
> > 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline         : ingress
> > priority         : 90
> > table_id         : 1
> > hash             : 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to take
> > care of the DHCP?
>
> Yes, I think it is the right way to do in networking-ovn. Otherwise, we will
> have to create per-port ACL to allow DHCP. The example you gave above are NOT
> redundant flows, as you mentioned they are in different stages (for different
> purposes), and they will end up as ovs flows in different ovs flow tables.
>
> > 2) We have per-port DHCP lflows, is it worth to implement port groups
> > around them too?
>
> For the per-port DHCP flows in port-security stage, they can't be "grouped"
> because eth.src is in match condition, which is different for each port.
>

Oh absolutely! For my 1K ports test using 6 security group rules, the number of ACLs went down from 9000 to 197 while the number of lflows went down from 34000 to 22000. The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15 seconds. Still neutron ML2 is the bottleneck in the OpenStack case.

Thanks Han! My bad for not realizing, sorry.

> >
> > Thanks!
> > Daniel
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss