> On 5 Jul 2018, at 23:34, Han Zhou <zhou...@gmail.com> wrote:
> 
> 
> 
> On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <dalva...@redhat.com> 
> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are 
> > duplicating the lflows for the DHCP now with the current code. Seeking 
> > advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL for 
> > the DHCP:
> >
> > _uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action              : allow
> > direction           : from-lport
> > external_ids        : {}
> > log                 : false
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > name                : []
> > priority            : 1002
> > severity            : []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
> > logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 2002
> > table_id            : 6
> > hash                : 0
> >
> >
> > However, all the ports belonging to that subnet also have a lflow for DHCP 
> > (different stages though):
> >
> > _uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
> > logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
> > match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 90
> > table_id            : 1
> > hash                : 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to take 
> > care of the DHCP?
> 
> Yes, I think it is the right way to do it in networking-ovn. Otherwise, we will 
> have to create per-port ACLs to allow DHCP. The examples you gave above are NOT 
> redundant flows; as you mentioned, they are in different stages (for different 
> purposes), and they will end up as OVS flows in different OVS flow tables.
> 
> > 2) We have per-port DHCP lflows, is it worth implementing port groups 
> > around them too?
> 
> For the per-port DHCP flows in the port-security stage, they can't be "grouped" 
> because eth.src is in the match condition, which is different for each port.
> 
Oh absolutely! For my 1K ports test using 6 security group rules, the number of 
ACLs went down from 9000 to 197 while the number of lflows went down from 34000 
to 22000.
The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15 seconds.
Still, Neutron ML2 is the bottleneck in the OpenStack case.

Thanks Han! My bad for not realizing, sorry 
> >
> > Thanks!
> > Daniel
> >
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
