On Thu, Jul 5, 2018 at 3:15 PM, Daniel Alvarez <dalva...@redhat.com> wrote:
>
> On 5 Jul 2018, at 23:34, Han Zhou <zhou...@gmail.com> wrote:
> >
> > On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <dalva...@redhat.com> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are duplicating the lflows for the DHCP now with the current code. Seeking for advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL for the DHCP:
> >
> > _uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action              : allow
> > direction           : from-lport
> > external_ids        : {}
> > log                 : false
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > name                : []
> > priority            : 1002
> > severity            : []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
> > logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 2002
> > table_id            : 6
> > hash                : 0
> >
> >
> > However, all the ports belonging in that subnet also have a lflow for DHCP (different stages though)
> >
> > _uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
> > logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
> > match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 90
> > table_id            : 1
> > hash                : 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to take care of the DHCP?
>
> Yes, I think it is the right way to do in networking-ovn. Otherwise, we will have to create per-port ACL to allow DHCP. The example you gave above are NOT redundant flows, as you mentioned they are in different stages (for different purposes), and they will end up as ovs flows in different ovs flow tables.
>
> > 2) We have per-port DHCP lflows, is it worth to implement port groups around them too?
>
> For the per-port DHCP flows in port-security stage, they can't be "grouped" because eth.src is in match condition, which is different for each port.
>
> Oh absolutely! For my 1K ports test using 6 security group rules, the number of ACLs went down from 9000 to 197 while the number of lflows went down from 34000 to 22000.
> The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15 seconds.
> That's a 60 ~ 70% improvement.

Sounds great and thanks for sharing! Did we get the benefit of conjuncture with less OVS flows, too? Still neutron ML2 is the bottleneck in the OpenStack case.

>
> Thanks Han! My bad for not realizing, sorry
>
> > Thanks!
> > Daniel