Public bug reported: Updating a firewall with a large number of firewall rules needs improved performance.
When the firewall is updated, the conntrack entries are deleted by conntrack-tools ("conntrack -D" commands) for each rule associated with this firewall. The problem is inside a cloud system with a large number of firewall rules applied. Updating so many rules leads to calling a large number of subprocesses to run the "conntrack -D" commands. That consumes system resources, and it takes a long time to finish updating the firewall [1]. By using Netlink, we can call the subprocess only once [6], reducing the system resources and time needed to update the firewall.

There are some critical points that need to be discussed:
- The standard Netlink interface for Python. There are 2 sources, [3] and [4] on GitHub, but I don't know whether these resources are acceptable or not.
- The "conntrack -D" command needs *root privilege*. My solution is to make the Python module which deletes conntrack entries into a Linux command (calling "python pythonmodule.py") and wrap it with rootwrap [5].

[1] On a system with an Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz and 16GiB memory, it takes 429s to finish removing 10,000 rules. The client is in [2].
[2] http://paste.openstack.org/show/584602/
[3] https://github.com/ei-grad/python-conntrack
[4] https://github.com/regit/pynetfilter_conntrack
[5] https://ask.openstack.org/en/question/60893/rootwrap-python-write-to-root-only-owned-file/
[6] http://paste.openstack.org/show/584603/

** Affects: neutron
   Importance: Undecided
   Status: New

** Tags: fwaas needs-attention rfe

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1630832

Title: [RFE] FWaaS: Using Netlink instead of conntrack-tools to improve performance
Status in neutron: New
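The single-socket approach the report proposes, as an added example that is not from the report, from neutron or from either GitHub binding it cites: it encodes ctnetlink IPCTNL_MSG_CT_DELETE requests by hand and sends one per flow over one netlink socket instead of forking "conntrack -D" per rule. It assumes the caller already knows the flows to delete as full IPv4 5-tuples (what the kernel deletes directly) and an optional conntrack zone; the constants are the ones from the kernel's nfnetlink headers, and delete_flows() is the only part that needs CAP_NET_ADMIN.

```python
import socket
import struct

# Constants from <linux/netfilter/nfnetlink.h> and <linux/netfilter/nfnetlink_conntrack.h>.
NETLINK_NETFILTER, NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_DELETE, NFNETLINK_V0 = 12, 1, 2, 0
NLM_F_REQUEST, NLM_F_ACK, NLMSG_ERROR, NLA_F_NESTED = 0x1, 0x4, 0x2, 0x8000
CTA_TUPLE_ORIG, CTA_ZONE, CTA_TUPLE_IP, CTA_TUPLE_PROTO = 1, 18, 1, 2
CTA_IP_V4_SRC, CTA_IP_V4_DST = 1, 2
CTA_PROTO_NUM, CTA_PROTO_SRC_PORT, CTA_PROTO_DST_PORT = 1, 2, 3


def nla(attr_type, payload):
    """One netlink attribute: native u16 length (header included), u16 type, 4-byte padded."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (-length % 4)


def nlmsg_header(buf):
    """Decode struct nlmsghdr into (len, type, flags, seq, pid)."""
    return struct.unpack("=IHHII", buf[:16])


def ct_delete_msg(src, dst, proto, sport, dport, seq, zone=None):
    """Encode one IPCTNL_MSG_CT_DELETE request for an IPv4 flow (original-direction tuple)."""
    ip = nla(CTA_IP_V4_SRC, socket.inet_aton(src)) + nla(CTA_IP_V4_DST, socket.inet_aton(dst))
    l4 = (nla(CTA_PROTO_NUM, struct.pack("B", proto))
          + nla(CTA_PROTO_SRC_PORT, struct.pack("!H", sport))
          + nla(CTA_PROTO_DST_PORT, struct.pack("!H", dport)))
    body = nla(CTA_TUPLE_ORIG | NLA_F_NESTED,
               nla(CTA_TUPLE_IP | NLA_F_NESTED, ip) + nla(CTA_TUPLE_PROTO | NLA_F_NESTED, l4))
    if zone is not None:  # optional conntrack zone, big-endian u16 (assumed per-port zone)
        body += nla(CTA_ZONE, struct.pack("!H", zone))
    payload = struct.pack("=BBH", socket.AF_INET, NFNETLINK_V0, 0) + body  # struct nfgenmsg
    msg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE
    hdr = struct.pack("=IHHII", 16 + len(payload), msg_type, NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def delete_flows(flows, zone=None):
    """Delete (src, dst, proto, sport, dport) flows over ONE socket; returns errno per flow.

    Needs CAP_NET_ADMIN, so this is the part to run under rootwrap. 0 = deleted,
    ENOENT = no matching entry; no subprocess is forked for any rule.
    """
    results = []
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER) as sock:
        sock.bind((0, 0))
        for seq, flow in enumerate(flows, start=1):
            sock.send(ct_delete_msg(*flow, seq=seq, zone=zone))
            resp = sock.recv(65536)  # NLM_F_ACK: kernel answers with an NLMSG_ERROR record
            ntype = nlmsg_header(resp)[1]
            err = struct.unpack("=i", resp[16:20])[0] if ntype == NLMSG_ERROR else 0
            results.append(-err)
    return results
```

The encoder is testable without privileges; only delete_flows() talks to the kernel, which is why the rootwrap boundary can be drawn around that one function.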