Reviewed:  https://review.openstack.org/411699
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=22352f5d4c595e373bb73c8bc590e6d3e621dac0
Submitter: Jenkins
Branch:    master
commit 22352f5d4c595e373bb73c8bc590e6d3e621dac0
Author: Jesse <je...@easystack.cn>
Date:   Fri Dec 16 15:13:13 2016 +0800

    Remove iptables nat and mangle rules for security group

    There is no need to add iptables nat and mangle rules for security group,
    these rules will slow down network performance especially when using
    6wind Virtual Accelerator.

    Change-Id: I1d5748394665535d114e8d942a68d5bd43927058
    Closes-Bug: #1650466

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1650466

Title:
  Remove iptables nat and mangle rules for security group

Status in neutron:
  Fix Released

Bug description:
  It seems there is no need to add iptables nat and mangle rules for
  security group; these rules will slow down network performance,
  especially when using 6wind Virtual Accelerator.

  When we enable security group, the OVSHybridIptablesFirewallDriver or
  IptablesFirewallDriver will set rules in the iptables nat and mangle
  tables. These rules are useless to security group, and these rules
  will consume CPU. When we are using 6wind Virtual Accelerator on
  compute nodes, these rules in the nat and mangle tables will
  dramatically slow down the network performance. So we can remove these
  rules.
  The rules in iptables nat:

  [root@node-4 ~]# iptables -t nat -nvL
  Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
   pkts bytes target     prot opt in     out     source               destination
     42  2520 neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain INPUT (policy ACCEPT 42 packets, 2520 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
   pkts bytes target     prot opt in     out     source               destination
      3   180 neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
   pkts bytes target     prot opt in     out     source               destination
      3   180 neutron-openvswi-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      3   180 neutron-postrouting-bottom  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain neutron-openvswi-OUTPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-POSTROUTING (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-PREROUTING (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-float-snat (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-snat (1 references)
   pkts bytes target     prot opt in     out     source               destination
      3   180 neutron-openvswi-float-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain neutron-postrouting-bottom (1 references)
   pkts bytes target     prot opt in     out     source               destination
      3   180 neutron-openvswi-snat  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Perform source NAT on outgoing traffic. */

  The rules in mangle table:

  [root@node-4 ~]# iptables -t mangle -nvL
  Chain PREROUTING (policy ACCEPT 10485 packets, 1130K bytes)
   pkts bytes target     prot opt in     out     source               destination
  10485 1130K neutron-openvswi-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain INPUT (policy ACCEPT 10473 packets, 1127K bytes)
   pkts bytes target     prot opt in     out     source               destination
  10473 1127K neutron-openvswi-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 neutron-openvswi-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain OUTPUT (policy ACCEPT 11083 packets, 1416K bytes)
   pkts bytes target     prot opt in     out     source               destination
  11083 1416K neutron-openvswi-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain POSTROUTING (policy ACCEPT 11083 packets, 1416K bytes)
   pkts bytes target     prot opt in     out     source               destination
  11083 1416K neutron-openvswi-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain neutron-openvswi-FORWARD (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-INPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-OUTPUT (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-POSTROUTING (1 references)
   pkts bytes target     prot opt in     out     source               destination

  Chain neutron-openvswi-PREROUTING (1 references)
   pkts bytes target     prot opt in     out     source               destination
  10485 1130K neutron-openvswi-mark  all  --  *      *       0.0.0.0/0            0.0.0.0/0

  Chain neutron-openvswi-mark (1 references)
   pkts bytes target     prot opt in     out     source               destination

--
Mailing list: https://launchpad.net/~yahoo-eng-team
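Before deleting chains a firewall driver installed, the check a reviewer wants is evidence that the chains never act on a packet, so that removing them changes traversal cost but not filtering or NAT behaviour. The dumps above make that claim checkable: every rule in the nat and mangle tables is a jump into a neutron chain that is empty or only jumps further. The Python below is an added example written for this page, not neutron code and not part of the fix. It parses `iptables -nvL` output into chains, walks the jump graph, and reports which chains are pure pass-throughs; the nat dump from the report is embedded as sample input (column whitespace collapsed, which the parser does not need), and `CONSTRUCTED_SNAT_DUMP` is a made-up counterexample showing the check rejects a chain that does rewrite traffic.

```python
"""Audit an ``iptables -nvL`` dump for chains that never act on a packet.
Added example for this page, not neutron code: a chain is pass-through when every
rule in it only jumps to another user-defined chain that is itself pass-through."""
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input: the nat table from the bug report, column whitespace collapsed.
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
 pkts bytes target prot opt in out source destination
 42 2520 neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 42 packets, 2520 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target prot opt in out source destination
 3 180 neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target prot opt in out source destination
 3 180 neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
 3 180 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-OUTPUT (1 references)
 pkts bytes target prot opt in out source destination
Chain neutron-openvswi-POSTROUTING (1 references)
 pkts bytes target prot opt in out source destination
Chain neutron-openvswi-PREROUTING (1 references)
 pkts bytes target prot opt in out source destination
Chain neutron-openvswi-float-snat (1 references)
 pkts bytes target prot opt in out source destination
Chain neutron-openvswi-snat (1 references)
 pkts bytes target prot opt in out source destination
 3 180 neutron-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
 pkts bytes target prot opt in out source destination
 3 180 neutron-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */
"""
# Constructed counterexample (not from the report): a chain that really rewrites traffic.
CONSTRUCTED_SNAT_DUMP = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 MASQUERADE all -- * * 10.0.0.0/24 0.0.0.0/0
"""

class Rule(NamedTuple):
    pkts: int
    target: str            # user chain to jump to, or a verdict/action (ACCEPT, SNAT, MARK...)
    destination: str

class Chain(NamedTuple):
    policy: Optional[str]  # default policy of a built-in chain; None for user-defined chains
    rules: List[Rule]

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) |\d+ references)")

def _count(token: str) -> int:
    # iptables -v abbreviates large counters as 1130K, 2M, 3G
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(token[:-1]) * mult[token[-1]] if token[-1] in mult else int(token)

def parse_nvl(dump: str) -> Dict[str, Chain]:
    """Return {chain name: Chain} from the text of ``iptables -nvL``."""
    chains: Dict[str, Chain] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes"):
            continue                              # blank separator or column header
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = Chain(policy=m.group(2), rules=[])
            continue
        if current is None:
            continue                              # stray text before the first chain
        f = line.split()                          # pkts bytes target prot opt in out src dst [matches]
        chains[current].rules.append(Rule(_count(f[0]), f[2], f[8]))
    return chains

def is_passthrough(name: str, chains: Dict[str, Chain], _seen=None) -> bool:
    """True if nothing reachable from `name` can accept, drop or modify a packet.
    Conservative: any target that is not a user chain of this table counts as an action."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return True                               # already verified on this walk
    seen.add(name)
    for rule in chains[name].rules:
        target = chains.get(rule.target)
        if target is None or target.policy is not None:
            return False                          # ACCEPT/DROP/SNAT/MARK/RETURN/... or a built-in
        if not is_passthrough(rule.target, chains, seen):
            return False
    return True

def table_is_noop(chains: Dict[str, Chain]) -> bool:
    """Whole table is inert: every built-in chain defaults to ACCEPT and is pass-through."""
    builtins = {n: c for n, c in chains.items() if c.policy is not None}
    return bool(builtins) and all(
        c.policy == "ACCEPT" and is_passthrough(n, chains) for n, c in builtins.items())

if __name__ == "__main__":
    nat = parse_nvl(NAT_DUMP)
    print("nat table is a no-op:", table_is_noop(nat))   # True for the report's dump
```

Run against a live host with `iptables -t nat -nvL | python3 audit.py` after swapping `NAT_DUMP` for `sys.stdin.read()`. The walk is deliberately conservative: a `RETURN` or any non-jump target is reported as acting on packets, so a false "acts on packets" is possible but a false "pass-through" is not, which is the right direction for a check that gates a rule removal.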