Hi,
> The current ACL implementation is using rules as {ProtocolType, IPsrc, IPdest,
> PortSrc, PortDest}, so I'm limited to playing with just these 5 fields.
>
From experience with real-world OVS deployments using bonded interfaces and
overlay tunnels (e.g. VXLAN) I would say that the vast majority of dpif
megaflows match on packet metadata like in_port, recirc_id, hashes, tunnel
header etc.
Given that, I wonder if an ACL-based cache can be the right tool to accelerate
the megaflow lookup, especially also looking at the ACL reconfiguration times.
What we do see, however, is that there is often a strong correlation between the
ingress port and the subset of masks/subtables that have hits. The entire
megaflow cache typically decomposes nicely into partitions that are hit only by
packets entering from equivalent ports (e.g. traffic from Phy -> VM and VM ->
Phy).
Since megaflows are by nature non-overlapping, the search can stop at the first
match. Keeping a separate list of subtables per ingress port, sorted by
frequency of hits, should reduce the average number of subtable lookups to a
minimum, even if the total number of subtables gets large.
Has such an idea been considered?
/Jan
_______________________________________________
dev mailing list
http://openvswitch.org/mailman/listinfo/dev
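The per-ingress-port subtable list proposed above, as an added Python toy model that is not part of the original thread or of OVS itself: subtables keyed by mask, a probe order per in_port that is re-sorted by hit count, and a single global-order baseline for comparison. Field names, port numbers and the installed megaflows are constructed sample data.

```python
from collections import defaultdict
FULL = 0xFFFFFFFF  # exact-match mask; every megaflow matches in_port exactly


class MegaflowCache:
    def __init__(self):
        self.subtables = {}                  # mask -> {masked key: action}
        self.port_order = defaultdict(list)  # in_port -> [mask, ...], most hit first
        self.hits = defaultdict(int)         # (in_port, mask) -> hit count

    @staticmethod
    def _key(mask, fields):
        # Apply the mask; bits outside it take no part in the lookup.
        return tuple((f, fields.get(f, 0) & m) for f, m in mask)

    def add(self, mask, match, action):
        """Install a megaflow; mask is {field: bitmask} and must cover in_port."""
        mask = tuple(sorted(mask.items()))
        assert dict(mask).get("in_port") == FULL, "megaflows always match in_port"
        self.subtables.setdefault(mask, {})[self._key(mask, match)] = action
        if mask not in self.port_order[match["in_port"]]:
            self.port_order[match["in_port"]].append(mask)

    def lookup(self, pkt):
        """Probe only this in_port's subtables; stop at the first hit (no overlap)."""
        port, order = pkt["in_port"], self.port_order[pkt["in_port"]]
        for probes, mask in enumerate(order, 1):
            action = self.subtables[mask].get(self._key(mask, pkt))
            if action is not None:
                self.hits[(port, mask)] += 1
                order.sort(key=lambda m: self.hits[(port, m)], reverse=True)
                return action, probes
        return None, len(order)  # miss: an upcall would install a new megaflow

    def lookup_global(self, pkt):  # baseline: one global list, insertion order
        for probes, (mask, table) in enumerate(self.subtables.items(), 1):
            action = table.get(self._key(mask, pkt))
            if action is not None:
                return action, probes
        return None, len(self.subtables)


def build_demo():
    """Constructed sample: Phy port 1 and VM port 2 hit disjoint sets of masks."""
    c = MegaflowCache()
    c.add({"in_port": FULL, "tun_id": FULL, "dl_dst": FULL},
          {"in_port": 1, "tun_id": 100, "dl_dst": 0xAA}, "output:2")
    c.add({"in_port": FULL, "dl_dst": FULL}, {"in_port": 1, "dl_dst": 0xBB}, "output:3")
    c.add({"in_port": FULL, "nw_dst": FULL, "tp_dst": FULL},
          {"in_port": 2, "nw_dst": 0x0A000001, "tp_dst": 443}, "output:1")
    c.add({"in_port": FULL, "nw_dst": 0xFFFFFF00}, {"in_port": 2, "nw_dst": 0x0A000000}, "drop")
    return c
```

A VM-side packet hitting the last-installed subtable costs four probes with the global list but two with the per-port list, and one once the hit counts have re-sorted that port's order.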