20.03.2013 05:40, Jesse Gross пишет:
On Mon, Mar 18, 2013 at 8:50 PM, George Shuklin
<george.shuk...@gmail.com> wrote:
Why ovs-vswitchd can't feed kernel with very simple 'kernel flow' 'drop all'
after some smart and exact rules for arp?

Why UDP is parsed so deep?

Is any way to feed kernel module with fast generic rules without passing
every new flow to the userspace?
Directly moving classification logic into the kernel as you describe
is either not very general purpose (i.e. having special logic for
"drop everything except ARP") or not very performant/good design (it
ends up moving much more logic into the fast path).  There is ongoing
work to improve performance in this area but it is a non-trivial
problem.
Yep, I'm digging into openvswitch kernel module. I think I'll change ovs_flow_extract() to change depth on inspection depends on port number.

In my opinion, main problem for OVS is lack of mask in kernel path, so every new packet with different UDP/TCP ports is forwarded to userspace. If only rules can say 'all udp' or 'all traffic for ip_src xxx' it can drastically improve performance for the worst case scenario.

I know that OVS makes hash for key, extracted from packet header, and than search flow table for the match - so no masks of any kind allowed, but, for example, can it be few different algorithms for ovs_flow_extract and some mechanism to set different algorithm for different interfaces.

Right now situation is almost critical, because any server with 10G interface with OVS as softswitch can be shut down from simple attack of microscopic size (about 10-15Mb/s).
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss

Reply via email to