On 9/7/20 2:55 PM, Numan Siddique wrote:
>
>
> On Wed, Sep 2, 2020 at 8:36 PM Dumitru Ceara <[email protected]
> <mailto:[email protected]>> wrote:
>
>     A new table is added to OVN_Northbound: Stateless_Filter. Users can
>     populate this table with records consisting of <priority, match>. These
>     records generate logical flows in the PRE_ACL stages of the logical
>     switch pipeline.
>
>     Packets matching these flows will completely bypass connection tracking
>     for ACL purposes. In specific scenarios CMSs can predetermine which
>     traffic must be firewalled statefully or not, e.g., UDP vs TCP. However,
>     until now, if at least one stateful ACL (allow-related) is configured
>     on the switch, all traffic gets sent to connection tracking.
>     This induces a hit in performance when forwarding packets that don't
>     need stateful processing.
>
>     New command line arguments are added to ovn-nbctl (stateless-filter-*)
>     to allow the users to interact with the Stateless_Filter table.
>
>     Signed-off-by: Dumitru Ceara <[email protected]
>     <mailto:[email protected]>>
>
>
> Hi Dumitru,
>

Hi Numan,

> Unfortunately due to the bug reported here [1] and the patch to fix the
> issue [2], your patch 2 in this
> series will not have any benefit if a logical switch has a load balancer
> configured.
>
> CMS can still use the feature of this patch if there are no load
> balancers configured on a logical switch.
>

Yes, this does make Stateless_Filters more complicated to use.

> I'm fine if you still want to pursue this patch for the use case I
> mentioned. What do you think?
>

I'll give it more thought. I think it might be risky to allow
stateless_filters in any case because it will be hard to enforce that
traffic that matches a stateless_filter is not traffic that is part of a
load balanced session, which might lead to hard-to-debug misconfigurations
with symptoms similar to what your fix is trying to address.

However, I think patch 1/2 of this series could still be reviewed and
applied independently.

> [1] - https://bugzilla.redhat.com/show_bug.cgi?id=1870359
> [2] -
> https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/
>
> Thanks
> Numan
>

Thanks,
Dumitru
