On 8/24/22 08:40, Han Zhou wrote:
> The ls_in_pre_stateful priority 120 flow that saves dst IP and Port to
> registers is causing a critical dataplane performance impact to
> short-lived connections, because it unwildcards megaflows with exact
> match on dst IP and L4 ports. Any new connections with a different
> client side L4 port will encounter datapath flow miss and upcall to
> ovs-vswitchd, which makes typical use cases such as HTTP1.0 based
> RESTful API calls suffer big performance degradations.
>
> These fields (dst IP and port) were saved to registers to solve a
> problem of LB hairpin use case when different VIPs are sharing
> overlapping backend+port [0]. The change [0] might not have as wide
> performance impact as it is now because at that time one of the match
> conditions "REGBIT_CONNTRACK_NAT == 1" was set only for established and
> natted traffic, while now the impact is more obvious because
> REGBIT_CONNTRACK_NAT is now set for all IP traffic (if any VIP
> configured on the LS) since commit [1], after several other indirectly
> related optimizations and refactors.
>
> This patch fixes the problem by modifying the priority-120 flows in
> ls_in_pre_stateful. Instead of blindly saving dst IP and L4 port for any
> traffic with the REGBIT_CONNTRACK_NAT == 1, we now save dst IP and L4
> port only for traffic matching the LB VIPs, because these are the ones
> that need to be saved for the hairpin purpose. The existing priority-110
> flows will match the rest of the traffic just like before but wouldn't
> save dst IP and L4 port, so any server->client traffic would not
> unwildcard megaflows with client side L4 ports.

Hmm, but if higher priority flows have matches on these fields, datapath
flows will have them unwildcarded anyway. So, why exactly that is better
than the current approach?

I see how that can help for the case where vIPs have no ports specified,
because we will not have ports unwildcarded in this case, but I thought
it's a very unlikely scenario for, e.g., ovn-kubernetes setups. And if
even one vIP will have a port, all the datapath flows will have a port
match. Or am I missing something?

Best regards, Ilya Maximets.
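
Added example, not part of the original thread or of OVN/OVS code: a simplified model of the unwildcarding rule discussed above, in which a lookup unwildcards every field examined by flows at or above the matching priority. The `Flow` type, field names, addresses and ports are constructed for illustration; this is not the ovs-vswitchd classifier and models nothing beyond this rule.

```python
# Simplified model (an assumption, not ovs-vswitchd code): a lookup walks the
# flows in priority order and unwildcards every field it had to examine, plus
# any field the matching flow's actions read.
from typing import NamedTuple

class Flow(NamedTuple):
    priority: int
    match: dict    # field -> required value
    reads: tuple   # fields the actions copy into registers

def megaflow_key(table, pkt):
    """Return the (field, value) pairs the installed datapath flow matches on."""
    examined = set()
    for flow in sorted(table, key=lambda f: -f.priority):
        examined.update(flow.match)
        if all(pkt[k] == v for k, v in flow.match.items()):
            examined.update(flow.reads)
            break
    return frozenset((f, pkt[f]) for f in examined)

def count_megaflows(table, packets):
    """Distinct datapath flows, i.e. how many packets caused an upcall."""
    return len({megaflow_key(table, p) for p in packets})

VIP = "10.0.0.100"                      # constructed VIP address
CATCH_ALL = Flow(110, {"nat": 1}, ())   # "nat" stands for REGBIT_CONNTRACK_NAT

# Before the patch: priority 120 saves dst IP and L4 port for all NAT-marked traffic.
OLD = [Flow(120, {"nat": 1}, ("ip_dst", "tp_dst")), CATCH_ALL]
# After the patch, VIP configured with a port.
NEW_VIP_WITH_PORT = [Flow(120, {"nat": 1, "ip_dst": VIP, "tp_dst": 80},
                          ("ip_dst", "tp_dst")), CATCH_ALL]
# After the patch, VIP configured without a port.
NEW_VIP_NO_PORT = [Flow(120, {"nat": 1, "ip_dst": VIP}, ("ip_dst",)), CATCH_ALL]

# Constructed server->client replies: one client, 100 ephemeral ports.
REPLIES = [{"nat": 1, "ip_dst": "192.0.2.10", "tp_dst": 40000 + i} for i in range(100)]

if __name__ == "__main__":
    for name, table in [("old", OLD), ("new, VIP with port", NEW_VIP_WITH_PORT),
                        ("new, VIP without port", NEW_VIP_NO_PORT)]:
        print(f"{name}: {count_megaflows(table, REPLIES)} datapath flows")
```

Under this model the reply traffic still produces one datapath flow per client port when any VIP flow matches on a port, and collapses to a single flow only when the VIP flows match on IP alone.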
