** Changed in: neutron
Status: New => Won't Fix
https://bugs.launchpad.net/bugs/1630832
Title:
[RFE] FWaaS: Using Netlink instead of conntrack-tools to improve
performance
Status in neutron:
Won't Fix
Bug description:
Updating a firewall with a large number of firewall rules needs
improved performance.
When the firewall is updated, the conntrack entries will be deleted by
conntrack-tools ("conntrack -D" commands) for each rule associated with this
firewall. The problem is inside a cloud system with a large number of firewall
rules applied. Updating so many rules will call a large number of subprocesses
to run the "conntrack -D" commands. That will consume system resources
and it will take a long time to finish updating the firewall [1]. The client
example to delete rules is in [2].
By using Netlink, we can call the subprocess only one time [3], so as to
reduce the system resources and time needed to update the firewall [4].
There are some points that need to be discussed:
- The standard Netlink interface for Python. There are 2 sources: [5] and [6]
on GitHub, but I don't know whether these resources are acceptable or not. If there is
no standard one, we may need to write a conntrack library for OpenStack from
scratch.
- The "conntrack -D" command needs *root privilege*. My solution is to use
oslo_privsep instead. [7]
[1] For example: With the developer system (Intel(R) Core(TM) i7-3770 CPU @
3.40GHz and 16GiB memory) and using "conntrack-tools", it takes an average of 429s to
finish removing 10.000 rules.
[2] http://paste.openstack.org/show/584602/
[3] http://paste.openstack.org/show/584603/
[4] For example: With the developer system (Intel(R) Core(TM) i7-3770 CPU @
3.40GHz and 16GiB memory) and using "Netlink", it takes an average of 33s to finish
removing 10.000 rules.
[5] https://github.com/ei-grad/python-conntrack
[6] https://github.com/regit/pynetfilter_conntrack
[7] https://review.openstack.org/#/c/389654/
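An added example, not code from the bug report, its pastes, or neutron: it builds the ctnetlink delete request that "conntrack -D" would issue for one flow and concatenates one request per flow, so a single process can queue all deletions without spawning a subprocess per rule. The constants come from the Linux headers named in the comment; the function names and sample flows are hypothetical.

```python
import socket
import struct

# Constants from linux/netlink.h and linux/netfilter/nfnetlink_conntrack.h
NLM_F_REQUEST, NLM_F_ACK, NLA_F_NESTED = 0x1, 0x4, 0x8000
NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_DELETE = 1, 2
CTA_TUPLE_ORIG, CTA_TUPLE_IP, CTA_TUPLE_PROTO = 1, 1, 2
CTA_IP_V4_SRC, CTA_IP_V4_DST = 1, 2
CTA_PROTO_NUM, CTA_PROTO_SRC_PORT, CTA_PROTO_DST_PORT = 1, 2, 3
# Constructed sample flows: (src, dst, L4 protocol number, sport, dport)
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.10", 6, 40000, 443),
                ("10.0.0.6", "192.0.2.10", 17, 5353, 53)]


def nla(attr_type, payload):
    """Encode one netlink attribute: u16 length, u16 type, payload, pad to 4."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (-length % 4)


def ct_delete_msg(seq, src, dst, proto, sport, dport):
    """Build one IPCTNL_MSG_CT_DELETE request matching an IPv4 original tuple."""
    ip = (nla(CTA_IP_V4_SRC, socket.inet_aton(src))
          + nla(CTA_IP_V4_DST, socket.inet_aton(dst)))
    l4 = (nla(CTA_PROTO_NUM, struct.pack("B", proto))
          + nla(CTA_PROTO_SRC_PORT, struct.pack("!H", sport))   # network order
          + nla(CTA_PROTO_DST_PORT, struct.pack("!H", dport)))
    tuple_orig = nla(CTA_TUPLE_ORIG | NLA_F_NESTED,
                     nla(CTA_TUPLE_IP | NLA_F_NESTED, ip)
                     + nla(CTA_TUPLE_PROTO | NLA_F_NESTED, l4))
    # nfgenmsg: address family, NFNETLINK_V0, res_id
    body = struct.pack("=BBH", socket.AF_INET, 0, 0) + tuple_orig
    msg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE
    header = struct.pack("=IHHII", 16 + len(body), msg_type,
                         NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return header + body


def batch_delete(flows):
    """Concatenate one delete request per flow, numbered from seq 1."""
    return b"".join(ct_delete_msg(i + 1, *f) for i, f in enumerate(flows))


def split_messages(buf):
    """Walk a netlink buffer by nlmsg_len; yield (type, seq, raw) per message."""
    off = 0
    while off < len(buf):
        length, msg_type, _flags, seq, _pid = struct.unpack_from("=IHHII", buf, off)
        yield msg_type, seq, buf[off:off + length]
        off += (length + 3) & ~3
```

Sending the buffer requires CAP_NET_ADMIN on an AF_NETLINK socket of protocol NETLINK_NETFILTER, which is the privileged step the report proposes to run under oslo_privsep.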