<p dir="ltr">This sounds like a good idea to handle some of the performance issues until the ovs firewall can be implemented down the the line. <br>
Do you have any performance comparisons? </p>
<div class="gmail_quote">On Jun 18, 2014 7:46 PM, "shihanzhang" <<a href="mailto:ayshihanzhang@126.com">ayshihanzhang@126.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div><span style="font-family:tahoma,sans-serif;line-height:21.203636169433594px">Hello all,</span></div><div><span style="font-family:tahoma,sans-serif;line-height:21.203636169433594px"><br>
</span></div><div><span style="font-family:tahoma,sans-serif;line-height:21.203636169433594px">Now in neutron, it use iptable </span><font face="tahoma, sans-serif"><span style="line-height:21.203636169433594px">implementing security group, but the performance of this  implementation is very poor, there is a bug:</span><a href="https://bugs.launchpad.net/neutron/+bug/1302272" style="line-height:21.203636169433594px" target="_blank">https://bugs.launchpad.net/neutron/+bug/1302272</a><span style="line-height:21.203636169433594px"> to reflect this problem. In his test, w</span><span style="line-height:21.203636169433594px">ith default security groups(which has remote security group), beyond 250-300 VMs, there were around 6k Iptable rules on evry compute node, although his patch can reduce the processing time, but it don't solve this problem fundamentally. I have commit a BP to </span></font><span style="font-family:tahoma,sans-serif;line-height:21.203636169433594px;font-size:14px">solve this problem:</span><font face="tahoma, sans-serif"><span style="line-height:21.203636169433594px"><a href="https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security," target="_blank">https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security</a> </span></font></div>
<div><font face="tahoma, sans-serif"><span style="line-height:21.203636169433594px">There are other people interested in this it?</span></font></div></div><br><br><span title="neteasefooter"><span></span></span><br>_______________________________________________<br>

OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div>