<div dir="ltr">We have done some tests, but got a different result: the performance is nearly the same for empty and 5k rules in iptables, but there is a huge gap between enabling and disabling the iptables hook on the Linux bridge.</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Jun 19, 2014 at 11:21 AM, shihanzhang <span dir="ltr"><<a href="mailto:ayshihanzhang@126.com" target="_blank">ayshihanzhang@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Now I have not got accurate test data, but I can confirm the following points:</div><div>1. On a compute node, the iptables chain of a VM is linear; iptables filters it rule by rule. If a VM is in the default security group and this default security group has many members, whereas when an ipset chain is set, the time for ipset to filter one member or many members is not much different.</div>
<div>2. When the iptables rule set is very large, the probability that iptables-save fails to save the iptables rules is very high.</div>
<div><div class="h5"><br>At 2014-06-19 10:55:56, "Kevin Benton" <<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>> wrote:<br><blockquote style="PADDING-LEFT:1ex;MARGIN:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid">
<p dir="ltr">This sounds like a good idea to handle some of the performance issues until the OVS firewall can be implemented down the line.<br>
Do you have any performance comparisons?</p>
<div class="gmail_quote">On Jun 18, 2014 7:46 PM, "shihanzhang" <<a href="mailto:ayshihanzhang@126.com" target="_blank">ayshihanzhang@126.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>Hello all,</div><div><br>
</div><div>Now in Neutron, security groups are implemented with iptables, but the performance of this implementation is very poor. There is a bug, <a href="https://bugs.launchpad.net/neutron/+bug/1302272" target="_blank">https://bugs.launchpad.net/neutron/+bug/1302272</a>, that reflects this problem. In his test, with default security groups (which have a remote security group), beyond 250-300 VMs there were around 6k iptables rules on every compute node. Although his patch can reduce the processing time, it doesn't solve this problem fundamentally. I have submitted a BP to solve this problem: <a href="https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security" target="_blank">https://blueprints.launchpad.net/neutron/+spec/add-ipset-to-security</a></div>
<div>Are there other people interested in this?</div></div><br><br>_______________________________________________<br>


OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div>
</blockquote></div></div></div>
<br></blockquote></div><br></div>
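<p>As an added illustration of the point made in the thread above (the per-port iptables chain grows with one rule per remote-group member, while an ipset match keeps the chain short), here is a small Python model that renders both rule styles and counts the rules a compute node would carry. This is example code written for this page, not Neutron's implementation or the code behind the blueprint; the chain name, the set name, the protocol list and the member addresses are constructed assumptions, and it counts rules rather than measuring packet-filtering time.</p>

```python
"""Rule-count model: per-member iptables rules versus one ipset match.

Added example, not Neutron's own code.  Chain/set names and addresses
are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecurityGroup:
    """A group whose rules allow traffic from its own members (remote group
    is the group itself), which is the shape the default group has."""
    sg_id: str
    members: List[str]                                   # member fixed IPs
    protocols: List[str] = field(default_factory=lambda: ["tcp", "udp", "icmp"])


def sample_group(n_members: int) -> SecurityGroup:
    """Constructed sample data: n_members VMs taken from 10.0.0.0/16 (assumption)."""
    net = ipaddress.ip_network("10.0.0.0/16")
    hosts = [str(h) for h, _ in zip(net.hosts(), range(n_members))]
    return SecurityGroup("sg-default", hosts)


def iptables_port_chain(chain: str, sg: SecurityGroup) -> List[str]:
    """Linear expansion: one rule per (protocol, member IP) in a VM port's
    ingress chain.  iptables walks these top to bottom, so both the rule
    count and the per-packet work grow with the number of members."""
    return [
        f"-A {chain} -s {ip}/32 -p {proto} -j RETURN"
        for proto in sg.protocols
        for ip in sg.members
    ]


def ipset_port_chain(chain: str, sg: SecurityGroup, set_name: str) -> List[str]:
    """ipset variant: one rule per protocol.  Membership becomes a hash
    lookup in the set, so chain length no longer depends on member count."""
    return [
        f"-A {chain} -m set --match-set {set_name} src -p {proto} -j RETURN"
        for proto in sg.protocols
    ]


def ipset_definition(set_name: str, sg: SecurityGroup) -> List[str]:
    """ipset-restore style definition, created once and shared by every
    port chain on the node that references the group."""
    return [f"create {set_name} hash:ip family inet"] + [
        f"add {set_name} {ip}" for ip in sg.members
    ]


def rules_on_node(n_ports: int, sg: SecurityGroup, use_ipset: bool) -> int:
    """Filter rules a compute node carries for n_ports VM ports in sg
    (ingress direction only, member rules only)."""
    chain = "sg-chain-i-PORT"        # placeholder for a per-port chain name
    if use_ipset:
        return n_ports * len(ipset_port_chain(chain, sg, "NIPv4sg-default"))
    return n_ports * len(iptables_port_chain(chain, sg))


if __name__ == "__main__":
    big = sample_group(300)
    print("ports_on_node  iptables_rules  ipset_rules  (+ set entries)")
    for n_ports in (1, 10, 20, 40):
        print(f"{n_ports:>13}  {rules_on_node(n_ports, big, False):>14}  "
              f"{rules_on_node(n_ports, big, True):>11}  (+{len(big.members)})")

    small = sample_group(3)
    print("\n# per-member rules for one port:")
    print("\n".join(iptables_port_chain("sg-chain-i-PORT", small)))
    print("\n# ipset equivalent for the same port:")
    print("\n".join(ipset_definition("NIPv4sg-default", small)))
    print("\n".join(ipset_port_chain("sg-chain-i-PORT", small, "NIPv4sg-default")))
```

The table the script prints is the multiplication behind the "6k rules per compute node" figure from the bug report: rules scale with ports on the node times members in the group times protocol rules, while the ipset form scales with ports times protocol rules and keeps the member list in a single set. It says nothing about the cost of the bridge netfilter hook itself, which the top of the thread reports as the larger factor in that test.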