[openstack-dev] [neutron]Performance of security group
henry4hly at gmail.com
Thu Jun 19 06:25:34 UTC 2014
We have done some tests, but got a different result: the performance is
nearly the same for empty and 5k rules in iptables, but there is a huge gap between
enabling/disabling the iptables hook on the Linux bridge.
On Thu, Jun 19, 2014 at 11:21 AM, shihanzhang <ayshihanzhang at 126.com> wrote:
> Now I have not got accurate test data, but I can confirm the following:
> 1. In a compute node, the iptables chain of a VM is linear; iptables filters
> it one by one, if a VM is in the default security group and this default security
> group has many members. But an ipset chain is a set; the time for ipset to filter one
> and many members does not differ much.
> 2. When the iptables rule set is very large, the probability that iptables-save
> fails to save the iptables rules is very large.
> At 2014-06-19 10:55:56, "Kevin Benton" <blak111 at gmail.com> wrote:
> This sounds like a good idea to handle some of the performance issues
> until the OVS firewall can be implemented down the line.
> Do you have any performance comparisons?
> On Jun 18, 2014 7:46 PM, "shihanzhang" <ayshihanzhang at 126.com> wrote:
>> Hello all,
>> Now in neutron, it uses iptables to implement security groups, but the
>> performance of this implementation is very poor; there is a bug:
>> https://bugs.launchpad.net/neutron/+bug/1302272 that reflects this problem.
>> In his test, with default security groups (which have a remote security
>> group), beyond 250-300 VMs there were around 6k iptables rules on every
>> compute node; although his patch can reduce the processing time, it
>> doesn't solve this problem fundamentally. I have committed a BP to solve this.
>> Are there other people interested in this?
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
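Added example (not code from this thread or from neutron itself): a small Python model of the two approaches discussed above, showing why a remote security group expands into one rule per member on every local port chain, and how an ipset match keeps the iptables rule count per port constant. The chain prefix, set name, port ids and addresses are constructed for illustration.

```python
from ipaddress import IPv4Address

# Hypothetical per-port ingress chain prefix, loosely modelled on neutron's
# naming; the real chain names are not taken from this thread.
CHAIN_PREFIX = "neutron-sg-i"

def member_ips(count, base="10.0.0.1"):
    """Constructed addresses for the members of a security group."""
    start = IPv4Address(base)
    return [str(start + i) for i in range(count)]

def per_member_rules(local_ports, members):
    """One RETURN rule per (local port, remote member).

    This is the expansion the thread describes: each port chain is walked
    linearly, so rule count and lookup cost grow with the remote group.
    """
    rules = []
    for port in local_ports:
        for ip in members:
            rules.append(f"-A {CHAIN_PREFIX}{port} -s {ip}/32 -j RETURN")
    return rules

def ipset_rules(local_ports, members, set_name="sg-members-v4"):
    """One set-match rule per port; membership lives in a hash:ip ipset.

    Returns (ipset commands, iptables rules). A member joining later is one
    'add' to the set, not a new rule in every port chain.
    """
    ipset_cmds = [f"create {set_name} hash:ip"]
    ipset_cmds += [f"add {set_name} {ip}" for ip in members]
    rules = [f"-A {CHAIN_PREFIX}{port} -m set --match-set {set_name} src -j RETURN"
             for port in local_ports]
    return ipset_cmds, rules

def compare(vms_in_group, vms_on_node):
    """Rule counts a compute node carries under both approaches."""
    members = member_ips(vms_in_group)
    ports = [f"port{i:03d}" for i in range(vms_on_node)]
    linear = per_member_rules(ports, members)
    ipset_cmds, set_rules = ipset_rules(ports, members)
    return {
        "per_member_iptables_rules": len(linear),
        "ipset_iptables_rules": len(set_rules),
        "ipset_entries": len(ipset_cmds) - 1,
    }

if __name__ == "__main__":
    # 300 VMs in the default group, 20 of them on this node: ~6k rules
    print(compare(300, 20))
```

With 300 group members and 20 local ports the per-member expansion reaches the ~6k rules mentioned in the bug, while the ipset variant needs 20 iptables rules plus 300 set entries, and a later member change touches the set rather than the whole ruleset that iptables-save/restore has to rewrite.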