[openstack-dev] [neutron] OpenFlow security groups (pre-benchmarking plan)

Brian Haley brian.haley at hp.com
Wed Feb 25 15:20:57 UTC 2015


On 02/25/2015 08:52 AM, Miguel Ángel Ajo wrote:
> I’m writing a plan/script to benchmark OVS+OF(CT) vs OVS+LB+iptables+ipsets,
> so we can make sure there’s a real difference before jumping into any
> OpenFlow security group filters when we have connection tracking in OVS.
> 
> The plan is to keep all of it in a single multicore host, and make all the measures
> within it, to make sure we just measure the difference due to the software layers.
> 
> Suggestions or ideas on what to measure are welcome, there’s an initial draft here:
> 
> https://github.com/mangelajo/ovs-experiments/tree/master/ovs-ct

Thanks for writing this up, Miguel.

I realize this is more focused on performance (how fast the packets flow), but
one of the orthogonal issues to Security Groups in general is the time it takes
for Neutron to apply or update them, for example, iptables_manager.apply().  I
would like to make sure that time doesn't grow any larger than it is today.
This can probably all be scraped from log files, so wouldn't require any special
work, except for testing with a large SG set.

Thanks,

-Brian