Commit Graph

3 Commits (6c9a282bcd36d744d1ad753afd8e7a219b1189c4)

Author SHA1 Message Date
Kevin Benton c76164c058 Move conntrack zones to IPTablesFirewall
The regular IPTablesFirewall needs zones to support safely
clearing conntrack entries.

In order to support the single bridge use case, the conntrack
manager had to be refactored slightly to allow zones to be
either unique to ports or unique to networks.

Since all ports in a network share a bridge in the IPTablesDriver
use case, a zone per port cannot be used since there is no way
to distinguish which zone traffic should be checked against when
traffic enters the bridge from outside the system.

A zone per network is adequate for the single bridge per network
solution since it implicitly does not suffer from the double-bridge
cross in a single network that led to per port usage in OVS.[1]

This had to adjust the functional firewall tests to use the correct
bridge name now that it's relevant in the non-hybrid IPTables case.

1. Ibe9e49653b2a280ea72cb95c2da64cd94c7739da

Closes-Bug: #1668958
Closes-Bug: #1657260
Change-Id: Ie88237d3fe4807b712a7ec61eb932748c38952cc
6 years ago
Chandan Dutta Chowdhury 468b2f1b8b IP Conntrack Manager changes for FWaaS v2
IpConntrackManager class should be a singleton
to be used by both SG and FWaaS v2 API at the same time

Change-Id: I4a9f3d9b3ac7afe989c0efb1fa4e7fd792cd9610
Closes-Bug: 1595515
7 years ago
Kevin Benton d7aeb8dd4b De-dup conntrack deletions before running them
During a lot of port deletions, the OVS agent will
build up a lot of remote security group member updates
for a single device. Once the call to delete all
of the removed remote IP conntrack state gets issued,
there will be many duplicated entries for the same
device in the devices_with_updated_sg_members dictionary
of lists.

This results in many duplicated calls to remove conntrack
entries that are just a waste of time. The longer it takes
to remove conntrack entries, the more of these duplicates
build up for other pending changes, to the point where there
can be hundreds of duplicate calls for a single device.

This just adjusts the conntrack manager clearing logic to
make sure it de-duplicates all of its delete commands before
it issues them.

In a local test on a single host I have 11 threads create
11 ports each, plug them into OVS, and then delete them.
Here is the number of conntrack delete calls issued:

Before this patch - ~232000
With this patch - ~5200

While the remaining number still seems high, the agent is now
fast enough to keep up with all of the deletes.

Closes-Bug: #1513765
Change-Id: Icba88ab47ee17bf5d6ccdfc0f78bec911987ca90
7 years ago