yahoo-eng-team team mailing list archive
Message #53667
[Bug 1596976] Re: optimize refresh firewall on ipset member update
*** This bug is a duplicate of bug 1371435 ***
https://bugs.launchpad.net/bugs/1371435
** This bug has been marked a duplicate of bug 1371435: "Remove unnecessary iptables reload when L2 agent enable ipset"
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1596976
Title:
optimize refresh firewall on ipset member update
Status in neutron:
New
Bug description:
Before ipset, a port created explicit firewall rules for the other ports (members of the same security group), i.e.
port's firewall rules without ipset:
-A neutron-openvswi-i92605eaf-b -s 192.168.83.17/32 -j RETURN
-A neutron-openvswi-i92605eaf-b -s 192.168.83.18/32 -j RETURN
-A neutron-openvswi-i92605eaf-b -s 192.168.83.15/32 -j RETURN
with ipset:
-A neutron-openvswi-i92605eaf-b -m set --match-set ${ipset_name} src -j RETURN
With ipset, when a new port comes up on a remote ovs agent, then on the
local ovs agent only the kernel ipset has to be updated and there is no
need to update any firewall rules. When a port on a remote agent is
deleted, it has to be deleted from the local agent's ipset, and the
corresponding connection tracking entries have to be deleted. In both
of the above scenarios, ovs shouldn't update firewall rules.
But the current implementation is trying to update firewall rules (this
results in removing all in-memory firewall rules and creating them
again, but still no iptables rules are updated on the system). This
consumes a lot of the agent's time. We can optimize this by avoiding
updating the in-memory firewall rules in this scenario, and make the
firewall refresh for securitygroup-member-update faster.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1596976/+subscriptions
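The two strategies contrasted in the report, as an added illustration that is not neutron's own code and not part of the original bug report. It models one port chain with per-member rules versus a single ipset-backed rule, and shows why a member update only needs ipset add/del commands plus conntrack deletions for removed members, while the rule text stays identical. The chain name is taken from the report; the ipset name "NIPv4sg1", the PortFirewall class, the command strings it returns and the sample addresses are all constructed for this example.

```python
"""Toy model of the two security-group firewall strategies described in the
bug report: per-member iptables rules vs. one ipset-backed rule.
Illustration only; not neutron's own code.
"""

from dataclasses import dataclass, field


def build_rules(chain, members, ipset_name=None):
    """Return the ingress RETURN rules for one port chain.

    Without an ipset, one rule per remote member address is emitted; with an
    ipset, a single rule matching the set is emitted regardless of membership.
    """
    if ipset_name is None:
        return [f"-A {chain} -s {addr}/32 -j RETURN" for addr in sorted(members)]
    return [f"-A {chain} -m set --match-set {ipset_name} src -j RETURN"]


@dataclass
class PortFirewall:
    chain: str
    ipset_name: str                     # assumed name, e.g. "NIPv4sg1"
    members: set = field(default_factory=set)
    rules: list = field(default_factory=list)
    rule_rebuilds: int = 0              # how often the rule list was regenerated

    def __post_init__(self):
        self.members = set(self.members)
        self.rules = build_rules(self.chain, self.members, self.ipset_name)
        self.rule_rebuilds = 1

    def member_updated(self, new_members):
        """Handle a securitygroup-member-update the optimised way.

        Returns (ipset_cmds, conntrack_deletes). The iptables rule text is
        left untouched because it references the set by name, so no rebuild
        of the in-memory rules is needed.
        """
        new_members = set(new_members)
        added = sorted(new_members - self.members)
        removed = sorted(self.members - new_members)
        # Constructed ipset-restore style lines: only the kernel set changes.
        cmds = [f"add {self.ipset_name} {a}" for a in added]
        cmds += [f"del {self.ipset_name} {a}" for a in removed]
        # Established flows from members that left the group must not keep
        # matching on stale conntrack entries, so delete them by source.
        conntrack = [f"conntrack -D -s {a}" for a in removed]
        self.members = new_members
        return cmds, conntrack

    def member_updated_naive(self, new_members):
        """The behaviour the report complains about: the ipset is updated,
        and then the whole rule list is regenerated even though the result
        is identical. Returns (ipset_cmds, conntrack_deletes, rules_unchanged).
        """
        cmds, conntrack = self.member_updated(new_members)
        old_rules = self.rules
        self.rules = build_rules(self.chain, self.members, self.ipset_name)
        self.rule_rebuilds += 1
        return cmds, conntrack, self.rules == old_rules


if __name__ == "__main__":
    chain = "neutron-openvswi-i92605eaf-b"
    print("\n".join(build_rules(chain, {"192.168.83.17", "192.168.83.18"})))
    fw = PortFirewall(chain, "NIPv4sg1", {"192.168.83.17"})
    print("\n".join(fw.rules))
    print(fw.member_updated({"192.168.83.17", "192.168.83.18"}))
    print(fw.member_updated_naive({"192.168.83.18"}))
```

The `rules_unchanged` flag returned by the naive path is the point of the report: every rebuild produces the same single `--match-set` rule, so the in-memory regeneration is pure overhead, while the conntrack deletions on removal are the only extra work the member-update path genuinely needs.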