yahoo-eng-team team mailing list archive
Message #60209
[Bug 1650466] Re: Remove iptables nat and mangle rules for security group
Reviewed: https://review.openstack.org/411699
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=22352f5d4c595e373bb73c8bc590e6d3e621dac0
Submitter: Jenkins
Branch: master
commit 22352f5d4c595e373bb73c8bc590e6d3e621dac0
Author: Jesse <jesse@xxxxxxxxxxxx>
Date: Fri Dec 16 15:13:13 2016 +0800
Remove iptables nat and mangle rules for security group
There is no need to add iptables nat and mangle rules for security
group; these rules will slow down network performance, especially
when using 6wind Virtual Accelerator.
Change-Id: I1d5748394665535d114e8d942a68d5bd43927058
Closes-Bug: #1650466
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1650466
Title:
Remove iptables nat and mangle rules for security group
Status in neutron:
Fix Released
Bug description:
It seems there is no need to add iptables nat and mangle rules for
security group; these rules will slow down network performance,
especially when using 6wind Virtual Accelerator.
When we enable security group, the OVSHybridIptablesFirewallDriver or
IptablesFirewallDriver will set rules in the iptables nat and mangle tables.
These rules are useless to security group, and these rules will consume CPU.
When we are using 6wind Virtual Accelerator on compute nodes, these rules in the nat and mangle tables will dramatically slow down the network performance.
So we can remove these rules.
The rules in iptables nat:
[root@node-4 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
pkts bytes target prot opt in out source destination
42 2520 neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 42 packets, 2520 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
3 180 neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
3 180 neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
3 180 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-float-snat (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-snat (1 references)
pkts bytes target prot opt in out source destination
3 180 neutron-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
pkts bytes target prot opt in out source destination
3 180 neutron-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */
The rules in mangle table:
[root@node-4 ~]# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 10485 packets, 1130K bytes)
pkts bytes target prot opt in out source destination
10485 1130K neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 10473 packets, 1127K bytes)
pkts bytes target prot opt in out source destination
10473 1127K neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11083 packets, 1416K bytes)
pkts bytes target prot opt in out source destination
11083 1416K neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 11083 packets, 1416K bytes)
pkts bytes target prot opt in out source destination
11083 1416K neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-FORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-INPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain neutron-openvswi-PREROUTING (1 references)
pkts bytes target prot opt in out source destination
10485 1130K neutron-openvswi-mark all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-mark (1 references)
pkts bytes target prot opt in out source destination
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1650466/+subscriptions
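As an added example, not code from the bug report or from neutron: the script below parses `iptables -t <table> -nvL` output in the format pasted above and reports, for each hook chain, the jumps into neutron-openvswi-* chains that end without any effective rule. Run against the nat and mangle dumps from this report (embedded below as the sample input, with the column-header lines dropped), it shows every hook jump in both tables landing in an empty chain, which is the per-packet cost the reporter describes. The names `parse_table`, `is_dead`, `dead_jumps`, `audit` and `_PROTOS` are this example's own, and the expected post-fix result (no neutron-openvswi-* chains left in nat or mangle on a compute node that runs only the OVS agent) is an assumption drawn from the commit title, not something verified against the commit.

```python
# Added example (not neutron code): parse `iptables -t <table> -nvL` output and
# find jumps into chains with no effective rule, i.e. the per-packet chain
# traversals the security group driver installed for nothing on this node.
import re
from dataclasses import dataclass, field

_CHAIN_HDR = re.compile(r"^Chain (\S+) \((.*)\)$")
# Protocol names found in the target column when a rule has no target at all.
_PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp", "mh"}


@dataclass
class Chain:
    name: str
    builtin: bool            # hook chains show "(policy ...)", user chains "(N references)"
    targets: list = field(default_factory=list)  # one entry per rule; None if match-only


def parse_table(text):
    """Parse one table's dump into {name: Chain}, keeping dump order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CHAIN_HDR.match(line)
        if m:
            current = Chain(m.group(1), builtin=m.group(2).startswith("policy"))
            chains[current.name] = current
        elif line and not line.startswith("pkts") and current is not None:
            f = line.split()  # pkts bytes [target] prot opt in out src dst [extra...]
            current.targets.append(None if f[2] in _PROTOS or f[2].isdigit() else f[2])
    return chains


def is_dead(chains, name, seen=frozenset()):
    """Dead: no rules at all, or every rule is a jump into another dead chain."""
    if name in seen:
        return True  # loop guard (iptables refuses real loops; purely defensive)
    for t in chains[name].targets:
        # Match-only rules, verdicts (ACCEPT/DROP/RETURN) and extension targets
        # (SNAT, MARK, ...) are not chain names here, so they count as effective.
        if t not in chains or not is_dead(chains, t, seen | {name}):
            return False
    return True


def dead_jumps(chains):
    """Every (chain, target) jump whose target chain is dead."""
    return [(c.name, t) for c in chains.values() for t in c.targets
            if t in chains and is_dead(chains, t)]


def audit(table_text, prefix="neutron-openvswi-"):
    """Hook-chain jumps into `prefix` chains that every packet takes, and which
    of them (plus any deeper jumps) lead nowhere."""
    chains = parse_table(table_text)
    hooks = [(c.name, t) for c in chains.values() if c.builtin
             for t in c.targets if t and t.startswith(prefix)]
    dead = dead_jumps(chains)
    return {"chains": sorted(n for n in chains if n.startswith(prefix)),
            "hook_jumps": hooks, "dead_jumps": dead,
            "wasted_hook_jumps": [j for j in hooks if j in dead]}


# Sample input: the nat and mangle dumps pasted in the bug report, with the
# column-header lines dropped (the parser skips them anyway).
NAT_FROM_REPORT = """
Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
42 2520 neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 42 packets, 2520 bytes)
Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
3 180 neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
3 180 neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
3 180 neutron-postrouting-bottom all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-OUTPUT (1 references)
Chain neutron-openvswi-POSTROUTING (1 references)
Chain neutron-openvswi-PREROUTING (1 references)
Chain neutron-openvswi-float-snat (1 references)
Chain neutron-openvswi-snat (1 references)
3 180 neutron-openvswi-float-snat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-postrouting-bottom (1 references)
3 180 neutron-openvswi-snat all -- * * 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */
"""

MANGLE_FROM_REPORT = """
Chain PREROUTING (policy ACCEPT 10485 packets, 1130K bytes)
10485 1130K neutron-openvswi-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 10473 packets, 1127K bytes)
10473 1127K neutron-openvswi-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
0 0 neutron-openvswi-FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11083 packets, 1416K bytes)
11083 1416K neutron-openvswi-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 11083 packets, 1416K bytes)
11083 1416K neutron-openvswi-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-FORWARD (1 references)
Chain neutron-openvswi-INPUT (1 references)
Chain neutron-openvswi-OUTPUT (1 references)
Chain neutron-openvswi-POSTROUTING (1 references)
Chain neutron-openvswi-PREROUTING (1 references)
10485 1130K neutron-openvswi-mark all -- * * 0.0.0.0/0 0.0.0.0/0
Chain neutron-openvswi-mark (1 references)
"""

if __name__ == "__main__":
    for table, dump in (("nat", NAT_FROM_REPORT), ("mangle", MANGLE_FROM_REPORT)):
        print(table, audit(dump))
```

On the report's dumps every hook jump in nat and mangle is wasted: the mangle table even jumps twice (PREROUTING into neutron-openvswi-PREROUTING into neutron-openvswi-mark) before reaching an empty chain. The same audit run on `iptables -t filter -nvL` should report the driver's chains there as live, since the filter table is where security group rules are actually enforced; a node whose filter chains also came back dead would have a far more serious problem than the one reported here. Two caveats: the result is per node, so on a host that also runs the L3 agent the nat table legitimately carries NAT rules under that agent's own chain prefix and the `prefix` argument must be chosen accordingly, and a rule without a target column (a match-only counter rule) is deliberately treated as effective, so the audit under-reports rather than over-reports dead chains.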