yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1628819] Re: OVS firewall can generate too many flows

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1628819@xxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Apr 2017 18:00:44 -0000
Reply-to: Bug 1628819 <1628819@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/333804
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=192bc5f1a8781111b6b0c2211f4421fafacb27c7
Submitter: Jenkins
Branch:    master

commit 192bc5f1a8781111b6b0c2211f4421fafacb27c7
Author: IWAMOTO Toshihiro <iwamoto@xxxxxxxxxxxxx>
Date:   Fri Jun 24 17:20:36 2016 +0900

    Use conjunction for security group rules with remote_group_id
    
    Prior to this commit, the number of flows can be prohibitively large
    in some cases.
    
    Closes-bug: #1628819
    Change-Id: I194e7f40db840d29af317ddc2e342a1409000151


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1628819

Title:
  OVS firewall can generate too many flows

Status in neutron:
  Fix Released

Bug description:
  The firewall code generate O(n^2) flows when a security group rule uses a remote_group_id.
  See OVSFirewallDriver.create_rules_generator.

  This can be problematic when a large number of addresses are in a
  security group.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1628819/+subscriptions

References

[Bug 1628819] [NEW] OVS firewall can generate too many flows
From: IWAMOTO Toshihiro, 2016-09-29