[ovs-dev] can userspace conntrack support IP fragment?
Aaron Conole
aconole at redhat.com
Mon Nov 16 14:57:51 UTC 2020
"Yi Yang (杨燚)-云服务集团" <yangyi01 at inspur.com> writes:
> Hi, folks
>
>
>
> I used latest ovs master in OpenStack, when I enabled security group and port security (note: OpenStack is
> using ovs openflow to implement security group), TCP performance is about several Mbps, big UDP packet (i.e.
> 8192) can’t work, but after I disabled security group and port security, everything is ok, I doubt userspace
> conntrack can’t support IP fragment (or recent changes introduced bugs),
> https://bugzilla.redhat.com/show_bug.cgi?id=1639173 said it can’t handle big ICMP packet, anybody can
> help clarify what limitations of userspace conntrack are? Is there any existing document to warn users about
> them? Thank you in advance.

What were your frag settings? For example, try:

    ovs-appctl dpctl/ipf-set-min-frag v4 1000
    ovs-appctl dpctl/ipf-set-max-nfrags 500

See if that helps?

IIRC, the fragmentation engine doesn't support ICMP, just TCP/UDP.