[ovs-dev] [PATCH v6 ovn] ovn-northd: introduce new allow-stateless ACL verb

Dumitru Ceara dceara at redhat.com
Wed Apr 28 07:49:04 UTC 2021


On 4/27/21 1:53 AM, Ihar Hrachyshka wrote:
> For allow-stateless ACLs, bypass connection tracking by avoiding
> setting ct hints for matching traffic. Avoid sending all traffic to ct
> when a stateful ACL is present.
> 
> ===
> 
> Reusing an existing 'allow' verb for stateless matching would have its
> drawbacks, specifically, when it comes to backwards incompatibility of
> the new behavior with existing environments. When using "allow" ACLs
> in mixed allow/allow-related environment, we still commit "allow"
> traffic to conntrack. This unnecessarily hits performance when mixed
> ACL action types were used for the same datapath. This is why we
> introduce a new action verb to describe stateless behavior.
> 
> Another complexity to consider is the fact that with stateless
> matching, one would not be able to rely on 'related' magic that
> guarantees that reply traffic is passed through. Instead, the user
> would have to accurately define matching rules both for request and
> reply directions of a protocol session. Specifically, when allowing
> ICMP for a specific peer host, one has to define 'allow-stateless'
> rules that would match against ip.dst for request direction and ip.src
> for reply direction. Other protocols and scenarios will require their
> own fine grained matching approaches implemented by the user.
> 
> ===
> 
> For performance measurements, ovn-fake-multinode environment and qperf
> were used. Performance measured between two virtual nodes, two ports
> that belong to different LSs connected via router. Using qperf,
> performance was measured for UDP, TCP, SCTP protocols (using
> <proto>_lat and <proto>_bw tests). The qperf version used:
> 0.4.9-16.fc31.x86_64.  Each test scenario was executed five times and
> averages compared.
> 
> Tests were executed with `allow-stateless` rules for the tested
> protocol and `allow-related` for another protocol set for both ports,
> both directions, e.g. for TCP scenario, the following ACLs were
> defined:
> 
> ovn-nbctl acl-add sw0 to-lport 100 tcp allow-stateless
> ovn-nbctl acl-add sw0 from-lport 100 tcp allow-stateless
> ovn-nbctl acl-add sw1 to-lport 100 tcp allow-stateless
> ovn-nbctl acl-add sw1 from-lport 100 tcp allow-stateless
> 
> ovn-nbctl acl-add sw0 to-lport 100 sctp allow-related
> ovn-nbctl acl-add sw0 from-lport 100 sctp allow-related
> ovn-nbctl acl-add sw1 to-lport 100 sctp allow-related
> ovn-nbctl acl-add sw1 from-lport 100 sctp allow-related
> 
> In this particular environment, improvement was seen in send_bw,
> latency, and msg_rate measurements, where applicable, for all three
> protocols under test.
> 
> for UDP, send_bw: 293.6 MB/sec => 313.2 MB/sec (+6.68%)
>          latency: 16 us => 14.08 us (-12%)
>          msg_rate: 62.56 K/sec => 71.06 K/sec (+13.59%)
> 
> for TCP, latency: 18.6 us => 14.88 us (-20%)
>          msg_rate: 53.8 K/sec => 67.28 K/sec (+25.06%)
> 
> for SCTP, latency: 21.98 us => 19.42 us (-11.65%)
>           msg_rate: 45.58 K/sec => 51.54 K/sec (+13.08%)
> 
> Interestingly, some performance improvement was also seen for the same
> scenarios with no ACLs set at all, albeit significantly more
> negligible.
> 
> for UDP, send_bw: 320.0 MB/sec => 338.6 MB/sec (+5.81%)
>          latency: 13.74 us => 12.88 us (-6.68%)
>          msg_rate: 73.02 K/sec => 77.84 K/sec (+6.6%)
> 
> for TCP, latency: 15.62 us => 14.26 us (-9.54%)
>          msg_rate: 64.02 K/sec => 70.26 K/sec (+9.75%)
> 
> for SCTP, latency: 19.56 us => 18.16 us (-7.16%)
>           msg_rate: 51.16 K/sec => 55.12 K/sec (+7.74%)
> 
> Comparable numbers can be captured with iperf. It may be useful to run
> more tests in a more elaborate (bare metal) environment.
> 
> ===
> 
> The patch takes inspiration from a now abandoned patch:
> 
> "ovn-northd: Support mixing stateless/stateful ACLs with
> Stateless_Filter." by Dumitru Ceara.
> 
> The original patch assumed the CMS doesn't require full flexibility of
> matching rules for stateless matching (for example, to be used by
> OpenShift). But other CMS interfaces may require the same
> customizability for stateless as well as stateful matching, like the
> OpenStack Neutron API, which is why this patch reuses the existing ACL
> object type to describe stateless rules.
> 
> Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>
> 
> ---

A minor nit below (sorry I missed it in the previous iteration),
otherwise my ack stands:

Acked-by: Dumitru Ceara <dceara at redhat.com>

[...]

> diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
> index 29019809c..58932db14 100644
> --- a/ovn-nb.ovsschema
> +++ b/ovn-nb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>      "name": "OVN_Northbound",
>      "version": "5.31.0",
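Review bot: the `"version": "5.31.0",` line is unchanged context in this hunk (leading space), so the schema is being modified without a version bump. Adding the new `allow-stateless` value to the ACL action enum is a backwards compatible schema change, and the ovsdb(7) schema versioning rules call for the minor number to be incremented for that case; this should read `"version": "5.32.0",`. While touching the header, also make sure the `cksum` line is recomputed for the edited schema text (the build verifies it), and that the new action value is documented in ovn-nb.xml next to the other ACL actions, including the point from the commit message that reply traffic needs its own rule because nothing is committed to conntrack.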

We should bump the version to 5.32.0 because there were changes to the
schema in a backwards compatible way:

https://github.com/openvswitch/ovs/blob/master/Documentation/ref/ovsdb.7.rst#schemas
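The commit message points out the operational cost of allow-stateless: with no conntrack entry there is no 'related' matching, so every stateless allowance needs an explicit rule for the reply direction as well (ip.dst for the request, ip.src for the reply in the ICMP case). The helper below, an added example that is not part of the patch or of OVN's code base, generates that pair of ovn-nbctl commands from a single one-direction match. It generalizes the ICMP case from the text to the other sided fields of the OVN match syntax (eth/ip4/ip6/tcp/udp/sctp src and dst) and to the ICMP echo request/reply type pair; the switch name, peer address and port are constructed sample values, and the from-lport/to-lport mapping assumes the rule is written from the perspective of the port that initiates the session.

```python
"""Generate the request/reply ACL pair an allow-stateless rule needs.

Added example, not code from the patch or from OVN itself. Match field
names follow the OVN ACL match syntax; sample values are made up.
"""
import re
import shlex

# Fields whose src/dst sides are exchanged between a packet and its reply.
_SIDED_FIELDS = ("eth", "ip4", "ip6", "tcp", "udp", "sctp")
_SIDED_RE = re.compile(r"\b(" + "|".join(_SIDED_FIELDS) + r")\.(src|dst)\b")

# ICMP echo is the common case where the reply is a different type:
# echo request <-> echo reply for both ICMPv4 and ICMPv6.
_ICMP_RE = re.compile(r"\b(icmp4|icmp6)\.type\s*==\s*(\d+)\b")
_ICMP_REPLY_TYPE = {("icmp4", "8"): "0", ("icmp4", "0"): "8",
                    ("icmp6", "128"): "129", ("icmp6", "129"): "128"}

# Assumption: direction is relative to the port initiating the session.
# Its request is seen by from-lport ACLs, the reply arriving back at the
# port by to-lport ACLs.
_REPLY_DIRECTION = {"from-lport": "to-lport", "to-lport": "from-lport"}


def reverse_match(match: str) -> str:
    """Rewrite an OVN ACL match so that it matches the reply packets instead."""
    def swap_side(m: re.Match) -> str:
        field, side = m.group(1), m.group(2)
        return f"{field}.{'src' if side == 'dst' else 'dst'}"

    def swap_icmp_type(m: re.Match) -> str:
        proto, icmp_type = m.group(1), m.group(2)
        # Types without a request/reply pairing (e.g. errors) are left alone.
        reply_type = _ICMP_REPLY_TYPE.get((proto, icmp_type), icmp_type)
        return f"{proto}.type == {reply_type}"

    # Each token is visited exactly once per pass, so nothing is swapped back.
    return _ICMP_RE.sub(swap_icmp_type, _SIDED_RE.sub(swap_side, match))


def stateless_acl_pair(switch: str, direction: str, priority: int,
                       match: str) -> list[str]:
    """Return the ovn-nbctl commands for the rule and its reply-direction twin."""
    if direction not in _REPLY_DIRECTION:
        raise ValueError(f"direction must be from-lport or to-lport, got {direction!r}")
    rules = ((direction, match),
             (_REPLY_DIRECTION[direction], reverse_match(match)))
    return [
        f"ovn-nbctl acl-add {shlex.quote(switch)} {d} {priority} "
        f"{shlex.quote(m)} allow-stateless"
        for d, m in rules
    ]


if __name__ == "__main__":
    # Constructed sample: ports on sw0 may reach an HTTPS server at 10.0.0.5
    # and ping it, without either session being committed to conntrack.
    for cmd in stateless_acl_pair("sw0", "from-lport", 100,
                                  "ip4.dst == 10.0.0.5 && tcp.dst == 443"):
        print(cmd)
    for cmd in stateless_acl_pair("sw0", "from-lport", 100,
                                  "icmp4 && icmp4.type == 8 && ip4.dst == 10.0.0.5"):
        print(cmd)
```

The generated reply rule only admits direct replies of the same protocol. What allow-related additionally covers through conntrack, such as ICMP error messages belonging to a TCP session, is not matched by either rule, so a stateless deployment that needs those has to add them explicitly as well.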
