[ovs-dev] is the OVN load balancer also intended to be a firewall?

Ben Pfaff blp at ovn.org
Wed Jul 7 22:38:44 UTC 2021


Hi, I've been talking to Shay Vargaftik (CC'd), also a researcher at
VMware, about some work he's done on optimizing load balancers.  What
he's come up with is a technique that in many cases avoids putting
connections into the connection-tracking table, because it can achieve
per-connection consistency without needing to do that.  This improves
performance by reducing the size of the connection-tracking table, which
is therefore more likely to fit inside a CPU cache and cheaper to
search.

I'm trying to determine whether this technique would apply to OVN's load
balancer.  There would be challenges in any case, but one fundamental
question I have is: is the OVN load balancer also supposed to be a
firewall?  If it's not, then it's worth continuing to look to see if the
technique is applicable.  On the other hand, if it is, then every
connection needs to be tracked in any case, so the technique can't be
useful.

Anyone's thoughts would be welcome.

Thanks,

Ben.

