  1. VinePerf
  2. VINEPERF-545

Add Conntrack firewall rules performance tests


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major
    • Future Release

      We would like to add some of the tests we run here to profile the effect of adding firewall-type rules to the OpenFlow tables.

      Here are some examples.

      # Clear the bridge before loading a rule set.
      ovs-ofctl -O OpenFlow13 --timeout 10 del-flows ovsbr0

      # Example 1: table 0 matches MAC, IP subnet and UDP ports, then sends untracked packets through conntrack.
      # Note: in table 1 each output:N rule has the same match and priority as the ct(commit) rule before it,
      # so that add-flow replaces the ct(commit) rule.
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1000,dl_src=04:f4:bc:2f:c8:c1,dl_dst=04:f4:bc:2f:c8:c0,ip,nw_src=10.0.0.1/12,nw_dst=10.0.0.1/12,udp,tp_src=1234,tp_dst=1234,ct_state=-trk,action=ct(table=1)"
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1000,dl_src=04:f4:bc:2f:c8:c0,dl_dst=04:f4:bc:2f:c8:c1,ip,nw_src=10.0.0.1/12,nw_dst=10.0.0.1/12,udp,tp_src=1234,tp_dst=1234,ct_state=-trk,action=ct(table=1)"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=10,ip,ct_state=+trk,action=ct(commit),20"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=10,ip,ct_state=+trk,action=output:20"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=20,ip,ct_state=+trk,action=output:10"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=11,ip,ct_state=+trk,action=ct(commit),21"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=11,ip,ct_state=+trk,action=output:21"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=21,ip,ct_state=+trk,action=output:11"
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1,action=drop"

      # Example 2: same layout, but table 0 matches only on MAC addresses and IP.
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1000,dl_src=04:f4:bc:2f:c8:c1,dl_dst=04:f4:bc:2f:c8:c0,ip,ct_state=-trk,action=ct(table=1)"
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1000,dl_src=04:f4:bc:2f:c8:c0,dl_dst=04:f4:bc:2f:c8:c1,ip,ct_state=-trk,action=ct(table=1)"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=10,ip,ct_state=+trk,action=ct(commit),20"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=10,ip,ct_state=+trk,action=output:20"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=20,ip,ct_state=+trk,action=output:10"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=11,ip,ct_state=+trk,action=ct(commit),21"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=11,ip,ct_state=+trk,action=output:21"
      ovs-ofctl add-flow ovsbr0 "table=1,in_port=21,ip,ct_state=+trk,action=output:11"
      ovs-ofctl add-flow ovsbr0 "table=0,priority=1,action=drop"

      There are others, but the idea is to set up different match-action rules and see how they affect performance under our continuous or tput tests. We already run these in house, so it's just a matter of adding them and making sure they work with VSPerf.

            ctrautma Christian Trautman
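Before benchmarking a firewall rule set like the ones above, it helps to confirm that every rule actually ends up in the table: `add-flow` replaces an existing entry that has the same table, priority and match, which is what happens to the `ct(commit)` rules here. The following lint is an added example, not VinePerf code or part of the original issue; `parse_flow` and `find_replaced` are hypothetical names, and it assumes plain comma-separated match fields without canonicalizing aliases or masks.

```python
"""Added example: lint ovs-ofctl add-flow strings for rules that replace earlier ones."""

DEFAULT_PRIORITY = 32768  # ovs-ofctl's priority when the flow string omits one


def parse_flow(flow):
    """Split one add-flow string into (table, priority, match, actions)."""
    # Both "action=" and "actions=" are accepted; everything after it is the action list.
    for keyword in ("actions=", "action="):
        head, sep, actions = flow.partition(keyword)
        if sep:
            break
    else:
        raise ValueError("no actions in flow: " + flow)
    table, priority, match = 0, DEFAULT_PRIORITY, set()
    for field in filter(None, (f.strip() for f in head.split(","))):
        key, _, value = field.partition("=")
        if key == "table":
            table = int(value, 0)
        elif key == "priority":
            priority = int(value, 0)
        else:
            match.add(field)  # order-insensitive; aliases and masks are not canonicalized
    return table, priority, frozenset(match), actions.strip()


def find_replaced(flows):
    """Return (earlier_idx, later_idx, lost_actions, kept_actions) per overwritten rule."""
    installed, replaced = {}, []
    for idx, flow in enumerate(flows):
        table, priority, match, actions = parse_flow(flow)
        key = (table, priority, match)
        if key in installed:
            old_idx, old_actions = installed[key]
            replaced.append((old_idx, idx, old_actions, actions))
        installed[key] = (idx, actions)
    return replaced


# Constructed sample: five rules copied from the second example on this page.
SAMPLE_FLOWS = [
    "table=0,priority=1000,dl_src=04:f4:bc:2f:c8:c1,dl_dst=04:f4:bc:2f:c8:c0,ip,ct_state=-trk,action=ct(table=1)",
    "table=1,in_port=10,ip,ct_state=+trk,action=ct(commit),20",
    "table=1,in_port=10,ip,ct_state=+trk,action=output:20",
    "table=1,in_port=20,ip,ct_state=+trk,action=output:10",
    "table=0,priority=1,action=drop",
]

if __name__ == "__main__":
    for old, new, lost, kept in find_replaced(SAMPLE_FLOWS):
        print(f"rule {new} replaces rule {old}: '{lost}' is dropped, '{kept}' stays")
```
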