[ovs-discuss] Newbie and q. about implementing firewall-rules ala iptables with openflow for qemu-VMs

Ben Pfaff blp at nicira.com
Fri May 4 12:38:29 PDT 2012


On Fri, May 04, 2012 at 09:34:27PM +0200, Oliver Francke wrote:
> … showed the following:
> 
> root@fcmsnode10:~# ovs-dpctl show
> system@vmbr1:
> 	lookups: hit:263209087 missed:904392 lost:0
> 	flows: 5
> 	port 0: vmbr1 (internal)
> 	port 1: eth1
> 	port 4: vlan10 (internal)
> 	port 7: tap410i1d0
> 	port 13: tap433i1d0
> 	port 15: tap377i1d0
> 	port 16: tap416i1d0
> 	port 18: tap287i1d0
> 	port 19: tap451i1d0
> 	port 21: tap822i1d0
> 	port 23: tap160i1d0
> 	port 24: tap376i1d0
> 	port 27: tap1084i1d0
> 	port 28: tap1085i1d0
> 	port 30: tap1113i1d0
> 	port 31: tap339i1d0
> 	port 38: tap760i1d0
> system@vmbr0:
> 	lookups: hit:11883603451 missed:6262740342 lost:114647219
> 	flows: 1295
> 	port 0: vmbr0 (internal)
> 	port 1: vlan146 (internal)
> 	port 2: eth0
> 	port 4: tap266i0d0
> 	port 8: tap323i0d0
> 	port 13: tap283i0d0
> 	port 31: tap410i0d0
> 	port 41: tap134i0d0
> 
> and some more ~140 ports

Hmm, vmbr0 has a pretty high flow count and far too many lost packets.

I suggest, first, upgrading to OVS 1.4.1, which should reduce the lost
packet count, and then setting vmbr0's flow eviction threshold
significantly higher (which should reduce CPU usage) with:
        ovs-vsctl set bridge vmbr0 other-config:flow-eviction-threshold=10000

The latter will probably become unnecessary with OVS 1.7, but that's
not released yet.
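
Added example, not part of the original message or of OVS: a small parser for the `ovs-dpctl show` format quoted above that computes each datapath's miss rate and lost-per-miss ratio, the two figures the reply reacts to for vmbr0. The function names and the 5% miss-rate cut-off are assumptions chosen for illustration.

```python
import re

# Constructed sample in the `ovs-dpctl show` format quoted above (ports trimmed).
SAMPLE = """\
system@vmbr1:
\tlookups: hit:263209087 missed:904392 lost:0
\tflows: 5
\tport 0: vmbr1 (internal)
system@vmbr0:
\tlookups: hit:11883603451 missed:6262740342 lost:114647219
\tflows: 1295
"""

# The list archive renders "@" as " at ", so accept both spellings.
DP_RE = re.compile(r"^(\S+?)(?:@| at )(\S+):\s*$")
LOOKUPS_RE = re.compile(r"lookups:\s*hit:(\d+)\s+missed:(\d+)\s+lost:(\d+)")
FLOWS_RE = re.compile(r"flows:\s*(\d+)")


def parse_dpctl_show(text):
    """Return {bridge: {hit, missed, lost, flows}} parsed from the output text."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := DP_RE.match(line):
            current = stats.setdefault(m.group(2), dict(hit=0, missed=0, lost=0, flows=0))
        elif current is not None and (m := LOOKUPS_RE.search(line)):
            current.update(zip(("hit", "missed", "lost"), map(int, m.groups())))
        elif current is not None and (m := FLOWS_RE.search(line)):
            current["flows"] = int(m.group(1))
    return stats


def summarize(stats, max_miss_pct=5.0):  # assumed cut-off, not an OVS default
    """Flag datapaths that lost any packets or miss more often than the cut-off."""
    report = {}
    for bridge, s in stats.items():
        total = s["hit"] + s["missed"]
        miss_pct = 100.0 * s["missed"] / total if total else 0.0
        lost_pct = 100.0 * s["lost"] / s["missed"] if s["missed"] else 0.0
        report[bridge] = {
            "miss_pct": round(miss_pct, 2),
            "lost_per_miss_pct": round(lost_pct, 2),
            "flagged": s["lost"] > 0 or miss_pct > max_miss_pct,
        }
    return report


if __name__ == "__main__":
    for bridge, r in summarize(parse_dpctl_show(SAMPLE)).items():
        print(bridge, r)
```

On the quoted counters, vmbr1 stays unflagged while vmbr0 is flagged with roughly a third of lookups missing the datapath flow table.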

