hostfw: scalability issue due to BPF connection tracking for overlay traffic #32335
Labels
area/host-firewall
Impacts the host firewall or the host endpoint.
feature/conntrack
kind/performance
There is a performance impact of this.
pinned
These issues are not marked stale by our issue bot.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Comments
julianwiedmann
added
sig/datapath
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the context of #31082, @qmonnet spotted that the Host Firewall code in
to-netdevcurrently treats all overlay traffic as "host-originating", and thus creates CT entries for every VXLAN / GENEVE connection.These CT entries are meant to enable policy-bypass for reply traffic - but due to how VXLAN / GENEVE work, this doesn't make sense (replies are addressed to the
TUNNEL_PORT, not to the initial source port). Instead, the inbound path infrom-netdevjust creates another pair of CT entries.All these additional CT entries can result in scalability concerns for the BPF conntrack map - potential LRU evictions, additional overhead when running GC on the map etc.
Proposal
For the outbound path, we could
ctx_is_overlay()to apply policy, but then skip the CT entry creating.The text was updated successfully, but these errors were encountered: