On Mon, May 19, 2025 at 10:58 AM Trọng Đạt Trần via discuss <
[email protected]> wrote:

> *Summary*
>
> When ACLs using the sample action are configured on a logical port and
> placed in a non-zero ACL tier (e.g., tier=3), sampled packets are
> reported *multiple times* by IPFIX. This does not occur when the ACL is
> placed in tier=0. This suggests a *sampling duplication issue* related to
> the ACL tier pipeline.
> ------------------------------
>
> *Environment*
>
>    -
>
>    *OVN version*: 24.09.0
>    -
>
>    *Open vSwitch version*: 3.4.0
>    -
>
>    *Southbound schema*: 20.37.0
>
> ------------------------------
>
> *Topology*
>
> server_a ----- logical_switch ----- server_b
>
> *ACLs Applied:*
>
>    -
>
>    On server_a port group:
>
>    to-lport, tier=3, priority=1002
>    match: outport == @pg_server_a && ip4 && ip4.src == 0.0.0.0/0 && icmp4
>    action: allow-related; sample (sample UUID: bab5…)
>
>    -
>
>    On server_b port group:
>
>    from-lport, tier=3, priority=1002
>    match: inport == @pg_server_b && ip4 && ip4.dst == 0.0.0.0/0 && icmp4
>    action: allow-related (no sampling)
>
>
> (ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list
> acl 032187d0-460b-409d-b263-1a5c3a23f6ec
> _uuid : 032187d0-460b-409d-b263-1a5c3a23f6ec
> action : allow-related
> direction : to-lport
> match : "outport == @pg_2fe352c0_af39_4321_a582_5760e993a401 && ip4 &&
> ip4.src == 0.0.0.0/0 && icmp4"
> priority : 1002
> sample_est : bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
> tier : 3
>
> (ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list
> sample bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
> _uuid : bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
> collectors : [38fff76a-e439-4e52-901e-79bdcb82dd24]
> metadata : 306377
>
> (ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list
> sample_collector 38fff76a-e439-4e52-901e-79bdcb82dd24
> _uuid : 38fff76a-e439-4e52-901e-79bdcb82dd24
> external_ids : {}
> id : 1
> name : project-a5e59a1161704eef8028d1db8e032147
> probability : 65535
> set_id : 1
>
> ------------------------------
>
> *Expected Behavior*
>
>    -
>
>    First ICMP request from server_b to server_a:
>    -
>
>       Echo *request*: not sampled (new connection).
>       -
>
>       Echo *reply*: sampled once.
>       -
>
>    Subsequent packets:
>    -
>
>       Echo *request* and *reply*: each sampled *once* via the ACL on
>       server_a.
>
> ------------------------------
>
> *Actual Behavior*
>
>    -
>
>    First flow: behaves correctly.
>    -
>
>    Subsequent flows:
>    -
>
>       *Echo request* is sampled *multiple times*.
>       -
>
>       *Echo reply* is sampled *once* (correct).
>
> ------------------------------
>
> *Observed Pattern*
> The number of userspace(flow_sample(...)) actions in the OpenFlow rule
> *increases with ACL tier*:
>
> Example OpenFlow rule (Tier=3):
>
> actions: userspace(flow_sample...), userspace(flow_sample...), 
> userspace(flow_sample...), userspace(flow_sample...), ...
>
> With acl tier = 3, sampled 4 times:
> recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
>  packets:118, bytes:11564, used:0.936s, 
> actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
>
> With acl tier = 2, sampled 3 times:
> recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
>  packets:148, bytes:14504, used:0.828s, 
> actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
>
> With acl tier = 1, sampled 2 times:
> recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
>  packets:168, bytes:16464, used:0.468s, 
> actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
>
> With acl tier = 0, sampled 1 time:
> recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
>  packets:184, bytes:18032, used:0.708s, 
> actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
>
> This suggests that maybe *the sample action is re-applied at each logical
> pipeline tier*.
> ------------------------------
>
> *Hypothesis*
> It appears that the sample action when ACLs are placed in higher tiers is
> *not deduplicated*. Since OVN handles ACLs per tier and recirculates between
> them, each tier may be injecting the same sample action again.
> ------------------------------
>
> *Reproduction Steps*
>
>    1.
>
>    Configure ACL with sample and tier > 0 on a port group.
>    2.
>
>    Send traffic between two VMs.
>    3.
>
>    Observe IPFIX export or OVS flow with userspace(flow_sample(...))
>    appearing multiple times per flow.
>
> Thank you very much for your time and support of the sampling feature.
>
>
> *Best regards,*
> Oscar
> _______________________________________________
> discuss mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


Hi Oscar,

thank you for the report.

From the description it seems this was fixed already in the newer version
of 24.09 [0]; more specifically, it's within the 24.09.2 release. Would you
mind trying out the newer version and letting us know if it's the same issue
or something different?

Regards,
Ales

[0]
https://github.com/ovn-org/ovn/commit/177ce930c3012c53f171c2ff88365baa8f8233f0
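The check from step 3 of the report's reproduction steps, written out as an added example (not OVN or OVS code, and not from either poster): it parses `ovs-appctl dpctl/dump-flows`-style lines and flags any datapath flow whose actions carry the same flow_sample() observation point more than once, which is the duplicate-export symptom described above. The sample flow lines are constructed from the tier=3 and tier=0 dumps in the report, with the match fields abbreviated.

```python
import re
from collections import Counter

FLOW_SAMPLE_RE = re.compile(r"flow_sample\(([^)]*)\)")

def split_top_level(s):
    """Split an OVS action list on commas that are outside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts

def sample_keys(actions):
    """One (collector_set_id, obs_domain_id, obs_point_id) tuple per flow_sample()."""
    keys = []
    for act in split_top_level(actions):
        m = FLOW_SAMPLE_RE.search(act)
        if m:
            kv = dict(p.split("=", 1) for p in m.group(1).split(","))
            keys.append((kv["collector_set_id"], kv["obs_domain_id"], kv["obs_point_id"]))
    return keys

def duplicate_samples(flow_line):
    """Observation points sampled more than once in a single datapath flow,
    i.e. every packet of the flow is exported that many times to IPFIX."""
    _match, _, actions = flow_line.partition("actions:")
    counts = Counter(sample_keys(actions))
    return {key: n for key, n in counts.items() if n > 1}

# Constructed input: the report's tier=3 and tier=0 flows, match fields abbreviated.
SAMPLE = ("userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,"
          "obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295))")
MATCH = ("recirc_id(0x10d),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),eth_type(0x0800),"
         "ipv4(dst=10.1.1.5,proto=1,frag=no), packets:118, bytes:11564, used:0.936s, ")
TIER3_FLOW = MATCH + "actions:" + ",".join([SAMPLE] * 4) + ",9"
TIER0_FLOW = MATCH + "actions:" + SAMPLE + ",9"

if __name__ == "__main__":
    for name, flow in (("tier=3", TIER3_FLOW), ("tier=0", TIER0_FLOW)):
        print(name, duplicate_samples(flow) or "no duplicate sampling")
```

Piping a live dump through this after upgrading (each flow joined onto one line) gives a quick before/after confirmation that the fix referenced in [0] removed the extra actions.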