Hi Brendan, Ilya,

On 10/31/25 2:15 PM, Ilya Maximets wrote:
> On 10/30/25 12:57 PM, Brendan Doyle via discuss wrote:
>>
>> As a follow up, the man page for Sampling_App states...
>>
>>        id: integer, in range 1 to 255
>>
>>                This identifier is used as part of the sample’s observation domain ID.
>>
>> So in my generated samples I have:
>>
>>   "observationDomainID" : 704643079,
>>   "observationPointID" : 1003,
>>
>> My Sample collector:
>> ovn-nbctl list Sampling_App
>> _uuid               : daa18e34-7705-42c4-bed7-afc4497e0a21
>> external_ids        : {}
>> id                  : 42
>> type                : acl-new
>>
>>
>> But I can't find '42' in '704643079' binary/hex or decimal, so how is the observationDomainID generated?
> 
> >>> hex(704643079)
> '0x2a000007'
> >>> 0x2a
> 42
> 
> The 7 is a datapath key.
> 
> This is documented in the description for debug_drop_domain_id.
> But the docs could be better indeed...
> 
>>
>> Brendan.
>>
>>
>> On 30/10/2025 11:09, Brendan Doyle via discuss wrote:
>>> Hi,
>>>
>>> I've asked this before but perhaps the question or response got lost, I'm struggling
>>> to understand the relationship between Sampling_App, Sample_Collector and Sample
>>> when creating ACLs with samples. I can't find any good documentation/blog or tutorial
>>> so I'm working off the unit tests.
>>>
>>> So what's the purpose of Sampling_App type="drop", it seems you don't need it to
>>> sample dropped packets. I have
>>>
>>> collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1 probability=65535 set_id=100)
>>>
>>> ovn-nbctl create Sampling_App type="acl-new" id="42"
>>>
>>> ovn-nbctl acl-add ls_vcn1_net1 from-lport 32767 "inport == \"00bff7c0-2e2d-41ba-9485-3b5fa9801365\" && arp" allow-related
>>> ovn-nbctl acl-add ls_vcn1_net1 from-lport 14000 "inport == \"00bff7c0-2e2d-41ba-9485-3b5fa9801365\" && ip.proto == 6" allow-related
>>>
>>> ovn-nbctl               \
>>>     -- --id=@sample_in_1c_new create Sample collector="$collector1" metadata=1003 \
>>>     -- --sample-new=@sample_in_1c_new              \
>>>        acl-add ls_vcn1_net1 from-lport 0 "inport == \"00bff7c0-2e2d-41ba-9485-3b5fa9801365\""    drop
>>>
>>>
>>> And this generates samples for dropped pkts, I don't need to create:
>>>
>>> ovn-nbctl create Sampling_App type="drop" id="44"
>>>
>>> And in any case there is no "--sample-drop=sample"  option for ovn-nbctl acl_add so how would I use it?
> 
> IIRC, the drop sampling app is for any packet drops in the system that OVN
> is responsible for, it's not tied to ACLs.  E.g. if the packet is dropped
> due to routing or there is no port to deliver, it will be sampled using the
> "drop" sampling app.  This behavior may need to be enabled separately, see
> the docs for debug_drop_collector_set.
> 
> Dumitru or Adrian may correct me if I'm wrong.
> 

This is correct.

If you want to sample packets that hit "drop ACLs" then you need to
attach a sample record to the ACL's "sample_new" field.  The column
name is not great but the docs say that already:

    <column name="sample_new">
      <p>
        The entry in the <ref table="Sample"/> table to use for sampling for
        new sessions matched by this ACL.  In case the ACL is stateless
        this is used for sampling all traffic matched by the ACL.
      </p>

In other words, if the ACL's action is to drop packets we'll sample
those packets that match the ACL criteria.

Regards,
Dumitru

_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
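
As an added illustration (not part of the thread or of OVN's own code), the decoding Ilya shows with `hex()` can be applied to collector output in bulk. It assumes the layout the worked value implies, with the Sampling_App id in the top 8 bits and the datapath key in the low 24 bits; `annotate`, `SAMPLES` and `APPS` are hypothetical names, and the second sample record is constructed.

```python
import json

APP_BITS = 8            # Sampling_App id range is 1..255, so one byte
KEY_BITS = 24           # assumption: the remaining bits carry the datapath key
KEY_MASK = (1 << KEY_BITS) - 1

def decode_domain_id(domain_id):
    """Split a 32-bit observationDomainID into (sampling_app_id, datapath_key)."""
    if not 0 <= domain_id < 1 << (APP_BITS + KEY_BITS):
        raise ValueError(f"not a 32-bit observation domain ID: {domain_id}")
    return domain_id >> KEY_BITS, domain_id & KEY_MASK

def encode_domain_id(app_id, datapath_key):
    """Inverse of decode_domain_id, useful for building collector-side filters."""
    if not 1 <= app_id <= 255:
        raise ValueError("Sampling_App id must be in range 1 to 255")
    if not 0 <= datapath_key <= KEY_MASK:
        raise ValueError("datapath key does not fit in 24 bits")
    return (app_id << KEY_BITS) | datapath_key

def annotate(samples, apps):
    """Attach the Sampling_App type and datapath key to each sample record.
    `apps` maps Sampling_App id -> type, as listed by `ovn-nbctl list Sampling_App`."""
    out = []
    for s in samples:
        app_id, dp_key = decode_domain_id(s["observationDomainID"])
        out.append({
            "app_id": app_id,
            "app_type": apps.get(app_id, "unknown"),  # id not in the NB listing
            "datapath_key": dp_key,
            "metadata": s["observationPointID"],      # 1003 in the thread's Sample
        })
    return out

# Constructed input: the first record uses the values from the thread,
# the second is made up to show an id with no matching Sampling_App row.
SAMPLES = json.loads("""[
  {"observationDomainID": 704643079, "observationPointID": 1003},
  {"observationDomainID": 738197511, "observationPointID": 0}
]""")
APPS = {42: "acl-new"}   # from the thread's Sampling_App listing

if __name__ == "__main__":
    for rec in annotate(SAMPLES, APPS):
        print(rec)
```
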