Based on the introduction of the OVN "sample" action (still WIP) [1], the proposal of this RFC is to use per-flow IPFIX sampling to increase visibility on ACLs.
The idea of ACL sampling is very similar to the already existing ACL logging, with the following key differences:

- Using IPFIX sampling collects header information of the actual packet that was dropped / accepted by the ACL. This information is key to debug an issue or understand the traffic profile that traverses the ACLs.
- With ACL logging, the information goes to the ovn-controller, adding pressure to it. Using IPFIX sampling can offload the ovn-controller by sending samples to external IPFIX collectors.
- Using the sample action, we don't need to rely on a meter to limit the amount of data we process since we have the sampling rate/probability.
- Using IPFIX as standard format makes the solution interoperable so it's possible to combine with other IPFIX sources to build comprehensive observability tools.

This RFC includes a prototype implementation based on the creation of a new NBDB table "Sample" and a reference to it from the ACL table. This would allow the use of per-flow IPFIX sampling to add visibility to other areas of OVN as the needs arise.

[1] https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/

Adrian Moreno (2):
  northd: add ACL Sampling
  ovn-nbctl: add sample to acl-add

 northd/northd.c           | 31 ++++++++++++++++++++++++++++++-
 ovn-nb.ovsschema          | 23 ++++++++++++++++++++++-
 ovn-nb.xml                | 31 +++++++++++++++++++++++++++++++
 utilities/ovn-nbctl.8.xml |  7 ++++++-
 utilities/ovn-nbctl.c     | 20 +++++++++++++++++++-
 5 files changed, 108 insertions(+), 4 deletions(-)

-- 
2.37.3
