Hi Numan,
On 14 Feb 2025, at 07:23, Numan Siddique <[email protected]> wrote:
> I guess with this, you can mirror to any logical port and it's fine
> if the logical switch of this mirror port
> is not connected to the source port via any router. Which I guess is
> your goal too.

Yes, we pursued this goal.

> I don't think it is necessary for the cloned packet to go through all
> the stages of the datapath pipeline once the packet is cloned.
> I think it can be directly output to the destination mirror port.

If I understood your point correctly, then a logical flow is now being
added to the egress pipeline of logical pipes containing the target ports
in the pre_acl reset to the last table, which ensures this.

> I'm fine if we want to use a new action or not as a short term approach.

I've seen your vision of the mirror action below, and I'll take it to work.

> In this patch, what happens if the packet from a source port is
> dropped in the ACL stage?
> Looks like we end up mirroring this packet. Is this fine?

Yes, we wanted to make the mirroring as close to the source port
as possible.

> I also noticed that if a user creates a chain, like below, the
> behavior is weird
> and the packets are dropped. I didn't dig further.
>
> ovn-nbctl mirror-add mirror0 both from-lport sw1-p1
> ovn-nbctl lsp-attach-mirror sw0-p1 mirror0
> ovn-nbctl mirror-add mirror1 both from-lport sw0-p1
> ovn-nbctl lsp-attach-mirror sw1-p1 mirror1

Regarding the case you described, I tend to believe that the v5
patch fixes this situation. When pinging from port s1-p1 to
s0-p1, I see a request on port s1-p1 and then 2 replies from port s0-p1.

> In the long term (hopefully in 25.09), below is what I think we
> should design this feature as:
>
> Suppose if I create a mirror like this:
>
> ovn-nbctl mirror-add mirror0 both from-lport sw1-p1
> ovn-nbctl lsp-attach-mirror sw0-p1 mirror0
>
> then
>
> 1. Consider a mirror as a separate datapath. Hopefully we can make
> use of composable services features.
> 2. Create an internal patch port connecting the logical switch sw0 to
> the mirror datapath (SB port binding)
> 3. If the packet needs to be mirrored, in the ingress or egress
> pipeline we just do something like
>
> table=2 (ls_in_mirror ), priority=100 , match=(inport == "sw0-p1"), action=(mirror(outport == sw0-mirror0); next;)
>
> or
>
> table=7 (ls_out_mirror ), priority=100 , match=(outport == "sw01-port1"), action=(mirror(outport == sw0-mirror0); next;)
>
> In the mirror pipeline, we can add logical flows for the mirror rules
> (or mirror ACLs). These mirror rules
> can drop the packet if there is no match or output to the mirror output port.
>
> 3. We can consider that each mirror has one output port.
> 4. If we want we can enhance a mirror to have multiple output ports.
> Depending on the match, the output port
> can be chosen.

Regarding your ideas on how it should be designed in 25.09:
I understand your ideas, I will think in this way for version 25.09.
Thank you for taking the time to test this patch,
I am extremely grateful.