*Summary*

When ACLs using the sample action are configured on a logical port and
placed in a non-zero ACL tier (e.g., tier=3), sampled packets are
reported *multiple times* by IPFIX. This does not occur when the ACL is
placed in tier=0. This suggests a *sampling duplication issue* related to
the ACL tier pipeline.
------------------------------

*Environment*

   - *OVN version*: 24.09.0
   - *Open vSwitch version*: 3.4.0
   - *Southbound schema*: 20.37.0

------------------------------

*Topology*

server_a ----- logical_switch ----- server_b

*ACLs Applied:*

   - On server_a port group:

     to-lport, tier=3, priority=1002
     match: outport == @pg_server_a && ip4 && ip4.src == 0.0.0.0/0 && icmp4
     action: allow-related; sample (sample UUID: bab5…)

   - On server_b port group:

     from-lport, tier=3, priority=1002
     match: inport == @pg_server_b && ip4 && ip4.dst == 0.0.0.0/0 && icmp4
     action: allow-related (no sampling)


(ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list acl 032187d0-460b-409d-b263-1a5c3a23f6ec
_uuid : 032187d0-460b-409d-b263-1a5c3a23f6ec
action : allow-related
direction : to-lport
match : "outport == @pg_2fe352c0_af39_4321_a582_5760e993a401 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
priority : 1002
sample_est : bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
tier : 3

(ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list sample bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
_uuid : bab51b1e-ddb6-4105-b7ea-69c5c51beaeb
collectors : [38fff76a-e439-4e52-901e-79bdcb82dd24]
metadata : 306377

(ovn-nb-db)[root@Openstack-controller-3-ovn-scale-test /]# ovn-nbctl list sample_collector 38fff76a-e439-4e52-901e-79bdcb82dd24
_uuid : 38fff76a-e439-4e52-901e-79bdcb82dd24
external_ids : {}
id : 1
name : project-a5e59a1161704eef8028d1db8e032147
probability : 65535
set_id : 1

------------------------------

*Expected Behavior*

   - First ICMP request from server_b to server_a:
      - Echo *request*: not sampled (new connection).
      - Echo *reply*: sampled once.
   - Subsequent packets:
      - Echo *request* and *reply*: each sampled *once* via the ACL on
        server_a.

------------------------------

*Actual Behavior*

   - First flow: behaves correctly.
   - Subsequent flows:
      - *Echo request* is sampled *multiple times*.
      - *Echo reply* is sampled *once* (correct).

------------------------------

*Observed Pattern*
The number of userspace(flow_sample(...)) actions in the OpenFlow rule
*increases with ACL tier*:

Example OpenFlow rule (Tier=3):

actions: userspace(flow_sample...), userspace(flow_sample...),
userspace(flow_sample...), userspace(flow_sample...), ...

With acl tier = 3, sample 4 times:
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:118, bytes:11564, used:0.936s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9

with acl tier = 2, sample 3 times:
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:148, bytes:14504, used:0.828s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9

with acl tier = 1, sample 2 times:
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:168, bytes:16464, used:0.468s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9

with acl tier = 0, sample 1 time:
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:184, bytes:18032, used:0.708s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9

This suggests that maybe *the sample action is re-applied at each logical
pipeline tier*.
------------------------------

*Hypothesis*
It appears that the sample action when ACLs are placed in higher tiers is *not
deduplicated*. Since OVN handles ACLs per tier and recirculates between
them, each tier may be injecting the same sample action again.
------------------------------

*Reproduction Steps*

   1. Configure ACL with sample and tier > 0 on a port group.
   2. Send traffic between two VMs.
   3. Observe IPFIX export or OVS flow with userspace(flow_sample(...))
      appearing multiple times per flow.

Thank you very much for your time and support of the sampling feature.


*Best regards,*
Oscar
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
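To confirm the pattern described in this report on a live hypervisor without reading the flow dump by eye, here is an added example (my own code, not from the report, nor from OVN or Open vSwitch) that parses `ovs-appctl dpctl/dump-flows` output, counts the flow_sample() actions per datapath flow and per obs_point_id, and flags any flow that samples the same observation point more than once. The embedded dump reuses the tier=3 and tier=0 flows quoted above, kept in their mail-wrapped form, plus a constructed unsampled control flow; the script name check_sampling.py and the control flow's fields are assumptions.

```python
import re
import sys
from collections import Counter

# Added example, not from the report or the OVN/OVS projects: audit a
# datapath flow dump for flows that carry the same flow_sample() action
# more than once. Constructed input: the tier=3 and tier=0 flows quoted in
# the report (mail-wrapped, three lines each) plus a made-up, unsampled
# control flow (recirc_id(0), in_port(2)) that the audit must ignore.
SAMPLE_DUMP = """\
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:118, bytes:11564, used:0.936s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
recirc_id(0),in_port(2),eth(src=fa:16:3e:5e:1e:71,dst=fa:16:3e:5e:bc:67),eth_type(0x0800),ipv4(dst=10.1.1.4,proto=1,frag=no), packets:12, bytes:1176, used:0.100s, actions:1
recirc_id(0x10d),tunnel(tun_id=0x1,src=172.25.240.92,dst=172.25.240.93,geneve({}{}),flags(-df+csum+key)),in_port(1),ct_state(-new+est-rel-rpl-inv+trk),ct_mark(0x10020/0xff0031),ct_label(0x4acc9000000000000000000000000),eth(src=fa:16:3e:5e:bc:67,dst=fa:16:3e:5e:1e:71),eth_type(0x0800),ipv4(dst=10.1.1.5,proto=1,frag=no),
packets:184, bytes:18032, used:0.708s,
actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=1,obs_domain_id=33554433,obs_point_id=306377,output_port=4294967295)),9
"""

# flow_sample(...) never nests parentheses, so a flat capture is enough.
FLOW_SAMPLE_RE = re.compile(r"flow_sample\(([^)]*)\)")
# A datapath flow line starts with its match (or a ufid: prefix when
# dump-flows is run with -m); anything else is a header or a wrapped tail.
FLOW_START_RE = re.compile(r"^(ufid:|recirc_id\()")


def split_flows(dump):
    """Yield one string per datapath flow.

    dpctl/dump-flows prints one flow per line; text pasted from mail or
    tickets is often wrapped, so a line that does not start a new flow is
    treated as a continuation of the previous one.
    """
    current = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FLOW_START_RE.match(line):
            if current:
                yield " ".join(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        yield " ".join(current)


def sample_actions(flow):
    """Return the parameter dict of every flow_sample() action in a flow."""
    _, sep, actions = flow.partition("actions:")
    if not sep:
        return []
    return [dict(kv.split("=", 1) for kv in params.split(","))
            for params in FLOW_SAMPLE_RE.findall(actions)]


def audit_sampling(dump, expected=1):
    """Report sampled flows, flagging obs_point_ids hit more than `expected`.

    With one ACL carrying one sample, a packet should be handed to the same
    observation point at most once per datapath flow (expected=1).
    """
    report = []
    for flow in split_flows(dump):
        samples = sample_actions(flow)
        if not samples:
            continue  # unsampled flow, nothing to check
        per_point = Counter(s["obs_point_id"] for s in samples)
        match = flow.partition("packets:")[0].rstrip(", ")
        report.append({
            "match": match,
            "samples": dict(per_point),
            "duplicated": {p: n for p, n in per_point.items() if n > expected},
        })
    return report


def duplicate_count(dump, expected=1):
    """Number of flows in the dump with at least one over-sampled point."""
    return sum(1 for r in audit_sampling(dump, expected) if r["duplicated"])


if __name__ == "__main__":
    # Usage on a chassis: ovs-appctl dpctl/dump-flows | python3 check_sampling.py
    # With no piped input the embedded sample dump is audited instead.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for entry in audit_sampling(text):
        flag = "DUPLICATE" if entry["duplicated"] else "ok"
        print(f"{flag:9} samples={entry['samples']} match={entry['match'][:60]}...")
    sys.exit(1 if duplicate_count(text) else 0)
```

Run it on the tier=3 chassis and the first flow is reported as DUPLICATE with four hits on obs_point_id 306377 (the Sample row's metadata); on the same dump after moving the ACL to tier=0 the same match reports a single hit. Because the count is keyed on obs_point_id rather than on the raw action text, a flow that legitimately carries two different samples (two ACLs, two Sample rows) is not flagged.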
