On Thu, Nov 06, 2014 at 11:04:35AM +0100, Martin Vizvary wrote:
>
> On 11/05/2014 05:16 PM, Ben Pfaff wrote:
> > On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
> >> does anybody know if and how is implemented passive timeout for flow
> >> expiration?
> >>
> >> I was playing around with it, but you can configure only active timeout.
> >> (passive timeout is approximately 1s - I guess it is connected with
> >> next_timeout cycle only...
> >
> > The passive timeout triggers at the same time that OVS removes a flow
> > from the datapath. That is managed internally to OVS mainly to ensure a
> > good balance between performance, CPU usage, and memory usage. It's
> > probably not a good idea to try to adjust it just to change the NetFlow
> > passive timeout.
> >
>
> Thank you for fast response. Well, I know it will have impact on OVS
> performance, however it is not a good idea to use network flows with 1s
> timeout (current netflow probes use 30s/60s). Every request that takes
> longer than 2s will be divided into two flow records. Every service with
> keep-alive longer than 1-2s timeout will be divided into several flow
> records, etc.
>
> It will end with huge amount of network flows in real networks. Also
> divided flows will be useless for current Intrusion Detection Systems...
>
> Did you measure the impact of longer timeouts on OVS performance?

Currently the passive timeout is tied to the datapath flow expiration
interval. It's not a good idea to adjust the timeout interval just to
change the NetFlow passive timeout.

You could experiment with implementing a NetFlow-specific cache to hold
records for a while.
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
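
The record-holding cache suggested in the reply above, sketched as an added example that is not part of the thread and is not Open vSwitch code: it merges flow records that share a 5-tuple until the flow has been idle for a passive timeout or has lasted longer than an active timeout. The `Flow`, `FlowCache` and `stitch` names and the sample records are constructed; using 30 s as the passive and 60 s as the active timeout is an assumption based on the probe figures mentioned in the thread.

```python
from dataclasses import dataclass, replace

@dataclass
class Flow:
    key: tuple      # (src, dst, sport, dport, proto)
    first: float    # start time in seconds
    last: float     # time of last packet in seconds
    packets: int
    octets: int

class FlowCache:
    """Holds flow records and merges fragments of the same flow (hypothetical helper)."""
    def __init__(self, passive_timeout=30.0, active_timeout=60.0):
        self.passive = passive_timeout
        self.active = active_timeout
        self.flows = {}

    def expire(self, now):
        # Export flows idle for >= passive timeout or alive for >= active timeout.
        done = [f for f in self.flows.values()
                if now - f.last >= self.passive or now - f.first >= self.active]
        for f in done:
            del self.flows[f.key]
        return done

    def add(self, rec):
        exported = self.expire(rec.first)
        cur = self.flows.get(rec.key)
        if cur is None:
            self.flows[rec.key] = replace(rec)   # cache a copy of the record
        else:                                    # same flow: extend and accumulate
            cur.last = max(cur.last, rec.last)
            cur.packets += rec.packets
            cur.octets += rec.octets
        return exported

def stitch(records, **timeouts):
    """Run records through the cache in time order and return every exported flow."""
    cache = FlowCache(**timeouts)
    out = []
    for rec in sorted(records, key=lambda r: r.first):
        out.extend(cache.add(rec))
    out.extend(cache.flows.values())             # final flush
    return out

# Constructed sample: one keep-alive connection exported as short fragments.
KEEPALIVE = ("10.0.0.5", "10.0.0.9", 40000, 80, 6)
SAMPLE = [
    Flow(KEEPALIVE, 0.0, 1.0, 5, 600),
    Flow(KEEPALIVE, 3.0, 4.0, 4, 500),
    Flow(KEEPALIVE, 10.0, 11.0, 6, 900),
    Flow(KEEPALIVE, 45.0, 46.0, 3, 300),         # 34 s idle, so a new flow starts
]
```

With a 1 s passive timeout the four sample fragments stay four records; with 30 s they collapse to two, which is the record volume difference raised in the thread.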