On Tue, Apr 29, 2025 at 11:29:57AM +0700, Trọng Đạt Trần via discuss wrote:
> Summary
>
> In an OpenStack deployment using Neutron with OVN as the backend, I
> observed that enabling sampling on ACLs appears to create duplicated
> sampling actions for certain OpenFlow datapath flows, resulting in
> duplicated IPFIX records. This may indicate that ovn-controller is
> installing redundant sampled flows.
>
> Test Topology
>
> vm_a ---- network1 ---- router ---- network2 ---- vm_b
>
> - OpenStack Neutron with OVN backend.
> - Testing with ICMP traffic (but TCP shows the same behavior).
> - Two ACLs: one allowing related outbound IPv4 traffic and one allowing
>   related inbound ICMP traffic.
> - Security groups (containing the two ACLs) applied symmetrically to both
>   VMs.
> - ACL correctness has been verified separately.
>
> Problem Description
>
> - When sampling is enabled on both the inbound ICMP rule and the outbound
>   IPv4 rule, the same OpenFlow flow (0x3d62e572) appears twice, leading to
>   duplicated IPFIX records.

From flow dumps, I don't see an OpenFlow duplication, quoting from below:

> cookie=0x3d62e572, duration=6.139s, table=50, n_packets=5, n_bytes=490, idle_age=0, priority=1000,ct_state=+est+rpl+trk,ct_mark=0x20000/0xff0000,ct_label=0/0xffffffffffffffffffffffff,ip,metadata=0x11 actions=sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=NXM_NX_CT_LABEL[96..127]),resubmit(,51)
> cookie=0x3d62e572, duration=6.139s, table=50, n_packets=3, n_bytes=294, idle_age=0, priority=1000,ct_state=+est+rpl+trk,ct_mark=0x20000/0xff0000,ct_label=0/0xffffffffffffffffffffffff,ip,metadata=0x12 actions=sample(probability=65535,collector_set_id=2,obs_domain_id=33554450,obs_point_id=NXM_NX_CT_LABEL[96..127]),resubmit(,51)

They match on different metadata values, each of them probably indicating the sampling direction.

> - Dumping flows with ovs-dpctl dump-flows system@ovs-system shows
>   duplicated flow_sample actions on some flows.
>
>   "recirc_id(0x6b9d),in_port(9),ct_state(-new+est-rel+rpl-inv+trk),ct_mark(0x20020/0xff0031),ct_label(0x1c8000000000000000000000000),eth(src=fa:16:3e:01:f9:9f,dst=fa:16:3e:05:9c:9a),eth_type(0x0800),ipv4(src=10.2.1.171,dst=10.2.2.88,proto=1,ttl=64,frag=no), packets:3298, bytes:323204, used:0.277s, actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=456,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=456,output_port=4294967295)),ct_clear,set(eth(src=fa:16:3e:37:38:47,dst=fa:16:3e:b0:69:d3)),set(ipv4(ttl=63)),ct(zone=23),recirc(0x6b9e)"
>
> - This behavior does not occur when sampling is applied to only one
>   direction (either inbound or outbound).
>
> Verification Steps
>
> 1. *Sampling only inbound ICMP ACL*
>    → Flows sampled once as expected.
> 2. *Sampling both inbound ICMP and outbound IPv4 ACLs*
>    → Certain OpenFlow flows are installed twice with sampling, suggesting
>    duplication.
> 3. *Sampling only outbound IPv4 ACL*
>    → No duplication observed.
>
> (Example OpenFlow outputs and logical_flow outputs included below.)
>
> Observations
>
> - The same cookie (e.g., 0x3d62e572) shows up multiple times when both
>   sampling rules are active.

As mentioned above, I don't think this is an issue. A single logical flow (cookie) can generate multiple flows.

> [...]
>
> Request for Clarification
>
> Based on the above, I would like to ask:
>
> - Is this duplicated sampling behavior expected when both inbound and
>   outbound ACLs sample?

From what you post below, you have only configured a single entry in the Sample table.

> (ovn-nb-db)[root@site2-osp-controller-01-2024 /]# ovn-nbctl --no-leader-only list sample
> _uuid      : 49d84040-1081-430a-be1b-a8dfbcbf6fe6
> collectors : [60407201-e6db-4719-9908-ea0dc53c64e4]
> metadata   : 456

The output of the "ACL" table is not listed but I assume you configured both ACLs to use the same entry in the Sample table. Since both ACLs are matched, generating duplicated samples is expected. One is saying that it matched the ingress ACL and the other says it matched the egress one. ACL sampling uses per-flow sampling and when two OFP flows are matched, their actions are not magically "de-duplicated".

> - If not expected, could this indicate a bug in how ovn-controller
>   generates OpenFlow rules under overlapping ACL sampling?
> - Are there any known workarounds?

If you want to distinguish both, you can create a new entry in the Sample table with a different metadata value and link each ACL to a different Sample entry.

Thanks.
Adrián
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
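As an added diagnostic (not code from the thread or from OVN), the following Python parses an `ovs-dpctl dump-flows` dump in the format quoted above and tells apart flows whose flow_sample actions repeat the same observation point (one shared Sample entry, so the IPFIX records cannot say which ACL matched) from flows sampled at distinct observation points (what separate Sample entries with different metadata produce). The dump text is constructed for the example, modelled on the quoted line.

```python
import re
from collections import Counter

# Constructed datapath flow dump, modelled on the ovs-dpctl output quoted in the thread.
# Flow 1: two flow_sample actions with the same obs point (one shared Sample entry).
# Flow 2: two flow_sample actions with different obs_point_id values (two Sample entries).
# Flow 3: no sampling at all.
SAMPLE_DUMP = """\
recirc_id(0x6b9d),in_port(9),ct_state(-new+est-rel+rpl-inv+trk),ct_mark(0x20020/0xff0031),eth_type(0x0800),ipv4(src=10.2.1.171,dst=10.2.2.88,proto=1,ttl=64,frag=no), packets:3298, bytes:323204, used:0.277s, actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=456,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=456,output_port=4294967295)),ct_clear,ct(zone=23),recirc(0x6b9e)
recirc_id(0x6b9d),in_port(9),ct_state(-new+est-rel+rpl-inv+trk),eth_type(0x0800),ipv4(src=10.2.1.171,dst=10.2.2.89,proto=1,ttl=64,frag=no), packets:10, bytes:980, used:0.100s, actions:userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=456,output_port=4294967295)),userspace(pid=4294967295,flow_sample(probability=65535,collector_set_id=2,obs_domain_id=33554449,obs_point_id=457,output_port=4294967295)),ct_clear,recirc(0x6b9e)
recirc_id(0x6b9d),in_port(9),eth_type(0x0800),ipv4(src=10.2.1.171,dst=10.2.2.90,proto=1,ttl=64,frag=no), packets:1, bytes:98, used:0.010s, actions:ct_clear,recirc(0x6b9e)
"""

FLOW_SAMPLE_RE = re.compile(r"flow_sample\(([^)]*)\)")


def observation_points(actions):
    """Return (collector_set_id, obs_domain_id, obs_point_id) for every flow_sample action."""
    points = []
    for body in FLOW_SAMPLE_RE.findall(actions):
        kv = dict(item.split("=", 1) for item in body.split(","))
        points.append((kv["collector_set_id"], kv["obs_domain_id"], kv["obs_point_id"]))
    return points


def classify_dump(dump):
    """Map each flow's match key to 'none', 'single', 'distinct' or 'duplicate'."""
    result = {}
    for line in dump.splitlines():
        if "actions:" not in line:
            continue
        # The match key is everything before the per-flow statistics.
        flow_key = line.split(", packets:", 1)[0]
        points = observation_points(line.split("actions:", 1)[1])
        if not points:
            result[flow_key] = "none"
        elif len(points) == 1:
            result[flow_key] = "single"
        elif max(Counter(points).values()) > 1:
            # Same obs point emitted twice: records are indistinguishable.
            result[flow_key] = "duplicate"
        else:
            result[flow_key] = "distinct"
    return result


def duplicate_flows(dump):
    """Match keys of flows that sample the same observation point more than once."""
    return [key for key, kind in classify_dump(dump).items() if kind == "duplicate"]


if __name__ == "__main__":
    for key, kind in classify_dump(SAMPLE_DUMP).items():
        print(f"{kind:9s} {key}")
```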