From patchwork Tue Aug 6 09:44:42 2024
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Tue, 6 Aug 2024 11:44:42 +0200
Message-ID: <20240806094451.730622-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn v6 0/9] Add ACL Sampling using per-flow IPFIX.
X-Patchwork-Id: 1969399

This series adds support for sampling packets processed by ACLs by using per-flow IPFIX.
This new feature allows users to configure (potentially) different sampling options for ACL matched traffic that creates new connections or that is forwarded on existing connections.

This work is based on Adrian's original RFC:
https://patchwork.ozlabs.org/project/ovn/cover/20221018155936.1394396-1-amorenoz@redhat.com/

In order for the whole feature to work properly some prerequisite work is done:
- patch 1: fixes the QoS logical flow documentation. This is needed because the sampling patches need to insert new tables and numbers were inconsistent.
- patch 2: fixes a bug in the way ACLs with labels are processed when the switches also have load balancers configured.

The feature itself is implemented by the last 3 patches:
- patch 3: adds support for users to configure different types of sampling applications (drop debug, acl-new-traffic, acl-established-traffic)
- patch 4: combines the already existing drop debug sampling configuration with the new sampling application configuration (giving priority to the latter)
- patch 5: adds sampling support to ACLs

Patches 6-9 implement an optimization and reduce the number of logical and OpenFlow rules for the case when sampling is enabled for ACLs with a single collector (the common case). This optimization requires the recently added OVS support for sampling with observation IDs passed directly from fields [0].

[0] https://github.com/openvswitch/ovs/commit/1aa9e137fe36a810271415d79735dedfedfc9f6e

Changes in V6:
- Addressed (some) review comments from Ilya (individual changes listed in each patch). Most important changes:
  - Changed sample_collector schema to add unique ID (4 bit): this fixes the case with multiple probabilities per set_id and reduces the number of register and ct-mark bits used.
  - Made Sample table non-root (this needs changes to ovn-nbctl acl-add command too).
- Not addressed review comments:
  - Didn't use the single collector per sample_config type suggestion because OVN-K8s needs the flexibility of using different collectors (or multiple collectors) per ACL.
- Fixed a bug with sampling on to-lport ACLs when they're hit in the egress pipeline towards logical routers.

Changes in V5:
- Addressed review comments from Numan and Ilya (individual changes listed in each patch). The most important change is the NB.Sampling_App 'name' column change to 'type' along with shortening of the strings representing allowed app types.

Changes in V4:
- Addressed review comments from Mark, Ales and Numan (individual changes listed in each patch).
- Dropped first 4 patches of V3 because they were already accepted.
- Added a first 1/5 patch to fix documentation that I needed to touch too.
- Added Ales as co-author of patch 5, he provided most of the incremental changes that were added to that patch in v4.
- Included Ales' patches (6-9) to reduce the number of sampling flows when the underlying OVS instance supports sampling with IDs taken from fields (or registers).

Changes in V3:
- Addressed Ilya's comment and bumped NB schema version on patch 8. I didn't bump it on patch 6 too because I don't think these two commits will ever be separated in different releases.

Changes in V2:
- Addressed Adrian's comments on patch 8.
- Fixed unit test failure in patch 2.

Adrian Moreno (1):
  northd: Add ACL Sampling.

Ales Musil (4):
  features: Make querying of OpenFlow features more versatile.
  features: Add detection for sample with registers.
  actions: Add support for sample with register.
  northd: Allow flow simplification for ACL sampling.

Dumitru Ceara (4):
  northd: Fix up logical flow documentation for QoS.
  northd: Commit from-lport ACL label (and state) when LBs are used.
  northd: Add Sampling_App table.
  northd: Override NB_Global drop sampling id with Sampling_App config.

 NEWS                                   |   6 +
 controller/chassis.c                   |  15 +
 controller/lflow.h                     |  12 +-
 include/ovn/actions.h                  |  16 +-
 include/ovn/features.h                 |   5 +
 include/ovn/logical-fields.h           |   2 +
 lib/actions.c                          |  12 +-
 lib/features.c                         | 360 ++++++++---
 lib/logical-fields.c                   |  12 +
 lib/ovn-util.h                         |   2 +-
 northd/automake.mk                     |   2 +
 northd/debug.c                         |  12 +-
 northd/debug.h                         |   3 +-
 northd/en-global-config.c              |  41 +-
 northd/en-global-config.h              |   1 +
 northd/en-lflow.c                      |   5 +
 northd/en-sampling-app.c               | 117 ++++
 northd/en-sampling-app.h               |  51 ++
 northd/inc-proc-northd.c               |  11 +-
 northd/northd.c                        | 635 ++++++++++++++++++--
 northd/northd.h                        |  55 +-
 northd/ovn-northd.8.xml                | 157 +++--
 ovn-nb.ovsschema                       |  63 +-
 ovn-nb.xml                             |  96 +++
 tests/atlocal.in                       |   6 +
 tests/ovn-controller.at                | 168 +++--
 tests/ovn-macros.at                    |  14 +-
 tests/ovn-nbctl.at                     |  36 ++
 tests/ovn-northd.at                    | 795 +++++++++++++++++++++++--
 tests/ovn.at                           |  88 +-
 tests/system-common-macros.at          |  11 +
 tests/system-ovn.at                    | 475 ++++++++++++++-
 utilities/containers/fedora/Dockerfile |   1 +
 utilities/containers/ubuntu/Dockerfile |   1 +
 utilities/ovn-nbctl.8.xml              |   8 +-
 utilities/ovn-nbctl.c                  |  35 +-
 36 files changed, 2904 insertions(+), 425 deletions(-)
 create mode 100644 northd/en-sampling-app.c
 create mode 100644 northd/en-sampling-app.h

Acked-by: Mark Michelson