[ovs-dev] [ovs-discuss] [PATCH] secchan: Avoid sending NetFlow packets for empty flows.
Ben Pfaff
blp at nicira.com
Mon Aug 31 20:01:36 UTC 2009
Sure, absolutely true.
The part about Reid's earlier report to me (over IM) that sounded
like a bug was that (it sounded like) the flows were taking
longer to expire than they should have.
Jesse Gross <jesse at nicira.com> writes:
> This doesn't sound like a bug to me. If you are doing a port scan or
> similar activity that only sends one packet per flow, you'll see this
> behavior.
>
> In this situation each packet won't match an existing flow so it will
> get sent up to userspace, which will then process and send the packet.
> After sending the packet it will install a flow in the kernel, which
> will never get used since the packet was already sent. ofctl should
> have the correct stats but dpctl will have a bunch of unused flows as
> described.
>
> This change won't hide port scans, since netconf runs in userspace and
> therefore has the correct stats for flows.
>
> Ben Pfaff wrote:
>> This particular change should only affect netflow.
>>
>> I know that you mentioned the many used:never flows earlier in
>> IM. Did you ever file a bug report on that? It sounds like
>> something that we should try to understand, although it may or
>> may not be actually a bug.
>>
>> <reid at nicira.com> writes:
>>
>>
>>> Silly question,
>>> Does this have the side-effect of glossing over port-scan-like activity? I
>>> know my dpctl dump-flows has had dozens of thousands of flows that have
>>> used:'never', due to hpinging, but perhaps that was related to recently
>>> resolved bugs.
>>>
>>> -Reid
>>>
>>> On Fri, 28 Aug 2009 15:08:00 -0700, Peter Balland <peter at nicira.com> wrote:
>>>
>>>> Seems like a perfectly reasonable check to me.
>>>>
>>>> Peter
>>>>
>>>> Ben Pfaff wrote:
>>>>
>>>>> There is no value in sending out NetFlow messages when the byte counter
>>>>> (hence, packet counter) is 0. This does not often happen, but it can in
>>>>> corner cases where a flow gets installed but never sees any traffic before
>>>>> it is uninstalled.
>>>>>
>>>>> CC: Peter Balland <peter at nicira.com>
>>>>> ---
>>>>> secchan/ofproto.c | 2 +-
>>>>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>>>>
>>>>> diff --git a/secchan/ofproto.c b/secchan/ofproto.c
>>>>> index efa5c9b..b3fef1b 100644
>>>>> --- a/secchan/ofproto.c
>>>>> +++ b/secchan/ofproto.c
>>>>> @@ -1696,7 +1696,7 @@ rule_post_uninstall(struct ofproto *ofproto,
>>>>>
>>>> struct rule *rule)
>>>>
>>>>> struct rule *super = rule->super;
>>>>>
>>>>> rule_account(ofproto, rule, 0);
>>>>> - if (ofproto->netflow) {
>>>>> + if (ofproto->netflow && rule->byte_count) {
>>>>> struct ofexpired expired;
>>>>> expired.flow = rule->cr.flow;
>>>>> expired.packet_count = rule->packet_count;
>>>>>
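Review bot: the new guard at `+ if (ofproto->netflow && rule->byte_count) {` tests the byte counter, while the commit message reasons about the packet counter ("the byte counter (hence, packet counter) is 0") and the suppressed record is built from `rule->packet_count`; testing `rule->packet_count` directly would match both the message and the record, and if `byte_count` is the intended counter, a one-line comment on why zero bytes implies zero packets would save the next reader the question. It would also help to state in the commit message the point made later in the thread: the userspace rule, not the kernel flow, accounts the packet that caused the upcall, so a one-packet-per-flow scan still has non-zero counters here and its NetFlow expiry record is not dropped by this check.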
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss at openvswitch.org
>>>> http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
>>>>
>>
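The behaviour Jesse describes (a miss goes up to userspace, which forwards the packet and then installs a kernel flow that packet never traverses) and Reid's question about whether the patch hides scan-like traffic can both be checked against a small model of the two-level flow table. The following is an added example written for this page, not code from Open vSwitch or from anyone in the thread: `Switch`, `receive`, `install_idle`, `expire` and `scan` are invented names, the flow key and packet sizes are constructed, and `install_idle` stands in for whichever corner case installs a flow without a packet (the commit message does not say which).

```python
# Added example (not OVS code): a toy model of the two-level flow table the
# thread describes.  The kernel datapath is what "dpctl dump-flows" lists and
# the userspace ofproto table is what "ofctl dump-flows" lists.  Names such as
# Switch, receive(), install_idle(), expire() and scan() are invented here;
# only the behaviour mirrors the discussion.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]  # (src ip, dst ip, dst port): constructed key


@dataclass
class Counters:
    packet_count: int = 0
    byte_count: int = 0
    used: bool = False  # kernel flow only: any packet matched since install?


@dataclass
class Switch:
    kernel_flows: Dict[FlowKey, Counters] = field(default_factory=dict)
    rules: Dict[FlowKey, Counters] = field(default_factory=dict)
    netflow_records: List[Tuple[FlowKey, int, int]] = field(default_factory=list)
    skip_empty: bool = True  # models the patch's "&& rule->byte_count" guard

    def receive(self, key: FlowKey, length: int) -> str:
        """Deliver one packet; return which path forwarded it."""
        kf = self.kernel_flows.get(key)
        if kf is not None:
            # Fast path: the kernel flow matches, accounts and forwards.
            kf.packet_count += 1
            kf.byte_count += length
            kf.used = True
            return "kernel"
        # Miss: the packet goes up to userspace, which accounts it, sends it,
        # and only then installs a kernel flow, so this packet never hits it.
        rule = self.rules.setdefault(key, Counters())
        rule.packet_count += 1
        rule.byte_count += length
        self.kernel_flows[key] = Counters()
        return "userspace"

    def install_idle(self, key: FlowKey) -> None:
        """Constructed stand-in for the commit message's corner case: a flow
        that gets installed without any packet having been processed."""
        self.rules.setdefault(key, Counters())
        self.kernel_flows[key] = Counters()

    def expire(self, key: FlowKey) -> bool:
        """Uninstall a flow: fold the kernel counters into the userspace rule,
        then decide whether a NetFlow expiry record goes out.  Returns True
        if a record was emitted."""
        kf = self.kernel_flows.pop(key)
        rule = self.rules[key]
        rule.packet_count += kf.packet_count
        rule.byte_count += kf.byte_count
        if self.skip_empty and rule.byte_count == 0:
            return False  # nothing to report: the patch's early exit
        self.netflow_records.append((key, rule.packet_count, rule.byte_count))
        return True


def scan(sw: Switch, src: str, dst: str, ports: range, length: int = 40) -> dict:
    """One SYN per destination port, hping-style; report how each tier sees
    it and how many NetFlow records the expiries produce."""
    for port in ports:
        sw.receive((src, dst, port), length)
    # Snapshot the kernel view before expiring anything.
    unused = sum(1 for kf in sw.kernel_flows.values() if not kf.used)
    emitted = sum(1 for port in ports if sw.expire((src, dst, port)))
    return {
        "kernel_flows_used_never": unused,  # what dpctl dump-flows shows
        "ofproto_packets": sum(r.packet_count for r in sw.rules.values()),  # ofctl
        "netflow_records": emitted,
    }
```

Running `scan()` over 100 ports leaves 100 kernel flows with used:never while the userspace rules have counted 100 packets, and all 100 expiries still produce NetFlow records because the rule's counters are non-zero; only a flow created through `install_idle()` is suppressed by the guard, and the same flow emits a `(key, 0, 0)` record when `skip_empty=False`, which is the behaviour the patch removes.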