[ovs-dev] [ovs-discuss] [PATCH] secchan: Avoid sending NetFlow packets for empty flows.

Ben Pfaff blp at nicira.com
Mon Aug 31 20:01:36 UTC 2009


Sure, absolutely true.

The part about Reid's earlier report to me (over IM) that sounded
like a bug was that (it sounded like) the flows were taking
longer to expire than they should have.

Jesse Gross <jesse at nicira.com> writes:

> This doesn't sound like a bug to me.  If you are doing a port scan or
> similar activity that only sends one packet per flow, you'll see this
> behavior.
>
> In this situation each packet won't match an existing flow so it will
> get sent up to userspace, which will then process and send the packet.
> After sending the packet it will install a flow in the kernel, which
> will never get used since the packet was already sent.  ofctl should
> have the correct stats but dpctl will have a bunch of unused flows as
> described.
>
> This change won't hide port scans, since netconf runs in userspace and
> therefore has the correct stats for flows.
>
> Ben Pfaff wrote:
>> This particular change should only affect netflow.
>>
>> I know that you mentioned the many used:never flows earlier in
>> IM.  Did you ever file a bug report on that?  It sounds like
>> something that we should try to understand, although it may or
>> may not be actually a bug.
>>
>> <reid at nicira.com> writes:
>>
>>> Silly question,
>>> Does this have the side-effect of glossing over port-scan-like activity?  I
>>> know my dpctl dump-flows has had dozens of thousands of flows that have
>>> used:'never', due to hpinging, but perhaps that was related to recently
>>> resolved bugs.
>>>
>>>   -Reid
>>>
>>> On Fri, 28 Aug 2009 15:08:00 -0700, Peter Balland <peter at nicira.com> wrote:
>>>> Seems like a perfectly reasonable check to me.
>>>>
>>>> Peter
>>>>
>>>> Ben Pfaff wrote:
>>>>> There is no value in sending out NetFlow messages when the byte counter
>>>>> (hence, packet counter) is 0.  This does not often happen, but it can in
>>>>> corner cases where a flow gets installed but never sees any traffic before
>>>>> it is uninstalled.
>>>>>
>>>>> CC: Peter Balland <peter at nicira.com>
>>>>> ---
>>>>>  secchan/ofproto.c |    2 +-
>>>>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>>>>
>>>>> diff --git a/secchan/ofproto.c b/secchan/ofproto.c
>>>>> index efa5c9b..b3fef1b 100644
>>>>> --- a/secchan/ofproto.c
>>>>> +++ b/secchan/ofproto.c
>>>>> @@ -1696,7 +1696,7 @@ rule_post_uninstall(struct ofproto *ofproto,
>>>>>         
>>>> struct rule *rule)
>>>>       
>>>>>      struct rule *super = rule->super;
>>>>>
>>>>>      rule_account(ofproto, rule, 0);
>>>>> -    if (ofproto->netflow) {
>>>>> +    if (ofproto->netflow && rule->byte_count) {
>>>>>          struct ofexpired expired;
>>>>>          expired.flow = rule->cr.flow;
>>>>>          expired.packet_count = rule->packet_count;
>>>>>         
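Review bot: the new guard tests rule->byte_count, while the commit message reasons about the byte counter only as a proxy for the packet counter, and the record assembled two lines later carries rule->packet_count; testing `rule->packet_count` would state the intent ("this flow never matched a packet") directly instead of relying on the byte/packet equivalence. Either form is correct, since a matched packet always contributes nonzero bytes. A one-line comment on the condition explaining why zero-count flows are skipped would also help, because the check is only meaningful if the preceding `rule_account(ofproto, rule, 0);` is what refreshes the counters before they are examined, and a later reordering of those lines would silently leave the test looking at stale counts.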
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss at openvswitch.org
>>>> http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org