Question about filtering mirrored packets by TCP port in OVS bridge configuration #350

Open
dufanrong opened this issue Nov 27, 2024 · 5 comments

Comments

@dufanrong

I'm using Open vSwitch version 2.8.0-0091-24.07-based-3.3.0 and have configured packet mirroring on my bridge ovsbr1. The setup currently mirrors all packets from the pf0hpf port to sf88 on ovsbr1, which works as expected. Here's the configuration:

Bridge Configuration:

5f7e1b73-514b-4863-a3dc-807e45330b52
    Bridge ovsbr2
        Port ovsbr2
            Interface ovsbr2
                type: internal
        Port p1
            Interface p1
        Port en3f1pf1sf0
            Interface en3f1pf1sf0
        Port pf1hpf
            Interface pf1hpf
    Bridge ovsbr1
        Port ovsbr1
            Interface ovsbr1
                type: internal
        Port en3f0pf0sf88
            Interface en3f0pf0sf88
        Port p0
            Interface p0
        Port pf0hpf
            Interface pf0hpf
        Port en3f0pf0sf0
            Interface en3f0pf0sf0
    ovs_version: "2.8.0-0091-24.07-based-3.3.0"

Mirror Configuration:

ovs-vsctl -- --id=@p1 get port en3f0pf0sf88 \
            -- --id=@p2 get port pf0hpf \
            -- --id=@m create mirror name=m0 select-dst-port=@p2 output-port=@p1 \
            -- set bridge ovsbr1 mirrors=@m
ovs-vsctl list mirror
_uuid               : f171e0d3-7523-4d8f-8ad3-caaa786c288e
external_ids        : {}
name                : m0
output_port         : 678522e8-7a03-4310-a339-323339338f61
output_vlan         : []
select_all          : false
select_dst_port     : [88adc3e8-0514-4a9d-945e-3a169943af90]
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=66473765638, tx_packets=612819721}

This configuration successfully mirrors all packets from pf0hpf to sf88.

I would like to filter the mirrored packets so that only TCP packets with a specific port (e.g., TCP port 8080) are mirrored to sf88, rather than all packets from pf0hpf.

Is this kind of filtering supported in Open vSwitch, and if so, how can I configure it to only mirror packets that match a specific TCP port? I have searched through documentation but couldn't find relevant information on packet filtering for mirroring.

Thanks in advance for your help!

@igsilya
Member

igsilya commented Nov 27, 2024

I'm not sure what the 2.8.0-0091-24.07-based-3.3.0 version means. What distribution is it?

Anyways, there is a new feature in OVS 3.4 that allows setting a filter for a mirror in OpenFlow format, so you can do something like this:

ovs-vsctl set mirror m0 filter='"tcp,tcp_dst=8080"'

It's documented in the database man page here: https://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.html Though not very extensively.

If you need more complex filtering or need filtering in an older version of OVS, a better solution might be to modify your OpenFlow rules to direct traffic to a separate OpenFlow table before egressing a specific port. Then you could add any kind of OpenFlow rules to filter and send a copy of the packet on the other port.
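The separate-table approach described above, sketched as an added example that is not part of the thread or of the OVS project's own code. It assumes the bridge otherwise forwards with the NORMAL action and that traffic leaving pf0hpf is unicast to one host MAC; `HOST_MAC`, table number 10 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: filtered copy of egress traffic using a dedicated OpenFlow table.
BRIDGE=ovsbr1
SRC_PORT=pf0hpf               # port whose egress traffic is sampled
MIRROR_PORT=en3f0pf0sf88      # port that receives the copies
HOST_MAC=02:00:00:00:00:01    # constructed placeholder: MAC reached via pf0hpf
TCP_PORT=8080
TABLE=10                      # assumed to be an unused table

# gen_flows <src_ofport> <mirror_ofport>: print flows for `ovs-ofctl add-flows`.
gen_flows() {
    cat <<EOF
table=0,priority=100,dl_dst=${HOST_MAC},actions=resubmit(,${TABLE})
table=0,priority=0,actions=NORMAL
table=${TABLE},priority=100,tcp,tcp_dst=${TCP_PORT},actions=output:$1,output:$2
table=${TABLE},priority=0,actions=output:$1
EOF
}

# Look up the OpenFlow port number of an interface.
ofport() { ovs-vsctl get Interface "$1" ofport; }

apply_flows() {
    src=$(ofport "$SRC_PORT") || return 1
    dst=$(ofport "$MIRROR_PORT") || return 1
    # An unattached interface reports -1 or []; refuse to install flows then.
    for n in "$src" "$dst"; do
        case $n in
            ''|*[!0-9]*) echo "interface not attached: ofport=$n" >&2; return 1 ;;
        esac
    done
    # Drop the unfiltered mirror so matching packets are not copied twice.
    ovs-vsctl clear bridge "$BRIDGE" mirrors
    gen_flows "$src" "$dst" | ovs-ofctl add-flows "$BRIDGE" -
    # Show the installed filter table; n_packets shows what was copied.
    ovs-ofctl dump-flows "$BRIDGE" "table=${TABLE}"
}

if [ "${1:-}" = apply ]; then
    apply_flows
fi
```

Run it with `apply` as the first argument on the system that hosts the bridge; without the argument it only defines the functions.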


@amorenoz

If there is some entity inside Bluefield DPU creating the OpenFlow flows, you should probably add support to your filtering there.

@dufanrong
Author

> If there is some entity inside Bluefield DPU creating the OpenFlow flows, you should probably add support to your filtering there.

I understand, thank you!

@dufanrong
Author

> I'm not sure what the 2.8.0-0091-24.07-based-3.3.0 version means. What distribution is it?
>
> Anyways, there is a new feature in OVS 3.4 that allows setting a filter for a mirror in OpenFlow format, so you can do something like this:
>
> ovs-vsctl set mirror m0 filter='"tcp,tcp_dst=8080"'
>
> It's documented in the database man page here: https://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.html Though not very extensively.
>
> If you need more complex filtering or need filtering in an older version of OVS, a better solution might be to modify your OpenFlow rules to direct traffic to a separate OpenFlow table before egressing a specific port. Then you could add any kind of OpenFlow rules to filter and send a copy of the packet on the other port.

Thanks for the response!

I'm running Open vSwitch on a Bluefield2 DPU. When I installed the DPU system image, OVS was installed as part of the system. Running ovs-appctl --version outputs:

ovs-appctl (Open vSwitch) 2.8.0-0091-24.07-based-3.3.0

I believe the 3.3.0 version corresponds to the actual OVS version, while 2.8.0 refers to the version of the DPU system image.

Regarding your suggestion to modify OpenFlow rules to direct traffic to a separate table before exiting a specific port, could you please elaborate on this method? Specifically, I would like to know how I can configure the flow to direct traffic to a different OpenFlow table and then apply filters before mirroring the packets to another port. Any detailed steps or examples would be greatly appreciated!

Thanks again for your help!
