.. contents:: Table of Contents

https://git.opendaylight.org/gerrit/#/q/topic:acl-stats
This feature provides additional operational support for ACL through statistical counters.
ACL rules provide security to VMs by filtering packets in either direction (ingress/egress).
Using OpenFlow statistical counters, ODL will provide additional information on the number of
packets dropped by the ACL rules. This information is made available to the operator "on demand".

Drop statistics will be provided for the cases below:

* Packets dropped due to ACL rules
* Packets dropped due to INVALID state. The INVALID state means that the packet can't be identified
  or that it does not have any state. This may be due to several reasons, such as the system
  running out of memory or ICMP error messages that do not respond to any known connections.

The packet drop information provided through the statistical counters enables operators to
troubleshoot any misbehavior and take appropriate actions through automated or manual
Collection and retrieval of information on the number of packets dropped by the SG rules

* Done for all (VM) ports in which SG is configured
* Flow statistical counters (in OpenFlow) are used for this purpose
* The information in these counters is made available to the operator, on demand, through an API

This feature will only be supported with Stateful ACL mode.

With only ACL support, operators would not be able to tell how many packets were dropped by ACL rules.
This planned enhancement addresses that limitation in the ACL module.

Collection and retrieval of information on the number of packets dropped by the ACL rules

* Done for all (VM) ports in which ACL is configured
* The information in these counters is made available to the operator, on demand, through an API
* Service Orchestrator/operator can also selectively specify ports where ACL rules are configured
The current Stateful ACL implementation has drop flows for all ports combined per device. This needs
to be modified to have drop flows for each of the OF ports connected to VMs (Neutron ports).

With the current implementation, the drop flows are as below::

    cookie=0x6900000, duration=938.964s, table=252, n_packets=0, n_bytes=0, priority=62020,
    ct_state=+inv+trk actions=drop

    cookie=0x6900000, duration=938.969s, table=252, n_packets=0, n_bytes=0, priority=50,
    ct_state=+new+trk actions=drop

To support per-port dropped-packet statistics, ACL will be updated to replace the flows above with
new DROP flows that match the lport tag in metadata, one pair for each VM (Neutron port) being
added to OVS, as specified below::

    cookie=0x6900001, duration=938.964s, table=252, n_packets=0, n_bytes=0, priority=62015,
    metadata=0x10000000000/0xffffff0000000000, ct_state=+inv+trk actions=drop

    cookie=0x6900001, duration=938.969s, table=252, n_packets=0, n_bytes=0, priority=50,
    metadata=0x10000000000/0xffffff0000000000, ct_state=+new+trk actions=drop

The drop flow details explained above are for the pipeline egress direction. For the ingress side,
similar drop flows would be added with ``table=41``.

Also, a new cookie value ``0x6900001`` is added to the drop flows to identify them uniquely, and
priority ``62015`` is used for the +inv+trk flows to give higher priority to the +est and +rel
Drop packets statistics support
-------------------------------
The ODL Controller will be updated to provide a new RPC/NB REST API ``<get-acl-port-statistics>`` in
the ACL module with ``ACL Flow Stats Request`` and ``ACL Flow Stats Response`` messages. This RPC/API
will retrieve details of packets dropped by Security Group rules for all the Neutron ports
specified as part of ``ACL Flow Stats Request``. The (instantaneous) information received in the
OF reply message is formatted as an ``ACL Flow Stats Response`` message before being sent as a
response towards the NB.

The ``<get-acl-port-statistics>`` RPC/API implementation triggers the
``opendaylight-direct-statistics:get-flow-statistics`` request of the OFPlugin towards OVS to get the
flow statistics of the ACL tables (ingress / egress) for the required ports.
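To show how the per-port drop flows described above map onto the per-interface, per-direction counters the RPC returns, here is an added example (not ODL or NetVirt code): it parses a constructed ``ovs-ofctl dump-flows`` style dump, keys drop flows by the lport tag taken from the metadata value/mask, derives the direction from table 41/252, and splits +inv+trk from +new+trk counts. The ``drop-count`` leaf name for rule drops is an assumption; the page itself shows only ``invalid-drop-count``.

```python
import re
from collections import defaultdict

# Constructed sample in "ovs-ofctl dump-flows" format, modelled on the per-port DROP flows
# (cookie 0x6900001, lport tag in metadata); counters are made up. The last line is an old
# per-device drop flow (cookie 0x6900000) that must not be attributed to any port.
SAMPLE_FLOWS = """\
cookie=0x6900001, duration=938.964s, table=252, n_packets=168, n_bytes=16464, priority=62015, metadata=0x10000000000/0xffffff0000000000, ct_state=+inv+trk actions=drop
cookie=0x6900001, duration=938.969s, table=252, n_packets=2, n_bytes=196, priority=50, metadata=0x10000000000/0xffffff0000000000, ct_state=+new+trk actions=drop
cookie=0x6900001, duration=938.964s, table=41, n_packets=1064, n_bytes=104272, priority=62015, metadata=0x20000000000/0xffffff0000000000, ct_state=+inv+trk actions=drop
cookie=0x6900001, duration=938.969s, table=41, n_packets=18, n_bytes=1764, priority=50, metadata=0x20000000000/0xffffff0000000000, ct_state=+new+trk actions=drop
cookie=0x6900000, duration=938.964s, table=252, n_packets=7, n_bytes=700, priority=62020, ct_state=+inv+trk actions=drop
"""

DROP_COOKIE = 0x6900001                  # cookie of the new per-port drop flows
LPORT_TAG_MASK = 0xFFFFFF0000000000      # metadata mask that carries the lport tag
LPORT_TAG_SHIFT = 40                     # position of the mask's lowest set bit
TABLE_DIRECTION = {41: "ingress", 252: "egress"}
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs of one dump-flows line


def lport_tag(metadata_field):
    """Return the lport tag from 'value/mask', or None if the mask is not the lport-tag mask."""
    value, _, mask = metadata_field.partition("/")
    if int(mask or "0", 16) != LPORT_TAG_MASK:
        return None
    return (int(value, 16) & LPORT_TAG_MASK) >> LPORT_TAG_SHIFT


def _empty_counts():
    # "drop-count" (rule drops) is an assumed leaf name; the spec shows only "invalid-drop-count".
    return {"packets": {"drop-count": 0, "invalid-drop-count": 0},
            "bytes": {"drop-count": 0, "invalid-drop-count": 0}}


def drop_stats(dump):
    """Aggregate per-port drop counters: {lport_tag: {direction: {"packets": .., "bytes": ..}}}."""
    stats = defaultdict(lambda: defaultdict(_empty_counts))
    for line in dump.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if int(fields.get("cookie", "0"), 16) != DROP_COOKIE or "metadata" not in fields:
            continue                      # not one of the per-port drop flows
        direction = TABLE_DIRECTION.get(int(fields["table"]))
        tag = lport_tag(fields["metadata"])
        if direction is None or tag is None:
            continue                      # not an ACL table, or not an lport-tag match
        bucket = "invalid-drop-count" if "+inv" in fields.get("ct_state", "") else "drop-count"
        stats[tag][direction]["packets"][bucket] += int(fields["n_packets"])
        stats[tag][direction]["bytes"][bucket] += int(fields["n_bytes"])
    return stats
```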
The ACL Flow Stats Request/Response messages are explained in subsequent sections.

No changes are needed in the OF pipeline, but the new flows specified in the section above are added
for each Neutron port being added.

A new YANG file will be created with the RPC specified below:
.. code-block:: yang
   :caption: acl-live-statistics.yang

   module acl-live-statistics {
   namespace "urn:opendaylight:netvirt:acl:live:statistics";
   import ietf-interfaces {prefix if;}
   import aclservice {prefix aclservice; revision-date "2016-06-08";}
   description "YANG model describes RPC to retrieve ACL live statistics.";
   revision "2016-11-29" {
   description "Initial revision of ACL live statistics";
   grouping acl-drop-counts {
   description "Packets/Bytes dropped by ACL rules";
   leaf invalid-drop-count {
   description "Packets/Bytes identified as invalid";
   grouping acl-stats-output {
   description "Output for ACL port statistics";
   list acl-interface-stats {
   key "interface-name";
   leaf interface-name {
   path "/if:interfaces/if:interface/if:name";
   list acl-drop-stats {
   base "aclservice:direction-base";
   uses acl-drop-counts;
   uses acl-drop-counts;
   grouping acl-stats-input {
   description "Input parameters for ACL port statistics";
   base "aclservice:direction-base";
   leaf-list interface-names {
   path "/if:interfaces/if:interface/if:name";
   max-elements "unbounded";
   rpc get-acl-port-statistics {
   description "Get ACL statistics for given list of ports";
   uses acl-stats-input;
   uses acl-stats-output;
---------------------
No configuration parameters are added or deprecated for this feature.

Clustering considerations
-------------------------
No additional changes are required, as only one RPC is being supported as part of

Other Infra considerations
--------------------------

Security considerations
-----------------------

Scale and Performance Impact
----------------------------

A dispatcher-table-based approach (table 17 and table 220) to querying the dropped-packet count was
considered, i.e. deriving the dropped-packet count by the rule below:

**<total packets entered ACL tables> - <total packets entered subsequent service>**

This approach was not selected, as it only provides the total per-port count of packets dropped by ACL
services and does not indicate whether a packet was dropped by ACL rules or for some other

odl-netvirt-openstack
The following API gets ACL statistics for a given list of ports.

**URI**: /operations/acl-live-statistics:get-acl-port-statistics

================= =================== ================================= ==============
Parameter         Type                Possible Values                   Comments
================= =================== ================================= ==============
"direction"       Enum                ingress/egress/both               Required
"interface-names" Array [UUID String] [<UUID String>,<UUID String>,.. ] Required (1,N)
================= =================== ================================= ==============

::

    "4ae8cd92-48ca-49b5-94e1-b2921a2661c5",
    "6c53df3a-3456-11e5-a151-feff819cdc9f"

**Possible Responses**:

::

    "interface-name": "4ae8cd92-48ca-49b5-94e1-b2921a2661c5",
    "direction": "ingress",
    "invalid-drop-count": "0",
    "invalid-drop-count": "0",
    "direction": "egress",
    "invalid-drop-count": "168",
    "invalid-drop-count": "2",
    "interface-name": "6c53df3a-3456-11e5-a151-feff819cdc9f",
    "direction": "ingress",
    "invalid-drop-count": "1064",
    "invalid-drop-count": "18",
    "direction": "egress",
    "invalid-drop-count": "462",
    "invalid-drop-count": "11",

**RPC Success (with error for one of the interfaces)**:

::

    "interface-name": "4ae8cd92-48ca-49b5-94e1-b2921a2661c5",
    "direction": "ingress",
    "invalid-drop-count": "0",
    "invalid-drop-count": "0",
    "direction": "egress",
    "invalid-drop-count": "168",
    "invalid-drop-count": "2",
    "interface-name": "6c53df3a-3456-11e5-a151-feff819cdc9f",
    "error-message": "Interface not found in datastore."

The possible error messages for an interface are:

(a) "Interface not found in datastore."
(b) "Failed to find device for the interface."
(c) "Unable to retrieve drop counts due to error: <<error message>>"
(d) "Unable to retrieve drop counts as interface is not configured for statistics collection."
(e) "Operation not supported for ACL <<Stateless/Transparent/Learn>> mode"
No CLI is being added for this feature.

#. Adding new drop rules per port (in table 41 and 252)
#. Supporting the new RPC

This doesn't add any new dependencies.

This feature depends on the bug below reported in the OF Plugin:

`Bug 7232 - Problem observed with "get-flow-statistics" RPC call <https://bugs.opendaylight.org/show_bug.cgi?id=7232>`__

The following test cases will need to be added or expanded:

#. Verify ACL STAT RPC with single Neutron port
#. Verify ACL STAT RPC with multiple Neutron ports
#. Verify ACL STAT RPC with invalid Neutron port
#. Verify ACL STAT RPC with mode set to "transparent/learn/stateless"

Also, existing unit tests will be updated to include the new drop flows.

Integration tests will be added once the IT framework is ready.

The following test cases will need to be added or expanded:

#. Verify ACL STAT RPC with single Neutron port with different directions (ingress, egress, both)
#. Verify ACL STAT RPC with multiple Neutron ports with different
   directions (ingress, egress, both)
#. Verify ACL STAT RPC with invalid Neutron port
#. Verify ACL STAT RPC with combination of valid and invalid Neutron ports
#. Verify ACL STAT RPC with combination of Neutron ports with few having port-security-enabled as
   true and others having false

This will require changes to the User Guide, which needs to be updated with details about the new RPC
being supported and about its REST usage.

This work is licensed under a Creative Commons Attribution 3.0 Unported License.
http://creativecommons.org/licenses/by/3.0/legalcode