Bug 1812820
| Summary: | [OVN 2.12] config the ip.dst==x.x.x.1/24 of acl, it doesn't work | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | ying xu <yinxu> |
| Component: | ovn2.13 | Assignee: | Dumitru Ceara <dceara> |
| Status: | CLOSED ERRATA | QA Contact: | ying xu <yinxu> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | FDP 20.A | CC: | ctrautma, dceara, fiezzi, jishi, mmichels, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-27 09:49:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
ying xu
2020-03-12 09:42:03 UTC
Fix committed upstream: https://github.com/ovn-org/ovn/commit/2104f67aacd62f62a31f4e23a6720aeeaa751154
It will be available in upstream release v20.09.0. I verified on version:
```
# rpm -qa|grep ovn
ovn2.13-host-20.09.0-2.el8fdp.x86_64
ovn2.13-20.09.0-2.el8fdp.x86_64
ovn2.13-central-20.09.0-2.el8fdp.x86_64

# ovn-nbctl show
switch 8efe6b48-e9f6-46d9-bec1-4d82d3322390 (ls)
    port vm1
        addresses: ["00:00:00:00:00:01"]
    port vm3
        addresses: ["00:00:00:00:00:03"]
    port vm2
        addresses: ["00:00:00:00:00:02"]

# ovn-nbctl list acl
_uuid               : 43bb3e91-e16d-4789-99d7-7c55392bec76
action              : drop
direction           : to-lport
external_ids        : {}
log                 : false
match               : "ip4 && ip4.src == 42.42.42.3/24 && sctp && sctp.dst == 2349"
meter               : []
name                : []
priority            : 800
severity            : []

# ip netns exec vm2 ncat --sctp 42.42.42.1 2349 < /tmp/send.pkt      ----------- vm2 src is 42.42.42.2
# ip netns exec vm3 ncat --sctp 42.42.42.1 2349 < /tmp/send.pkt      ----------- vm3 src is 42.42.42.3

# tcpdump -r acl3.pcap -nnle | grep "COOKIE ECHO" | grep "42.42.42.2.*42.42.42.1.2349"      ----------- no packet from 42.42.42.2
reading from file acl3.pcap, link-type LINUX_SLL (Linux cooked v1)
dropped privs to tcpdump

# tcpdump -r acl4.pcap -nnle | grep INIT | grep "42.42.42.3.*42.42.42.1.2349"      ----------- no packet from 42.42.42.3
reading from file acl4.pcap, link-type LINUX_SLL (Linux cooked v1)
dropped privs to tcpdump
```
Another scenario:

```
# ovn-nbctl show
switch 98843701-1c5f-4aa7-be5a-df75d23ef162 (ls3)
    port ls3-rtr
        type: router
        addresses: ["00:00:00:00:03:00"]
        router-port: rtr-ls3
    port vm3
        addresses: ["00:00:00:00:00:03"]
switch 6343a0af-a1bd-4e7c-80a9-ad7ab5d4e185 (ls2)
    port vm2
        addresses: ["00:00:00:00:00:02"]
    port ls2-rtr
        type: router
        addresses: ["00:00:00:00:02:00"]
        router-port: rtr-ls2
switch d34a1907-27b5-4c49-b0ba-85a226a3b6c2 (ls)
    port vm1
        addresses: ["00:00:00:00:00:01"]
    port ls-rtr
        type: router
        addresses: ["00:00:00:00:01:00"]
        router-port: rtr-ls
router f9204aaf-4df3-4abf-a3bb-c2319f4b3ae5 (rtr)
    port rtr-ls2
        mac: "00:00:00:00:02:00"
        networks: ["2002::1/64", "77.77.77.1/24"]
    port rtr-ls3
        mac: "00:00:00:00:03:00"
        networks: ["2003::1/64", "66.66.66.1/24"]
    port rtr-ls
        mac: "00:00:00:00:01:00"
        networks: ["2000::1/64", "42.42.42.1/24"]

# ovn-nbctl list Logical_Router_Policy
_uuid               : 5932b00d-bab2-4651-9849-753c18c5a68a
action              : drop
external_ids        : {}
match               : "ip6 && ip6.src == 2003::2/64"
nexthop             : []
options             : {}
priority            : 3000

_uuid               : 732c9dea-9259-419f-b4b7-5974161ed664
action              : drop
external_ids        : {}
match               : "ip4 && ip4.src == 66.66.66.2/24"
nexthop             : []
options             : {}
priority            : 3000

# ip netns exec vm3 ping 77.77.77.2 -c 3      ----------- vm3 src is 66.66.66.2
PING 77.77.77.2 (77.77.77.2) 56(84) bytes of data.      ----------- ping failed

--- 77.77.77.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 70ms
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4356
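As an added check (not code from the bug report or from OVN itself), the following Python applies the masked-address semantics the verification above relies on, where 42.42.42.3/24 covers the whole 42.42.42.0/24 so both vm2 and vm3 hit the drop rule, and it flags rules whose prefix has host bits set, since such a rule reads like a single host but matches the whole subnet. The match strings are copied from the ACL and Logical_Router_Policy rows above; the packets are constructed to mirror the reporter's tests, and only the address terms of each match are interpreted.

```python
import ipaddress
import re

# Address terms of an OVN match string, e.g. "ip4.src == 42.42.42.3/24".
# Only these are interpreted; "ip4", "sctp" and "sctp.dst == 2349" are ignored here.
ADDR_TERM = re.compile(r"(ip[46]\.(?:src|dst))\s*==\s*([0-9a-fA-F.:]+)(?:/(\d+))?")

def address_terms(match):
    """Return [(field, network)] for each address term. strict=False applies the
    mask, so 42.42.42.3/24 becomes 42.42.42.0/24, the whole-prefix behaviour the
    fixed OVN shows above (both vm2 and vm3 hit the drop ACL)."""
    return [(field, ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False))
            for field, addr, plen in ADDR_TERM.findall(match)]

def host_bits_set(match):
    """Flag address terms whose host bits are non-zero (e.g. 42.42.42.3/24):
    the rule reads like a single host but covers the whole prefix."""
    flagged = []
    for field, addr, plen in ADDR_TERM.findall(match):
        if plen:
            net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            if ipaddress.ip_address(addr) != net.network_address:
                flagged.append(f"{field} == {addr}/{plen} -> {net}")
    return flagged

def matches(match, packet):
    """True if every address term in `match` covers the packet's field value."""
    for field, net in address_terms(match):
        value = packet.get(field)
        if value is None or ipaddress.ip_address(value) not in net:
            return False
    return True

def dropped_by(match, packets):
    """Names of the packets a drop rule with this match would hit."""
    return sorted(name for name, pkt in packets.items() if matches(match, pkt))

# Matches copied from the bug's ACL and Logical_Router_Policy rows.
ACL_MATCH = "ip4 && ip4.src == 42.42.42.3/24 && sctp && sctp.dst == 2349"
POLICY_V4 = "ip4 && ip4.src == 66.66.66.2/24"
POLICY_V6 = "ip6 && ip6.src == 2003::2/64"

# Constructed flows mirroring the reporter's tests (vm2/vm3 to 42.42.42.1, vm3 to 77.77.77.2).
PACKETS = {
    "vm2->vm1": {"ip4.src": "42.42.42.2", "ip4.dst": "42.42.42.1"},
    "vm3->vm1": {"ip4.src": "42.42.42.3", "ip4.dst": "42.42.42.1"},
    "vm3->77.77.77.2": {"ip4.src": "66.66.66.2", "ip4.dst": "77.77.77.2"},
}
```

Running `host_bits_set` over every ACL and policy match in the northbound database is a cheap way to find rules whose intent (one host or the whole prefix) should be confirmed with their author.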