Bug 1955161
| Summary: | OVN Expression parser generates repeated conjunctions | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Mark Michelson <mmichels> |
| Component: | OVN | Assignee: | OVN Team <ovnteam> |
| Status: | CLOSED ERRATA | QA Contact: | Ehsan Elahi <eelahi> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | FDP 21.D | CC: | ctrautma, dcbw |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ovn2.13-20.12.0-119 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-21 14:44:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1953613 | ||
|
Description
Mark Michelson
2021-04-29 14:53:03 UTC
v2 posted: http://patchwork.ozlabs.org/project/ovn/patch/20210506204922.2287892-1-mmichels@redhat.com/ Updating to MODIFIED and updating fixed-in version to ovn2.13-20.12.0-119 Reproduced in:
[root@dell-per740-30 ~]# rpm -qa | grep ovn2.13
ovn2.13-20.12.0-118.el8fdp.x86_64
ovn2.13-central-20.12.0-118.el8fdp.x86_64
ovn2.13-host-20.12.0-118.el8fdp.x86_64
The topo I used is:
vm1---42.42.42.2---LS1---42.42.42.1----RTR----66.66.66.1----LS3----66.66.66.2----vm3
|
77.77.77.1
|
LS2----77.77.77.2 ----vm2
Policy setting used is:
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"(ip4.dst == 77.77.77.2/32) && ip4.src =={42.42.42.2/32,42.42.42.3/32} && ip4.dst != 66.66.66.2/32\"" action=allow -- add logical_router $uuid policies @logical_router_policy
[root@dell-per740-30 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_dst=77.77.77.2 actions=conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2)
cookie=0xde1f257c, duration=31.520s, table=20, n_packets=3, n_bytes=294, idle_age=22, priority=9999,conj_id=2,ip,metadata=0x1 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3 actions=conjunction(2,2/2)
cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2 actions=conjunction(2,2/2)
<==== multiple conjunctions created
Verified in:
[root@dell-per740-81 ~]# rpm -qa | grep ovn2.13
ovn2.13-20.12.0-120.el8fdp.x86_64
ovn2.13-central-20.12.0-120.el8fdp.x86_64
ovn2.13-host-20.12.0-120.el8fdp.x86_64
same policy seeting
[root@dell-per740-81 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x5de3a816, duration=28.052s, table=20, n_packets=3, n_bytes=294, idle_age=3, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
cookie=0x5de3a816, duration=28.052s, table=20, n_packets=0, n_bytes=0, idle_age=28, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
<==== No conjunction seen
Then if remove the positive ip4.dst match, conjunctive match created:
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"ip4.src =={42.42.42.2/32,42.42.42.3/32} && ip4.dst != 66.66.66.2/32\"" action=allow -- add logical_router 3e08bc1e-63a0-435c-b1de-548cc444aa50 policies @logical_router_policy
[root@dell-per740-81 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x0, duration=16.726s, table=20, n_packets=0, n_bytes=0, idle_age=16, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.64/0.0.0.64 actions=conjunction(2,1/2)
cookie=0x0, duration=16.726s, table=20, n_packets=0, n_bytes=0, idle_age=16, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.64.0.0 actions=conjunction(2,1/2)
.....
Verified on:
[root@dell-per740-30 ~]# rpm -qa | grep ovn
ovn2.13-20.12.0-135.el8fdp.x86_64
ovn2.13-central-20.12.0-135.el8fdp.x86_64
ovn2.13-host-20.12.0-135.el8fdp.x86_64
topo I used is:
vm1---42.42.42.2---LS1---42.42.42.1----RTR----66.66.66.1----LS3----66.66.66.2----vm3
|
77.77.77.1
|
LS2----77.77.77.2 ----vm2
Policy setting used is:
ovn-nbctl create Address_Set name=myset addresses="42.42.42.2/32 42.42.42.3/32 42.42.42.4/32"
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"(ip4.dst == 77.77.77.2/32) && ip4.src ==\$myset && ip4.dst != 66.66.0.0/16\"" action=allow -- add logical_router $rtr_uuid policies @logical_router_policy
[root@dell-per740-30 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=3, n_bytes=294, idle_age=17, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=0, n_bytes=0, idle_age=30, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=0, n_bytes=0, idle_age=30, priority=9999,ip,metadata=0x1,nw_src=42.42.42.4,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
<======= No conjunctive matches found
Removing positive ip4.dst, conjunctive matches created:
ovn-nbctl lr-policy-del rtr 9999
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"ip4.src ==\$myset && ip4.dst != 66.66.0.0/16\"" action=allow -- add logical_router 0c73a602-d9e8-461c-9434-46722f8fbfd5 policies @logical_router_policy
ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.64.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=1.0.0.0/1.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=8.0.0.0/8.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2 actions=conjunction(3,2/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3 actions=conjunction(3,2/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.4 actions=conjunction(3,2/2)
cookie=0x5fb45c8a, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,conj_id=3,ip,metadata=0x1 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.2.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.128.0.0/0.128.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=32.0.0.0/32.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/64.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=128.0.0.0/1 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/2.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.32.0.0/0.32.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=16.0.0.0/16.0.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.16.0.0/0.16.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.4.0.0/0.4.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.1.0.0/0.1.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.8.0.0/0.8.0.0 actions=conjunction(3,1/2)
cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=4.0.0.0/4.0.0.0 actions=conjunction(3,1/2)
<============== conjunctive matched found as expected
Also verified on:
[root@dell-per740-81 ~]# rpm -qa |grep ovn
ovn2.13-central-20.12.0-135.el7fdp.x86_64
ovn2.13-20.12.0-135.el7fdp.x86_64
ovn2.13-host-20.12.0-135.el7fdp.x86_64
AND
[root@dell-per730-40 ~]# rpm -qa |grep ovn
ovn-2021-21.03.0-40.el8fdp.x86_64
ovn-2021-central-21.03.0-40.el8fdp.x86_64
ovn-2021-host-21.03.0-40.el8fdp.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2507 |