Bug 2215137
| Summary: | stateless traffic is sent to conntrack when LB is present | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Ihar Hrachyshka <ihrachys> |
| Component: | ovn22.12 | Assignee: | Dumitru Ceara <dceara> |
| Status: | CLOSED ERRATA | QA Contact: | ying xu <yinxu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | FDP 22.L | CC: | ctrautma, dceara, jiji, jishi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ovn22.12-22.12.0-94.el8fdp | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-06 20:05:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2214303 | | |

Comment 2
Ihar Hrachyshka
2023-06-20 16:29:57 UTC
There's already a build for this in brew.

ovn22.12 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2216315

Use this topo and config to test this bug:
```
# Logical network:
# One LR R1 with switches foo (192.168.1.0/24), bar (192.168.2.0/24),
#
# foo -- R1 -- bar
# ovn-nbctl show
switch 9f9d8463-f970-47e4-a232-8688e1b3a438 (foo)
    port foo1
        addresses: ["f0:00:00:01:02:03 192.168.1.2"]
    port rp-foo
        type: router
        router-port: foo
switch ca7616b3-b116-4ae4-a7e9-ac24ea3db536 (bar)
    port rp-bar
        type: router
        router-port: bar
    port bar1
        addresses: ["f0:00:00:01:02:04 192.168.2.2"]
router 8502a562-b934-43e5-8b79-b53bafb886d0 (R1)
    port bar
        mac: "00:00:01:01:02:04"
        networks: ["192.168.2.1/24"]
    port foo
        mac: "00:00:01:01:02:03"
        networks: ["192.168.1.1/24"]
[root@dell-per740-54 load_balance]# ovn-nbctl list load_balancer
_uuid : 30199a7b-1f3b-426a-8d58-b4c270eb8dce
external_ids : {}
health_check : []
ip_port_mappings : {}
name : lb1
options : {}
protocol : tcp
selection_fields : []
vips : {"30.30.30.30:80"="192.168.2.2:80"}
[root@dell-per740-54 load_balance]# ovn-nbctl list acl
_uuid : 8c9a48ac-87ae-43c4-a2e8-ec90a61349a5
action : allow-stateless
direction : from-lport
external_ids : {}
label : 0
log : false
match : "1"
meter : []
name : []
options : {}
priority : 1
severity : []

_uuid : 6af28809-8b49-470b-a078-473fd5c0e1c3
action : allow-stateless
direction : to-lport
external_ids : {}
label : 0
log : false
match : "1"
meter : []
name : []
options : {}
priority : 1
severity : []
```
On the old version: traffic is sent to the server and gets a conntrack entry.

```
:: [ 04:28:20 ] :: [ BEGIN ] :: Running 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d'
:: [ 04:28:21 ] :: [ FAIL ] :: Command 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d' (Expected 1, got 0)
:: [ 04:28:21 ] :: [ BEGIN ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=46782,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=46782),zone=7,mark=2,protoinfo=(state=TIME_WAIT)
:: [ 04:28:21 ] :: [ FAIL ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 0)
```

On the fixed version: traffic fails, and there is no conntrack entry.

```
# rpm -qa|grep ovn22
ovn22.12-22.12.0-94.el8fdp.x86_64
ovn22.12-central-22.12.0-94.el8fdp.x86_64
ovn22.12-host-22.12.0-94.el8fdp.x86_64
:: [ 04:28:20 ] :: [ BEGIN ] :: Running 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d'
Ncat: Connection timed out.
:: [ 04:28:30 ] :: [ PASS ] :: Command 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d' (Expected 1, got 1)
:: [ 04:28:30 ] :: [ BEGIN ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
:: [ 04:28:30 ] :: [ PASS ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 1)
```

Set verified.
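
Added example, not part of the bug report or of OVN: a Python version of the `dump-conntrack | grep` check in the verification above, which parses the dump and returns entries whose original destination is the load-balancer VIP, so the result can be asserted on VIP, port and zone instead of a substring match. The function names and the second sample line are constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the entry quoted in the report,
# line 2 is a made-up unrelated entry in another zone.
SAMPLE_DUMP = """\
tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=46782,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=46782),zone=7,mark=2,protoinfo=(state=TIME_WAIT)
udp,orig=(src=192.168.1.2,dst=192.168.2.2,sport=5000,dport=53),reply=(src=192.168.2.2,dst=192.168.1.2,sport=53,dport=5000),zone=3
"""

_GROUP = re.compile(r"(\w+)=\(([^)]*)\)")  # orig=(...), reply=(...), protoinfo=(...)


def _pairs(text):
    """Turn 'k=v,k=v' into a dict, ignoring fields without '='."""
    return dict(kv.split("=", 1) for kv in text.split(",") if "=" in kv)


def parse_entry(line):
    """Parse one dump-conntrack line into a dict with nested orig/reply dicts."""
    entry = {"proto": line.split(",", 1)[0]}
    entry.update(_pairs(_GROUP.sub("", line)))   # flat fields such as zone, mark
    for name, body in _GROUP.findall(line):
        entry[name] = _pairs(body)               # parenthesised groups
    return entry


def vip_entries(dump, vip, port=None, zone=None):
    """Return parsed entries whose original destination is the LB VIP."""
    hits = []
    for line in dump.splitlines():
        if "orig=(" not in line:
            continue                             # skip blanks and test-harness lines
        e = parse_entry(line.strip())
        orig = e.get("orig", {})
        if orig.get("dst") != vip:
            continue
        if port is not None and orig.get("dport") != str(port):
            continue
        # Assumption: an entry printed without a zone field is in zone 0.
        if zone is not None and e.get("zone", "0") != str(zone):
            continue
        hits.append(e)
    return hits


def was_dnatted(entry):
    """True when the reply source differs from the original destination,
    i.e. the VIP was rewritten to a backend address."""
    return entry.get("reply", {}).get("src") != entry.get("orig", {}).get("dst")


if __name__ == "__main__":
    for e in vip_entries(SAMPLE_DUMP, "30.30.30.30", port=80, zone=7):
        print("conntrack entry for VIP:", e["orig"], "dnat:", was_dnatted(e))
```

With the `allow-stateless` ACLs from the test topology in place, an empty result for the VIP corresponds to the fixed behaviour shown above.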

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn22.12 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3992