Description of problem:
Conjunction usage is broken in OVN. So it should be disabled.

Hi Numan, can you help describe how to reproduce or verify? Thanks!
(In reply to haidong li from comment #7)
> Hi Numan, can you help describe how to reproduce or verify? Thanks!

Sure.

Add a few ACLs like ...

ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000

With the earlier OVN version, run: ovs-ofctl dump-flows br-int | grep conj
You should see some flows which use conjunction.

With the new version, the same command should return 0 flows. Instead of conjunction, you should see a cross product of flows with all the combinations.

Thanks
Numan

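The difference between the two flow layouts described in the comment above, as an added example that is not part of the original thread or of OVN's code. It assumes the tcp.dst range is expanded into a minimal set of value/mask blocks (OVN's own expansion may produce a different number of masks) and uses the Open vSwitch conjunctive-match rule of one flow per alternative in each dimension plus one conj_id flow; the match strings are illustrative.

```python
from itertools import product

def range_to_masks(lo, hi, width=16):
    """Cover [lo, hi] with the fewest aligned (value, mask) blocks."""
    full = (1 << width) - 1
    blocks = []
    while lo <= hi:
        # Largest power-of-two block aligned at lo that does not pass hi.
        size = (lo & -lo) if lo else (1 << width)
        while size > hi - lo + 1:
            size >>= 1
        blocks.append((lo, full & ~(size - 1)))
        lo += size
    return blocks

def expand(src_ips, port_lo, port_hi):
    """Return (cross-product match strings, conjunctive flow count)."""
    ports = range_to_masks(port_lo, port_hi)
    # Conjunction disabled: one flow for every (source, port mask) pair.
    cross = [f"tcp,nw_src={ip},tp_dst=0x{v:x}/0x{m:x}"
             for ip, (v, m) in product(src_ips, ports)]
    # Conjunction enabled: one flow per source, one per port mask,
    # plus a single flow matching on conj_id.
    conj_count = len(src_ips) + len(ports) + 1
    return cross, conj_count

if __name__ == "__main__":
    # Values taken from the ACL in the comment above.
    cross, conj_count = expand(["10.0.0.4", "10.0.0.5", "10.0.0.6"], 1000, 2000)
    print(f"flows with conjunction:    {conj_count}")
    print(f"flows as cross product:    {len(cross)}")
    for match in cross[:3]:
        print("  ", match)
```

The cross-product count grows multiplicatively with each set or range in an ACL, which is worth keeping in mind when reviewing flow-table size on br-int after the change.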
[root@dell-per740-18 ovn]# uname -a
Linux dell-per740-18.rhts.eng.pek2.redhat.com 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@dell-per740-18 ovn]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
openvswitch2.11-2.11.0-26.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# rpm -qa | grep ovn
ovn2.11-2.11.1-8.el7fdp.x86_64
ovn2.11-central-2.11.1-8.el7fdp.x86_64
ovn2.11-host-2.11.1-8.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# ovn-nbctl show
switch 086e87ca-1eee-4440-9790-6f0d7859360d (s3)
    port hv0_vm00_vnet1
        addresses: ["00:de:ad:00:00:01 172.16.103.11"]
    port hv0_vm01_vnet1
        addresses: ["00:de:ad:00:01:01 172.16.103.12"]
    port s3_r1
        type: router
        addresses: ["00:de:ad:ff:01:03 172.16.103.1"]
        router-port: r1_s3
switch ecc8b593-19fe-4509-8590-a68edcd2185d (public)
    port ln_p1
        type: localnet
        addresses: ["unknown"]
    port public_r1
        type: router
        router-port: r1_public
switch 3827320f-2e1f-4ad2-9394-cfef23e086dc (s2)
    port s2_r1
        type: router
        addresses: ["00:de:ad:ff:01:02 172.16.102.1"]
        router-port: r1_s2
    port hv1_vm01_vnet1
        addresses: ["00:de:ad:01:01:01 172.16.102.12"]
    port hv1_vm00_vnet1
        addresses: ["00:de:ad:01:00:01 172.16.102.11"]
router 5b2f265f-abdd-4f82-b57f-a45ed441f52d (r1)
    port r1_s3
        mac: "00:de:ad:ff:01:03"
        networks: ["172.16.103.1/24"]
    port r1_public
        mac: "40:44:00:00:00:03"
        networks: ["172.16.104.1/24"]
    port r1_s2
        mac: "00:de:ad:ff:01:02"
        networks: ["172.16.102.1/24"]
    nat 599e4d31-0fba-4af3-8dc5-cca7adea2b42
        external ip: "172.16.104.200"
        logical ip: "172.16.102.11"
        type: "dnat_and_snat"
    nat de0cfce7-68c6-4612-bdf8-4eaa5299e6c8
        external ip: "172.16.104.201"
        logical ip: "172.16.103.11"
        type: "dnat_and_snat"
[root@dell-per740-18 ovn]#
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1 " ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {172.16.102.11,172.16.102.12} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3718
The conjunction would be re-enabled in https://bugzilla.redhat.com/show_bug.cgi?id=1764032