
Bug 1756466

Summary: [RHEL7] Disable conjunction flows in OVN
Product: Red Hat Enterprise Linux Fast Datapath
Component: ovn2.11
Version: FDP 19.G
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Numan Siddique <nusiddiq>
Assignee: Numan Siddique <nusiddiq>
QA Contact: haidong li <haili>
CC: ctrautma, dalvarez, dceara, fleitner, jishi, kfida
Keywords: Triaged
Doc Type: If docs needed, set a value
Clone Of:
: 1757086
Last Closed: 2019-11-06 05:00:08 UTC
Type: Bug
Bug Blocks: 1751942, 1757086

Description Numan Siddique 2019-09-27 17:17:49 UTC
Description of problem:

Conjunction usage is broken in OVN, so it should be disabled.

Comment 7 haidong li 2019-10-16 03:27:24 UTC
Hi Numan, can you help describe how to reproduce or verify? Thanks!

Comment 8 Numan Siddique 2019-10-16 07:09:52 UTC
(In reply to haidong li from comment #7)
> Hi Numan, can you help describe how to reproduce or verify? Thanks!

Sure.
Add a few ACLs like ... ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000

With the earlier ovn version, run - ovs-ofctl dump-flows br-int | grep conj. You should see some flows which use
conjunction.

With the new version, the same command should return 0 flows.

Instead of conjunction, you should see cross product of flows with all the combinations.


Thanks
Numan
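
Added example, not part of the original comment and not OVN's own code: a simplified model of the ACL from comment 8, showing why the flow count grows when conjunction is replaced by a cross product and why `grep conj` then returns nothing. Assumptions: the function names, the `ALLOW` placeholder action, the abbreviated flow strings, and the choice to model the port range as a minimal set of value/mask blocks.

```python
from itertools import product

def range_to_masks(lo, hi, width=16):
    """Cover the inclusive range [lo, hi] with the fewest aligned value/mask blocks."""
    full = (1 << width) - 1
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        blocks.append((lo, full & ~(size - 1)))
        lo += size
    return blocks

def cross_product_flows(srcs, lo, hi):
    """Without conjunction: one flow per (source address, port block) pair."""
    # ALLOW is a placeholder action, not real OVN output.
    return [f"tcp,nw_src={s},tp_dst={v:#x}/{m:#x} actions=ALLOW"
            for s, (v, m) in product(srcs, range_to_masks(lo, hi))]

def conjunctive_flows(srcs, lo, hi, conj_id=1):
    """With conjunction: one flow per clause value plus one conj_id flow."""
    flows = [f"ip,nw_src={s} actions=conjunction({conj_id},1/2)" for s in srcs]
    flows += [f"tcp,tp_dst={v:#x}/{m:#x} actions=conjunction({conj_id},2/2)"
              for v, m in range_to_masks(lo, hi)]
    flows.append(f"conj_id={conj_id} actions=ALLOW")
    return flows

def count_conj(flows):
    """Same check as `grep conj | wc -l` on the dump-flows output."""
    return sum("conj" in f for f in flows)

SRCS = ["10.0.0.4", "10.0.0.5", "10.0.0.6"]  # addresses from the ACL in comment 8

if __name__ == "__main__":
    old = conjunctive_flows(SRCS, 1000, 2000)
    new = cross_product_flows(SRCS, 1000, 2000)
    print(len(old), "flows with conjunction,", count_conj(old), "match 'conj'")
    print(len(new), "flows as cross product,", count_conj(new), "match 'conj'")
```

In this model the growth is additive with conjunction and multiplicative without it, so ACLs with large address sets are where the flow table size should be watched after the change.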

Comment 9 haidong li 2019-10-23 03:51:06 UTC
[root@dell-per740-18 ovn]# uname -a
Linux dell-per740-18.rhts.eng.pek2.redhat.com 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@dell-per740-18 ovn]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
openvswitch2.11-2.11.0-26.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# rpm -qa | grep ovn
ovn2.11-2.11.1-8.el7fdp.x86_64
ovn2.11-central-2.11.1-8.el7fdp.x86_64
ovn2.11-host-2.11.1-8.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# ovn-nbctl show
switch 086e87ca-1eee-4440-9790-6f0d7859360d (s3)
    port hv0_vm00_vnet1
        addresses: ["00:de:ad:00:00:01 172.16.103.11"]
    port hv0_vm01_vnet1
        addresses: ["00:de:ad:00:01:01 172.16.103.12"]
    port s3_r1
        type: router
        addresses: ["00:de:ad:ff:01:03 172.16.103.1"]
        router-port: r1_s3
switch ecc8b593-19fe-4509-8590-a68edcd2185d (public)
    port ln_p1
        type: localnet
        addresses: ["unknown"]
    port public_r1
        type: router
        router-port: r1_public
switch 3827320f-2e1f-4ad2-9394-cfef23e086dc (s2)
    port s2_r1
        type: router
        addresses: ["00:de:ad:ff:01:02 172.16.102.1"]
        router-port: r1_s2
    port hv1_vm01_vnet1
        addresses: ["00:de:ad:01:01:01 172.16.102.12"]
    port hv1_vm00_vnet1
        addresses: ["00:de:ad:01:00:01 172.16.102.11"]
router 5b2f265f-abdd-4f82-b57f-a45ed441f52d (r1)
    port r1_s3
        mac: "00:de:ad:ff:01:03"
        networks: ["172.16.103.1/24"]
    port r1_public
        mac: "40:44:00:00:00:03"
        networks: ["172.16.104.1/24"]
    port r1_s2
        mac: "00:de:ad:ff:01:02"
        networks: ["172.16.102.1/24"]
    nat 599e4d31-0fba-4af3-8dc5-cca7adea2b42
        external ip: "172.16.104.200"
        logical ip: "172.16.102.11"
        type: "dnat_and_snat"
    nat de0cfce7-68c6-4612-bdf8-4eaa5299e6c8
        external ip: "172.16.104.201"
        logical ip: "172.16.103.11"
        type: "dnat_and_snat"
[root@dell-per740-18 ovn]# 

[root@dell-per740-18 ovn]#  ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1  " ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {172.16.102.11,172.16.102.12} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]#

Comment 11 errata-xmlrpc 2019-11-06 05:00:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3718

Comment 12 Jianlin Shi 2019-11-13 05:58:48 UTC
the conjunction would be re-enabled in https://bugzilla.redhat.com/show_bug.cgi?id=1764032