Bug 1756466 - [RHEL7] Disable conjunction flows in OVN
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.11
Version: FDP 19.G
Hardware: Unspecified
OS: Unspecified
Assignee: Numan Siddique
QA Contact: haidong li
URL:
Whiteboard:
Depends On:
Blocks: 1751942 1757086
Reported: 2019-09-27 17:17 UTC by Numan Siddique
Modified: 2020-01-14 21:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1757086 (view as bug list)
Environment:
Last Closed: 2019-11-06 05:00:08 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3718 0 None None None 2019-11-06 05:00:27 UTC

Description Numan Siddique 2019-09-27 17:17:49 UTC
Description of problem:

Conjunction usage is broken in OVN, so it should be disabled.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 7 haidong li 2019-10-16 03:27:24 UTC
Hi Numan, can you help describe how to reproduce or verify? Thanks!

Comment 8 Numan Siddique 2019-10-16 07:09:52 UTC
(In reply to haidong li from comment #7)
> Hi Numan, can you help describe how to reproduce or verify? Thanks!

Sure.
Add a few ACLs like ... ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000

With the earlier ovn version, run - ovs-ofctl dump-flows br-int | grep conj. You should see some flows which use
conjunction.

With the new version, the same command should return 0 flows.

Instead of conjunction, you should see the cross product of flows with all the combinations.


Thanks
Numan
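
One way to automate the check described in comment 8, added here as an example and not taken from the bug report or from OVN: it reads `ovs-ofctl dump-flows` text, collects any flows that still use conjunction, and confirms that every ACL source address is paired with every port match, since a missing pair would be a hole in the ACL. The helper names, the table numbers and the abbreviated port matches are assumptions; the flow lines are constructed sample data.

```python
import re
from itertools import product

# Matches the nw_src / tp_dst pair of a non-conjunctive TCP flow.
FLOW_RE = re.compile(r"nw_src=(?P<src>[\d.]+).*?tp_dst=(?P<dst>[0-9a-fx/]+)")

def audit_flows(dump, expected_srcs):
    """Return (conj_flows, missing_pairs) for `ovs-ofctl dump-flows` text.

    conj_flows    - lines that match on conj_id or use the conjunction action
    missing_pairs - (src, tp_dst) combinations absent from the cross product
    """
    conj, seen = [], set()
    for line in dump.splitlines():
        if "conj_id=" in line or "conjunction(" in line:
            conj.append(line.strip())
            continue
        m = FLOW_RE.search(line)
        if m and m["src"] in expected_srcs:
            seen.add((m["src"], m["dst"]))
    dsts = {d for _, d in seen}
    missing = sorted(set(product(expected_srcs, dsts)) - seen)
    return conj, missing

# --- constructed sample data (not captured from a real bridge) ---
SRCS = ["10.0.0.4", "10.0.0.5", "10.0.0.6"]       # address set from the ACL
PORTS = ["0x3e8/0xfff8", "0x400/0xfe00", "2000"]  # abbreviated port matches

def flow(match, action="resubmit(,45)"):
    return (f" cookie=0x0, table=44, priority=1001,tcp,metadata=0x1,"
            f"{match} actions={action}")

# Earlier version: one clause flow per value plus the conj_id flow.
OLD = "\n".join(
    [flow(f"nw_src={s}", "conjunction(2,1/2)") for s in SRCS]
    + [flow(f"tp_dst={p}", "conjunction(2,2/2)") for p in PORTS]
    + [" cookie=0x0, table=44, priority=1001,conj_id=2,ip,metadata=0x1"
       " actions=resubmit(,45)"])

# Fixed version: full cross product, no conjunction.
FIXED = "\n".join(flow(f"nw_src={s},tp_dst={p}")
                  for s, p in product(SRCS, PORTS))

# Same as FIXED with one combination dropped, to show the gap being reported.
INCOMPLETE = "\n".join(FIXED.splitlines()[:-1])

if __name__ == "__main__":
    for name, dump in (("old", OLD), ("fixed", FIXED), ("incomplete", INCOMPLETE)):
        conj, missing = audit_flows(dump, SRCS)
        print(f"{name}: {len(conj)} conjunction flows, missing pairs: {missing}")
```

On a live host the input would be the output of `ovs-ofctl dump-flows br-int` and `expected_srcs` the address set from the ACL under test.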

Comment 9 haidong li 2019-10-23 03:51:06 UTC
[root@dell-per740-18 ovn]# uname -a
Linux dell-per740-18.rhts.eng.pek2.redhat.com 3.10.0-1062.el7.x86_64 #1 SMP Thu Jul 18 20:25:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@dell-per740-18 ovn]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-14.el7fdp.noarch
openvswitch2.11-2.11.0-26.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# rpm -qa | grep ovn
ovn2.11-2.11.1-8.el7fdp.x86_64
ovn2.11-central-2.11.1-8.el7fdp.x86_64
ovn2.11-host-2.11.1-8.el7fdp.x86_64
kernel-kernel-networking-openvswitch-ovn_ha-1.0-41.noarch
[root@dell-per740-18 ovn]# ovn-nbctl show
switch 086e87ca-1eee-4440-9790-6f0d7859360d (s3)
    port hv0_vm00_vnet1
        addresses: ["00:de:ad:00:00:01 172.16.103.11"]
    port hv0_vm01_vnet1
        addresses: ["00:de:ad:00:01:01 172.16.103.12"]
    port s3_r1
        type: router
        addresses: ["00:de:ad:ff:01:03 172.16.103.1"]
        router-port: r1_s3
switch ecc8b593-19fe-4509-8590-a68edcd2185d (public)
    port ln_p1
        type: localnet
        addresses: ["unknown"]
    port public_r1
        type: router
        router-port: r1_public
switch 3827320f-2e1f-4ad2-9394-cfef23e086dc (s2)
    port s2_r1
        type: router
        addresses: ["00:de:ad:ff:01:02 172.16.102.1"]
        router-port: r1_s2
    port hv1_vm01_vnet1
        addresses: ["00:de:ad:01:01:01 172.16.102.12"]
    port hv1_vm00_vnet1
        addresses: ["00:de:ad:01:00:01 172.16.102.11"]
router 5b2f265f-abdd-4f82-b57f-a45ed441f52d (r1)
    port r1_s3
        mac: "00:de:ad:ff:01:03"
        networks: ["172.16.103.1/24"]
    port r1_public
        mac: "40:44:00:00:00:03"
        networks: ["172.16.104.1/24"]
    port r1_s2
        mac: "00:de:ad:ff:01:02"
        networks: ["172.16.102.1/24"]
    nat 599e4d31-0fba-4af3-8dc5-cca7adea2b42
        external ip: "172.16.104.200"
        logical ip: "172.16.102.11"
        type: "dnat_and_snat"
    nat de0cfce7-68c6-4612-bdf8-4eaa5299e6c8
        external ip: "172.16.104.201"
        logical ip: "172.16.103.11"
        type: "dnat_and_snat"
[root@dell-per740-18 ovn]# 

[root@dell-per740-18 ovn]#  ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1  " ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {172.16.102.11,172.16.102.12} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per740-18 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per740-18 ovn]#

Comment 11 errata-xmlrpc 2019-11-06 05:00:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3718

Comment 12 Jianlin Shi 2019-11-13 05:58:48 UTC
The conjunction would be re-enabled in https://bugzilla.redhat.com/show_bug.cgi?id=1764032

