Bug 1757086

Summary: [RHEL8] Disable conjunction flows in OVN
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Flavio Leitner <fleitner>
Component: ovn2.11
Assignee: Numan Siddique <nusiddiq>
Status: CLOSED ERRATA
QA Contact: ying xu <yinxu>
Severity: unspecified
Priority: unspecified
Version: FDP 19.E
CC: ctrautma, dalvarez, dceara, fleitner, haili, jishi, kfida, liali, nusiddiq, qding
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1756466
Last Closed: 2020-01-21 15:21:48 UTC
Bug Depends On: 1756466
Bug Blocks: 1751942

Comment 4 haidong li 2019-10-16 09:13:28 UTC
Reproduced on the old version:
[root@dell-per730-42 ovn]# rpm -qa | grep ovn
kernel-kernel-networking-openvswitch-ovn-1.0-148.noarch
ovn2.11-central-2.11.0-36.el8fdp.x86_64
ovn2.11-host-2.11.0-36.el8fdp.x86_64
ovn2.11-2.11.0-36.el8fdp.x86_64
[root@dell-per730-42 ovn]# 

[root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1  " ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.5 actions=conjunction(2,1/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.6 actions=conjunction(2,1/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.4 actions=conjunction(2,1/2)
 cookie=0x3f455c27, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,conj_id=2,tcp,metadata=0x1 actions=resubmit(,45)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x600/0xff00 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=2000 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=1001 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.997s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=1000 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x3ea/0xfffe actions=conjunction(2,2/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x700/0xff80 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x780/0xffc0 actions=conjunction(2,2/2)

======================================================================
This bug is verified on the fixed version:

[root@dell-per730-42 ovn]# rpm -qa | grep ovn
kernel-kernel-networking-openvswitch-ovn-1.0-148.noarch
ovn2.11-2.11.1-3.el8fdp.x86_64
ovn2.11-central-2.11.1-3.el8fdp.x86_64
ovn2.11-host-2.11.1-3.el8fdp.x86_64
[root@dell-per730-42 ovn]# ovn-nbctl show
switch 36ecba42-042d-4819-b785-56d6aea6f261 (s2)
    port hv0_vm00_vnet1
        addresses: ["00:de:ad:00:00:01 172.16.102.21 2001:db8:102::21"]
    port hv1_vm00_vnet1
        addresses: ["00:de:ad:01:00:01 172.16.102.11 2001:db8:102::11"]
    port hv0_vm01_vnet1
        addresses: ["00:de:ad:00:01:01 172.16.102.22 2001:db8:102::22"]
    port hv1_vm01_vnet1
        addresses: ["00:de:ad:01:01:01 172.16.102.12 2001:db8:102::12"]
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {172.16.102.11,172.16.102.12} && tcp.dst >= 1000 && tcp.dst <= 2000" allow
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj
[root@dell-per730-42 ovn]#
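
A parser for the `ovs-ofctl dump-flows` output shown in Comment 4, as an added example that is not part of the original bug report: it groups conjunctive-match flows by conjunction id and reports whether any remain, which is what the empty `grep conj` result checks. The sample dump is constructed and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `ovs-ofctl dump-flows br-int`
# output in Comment 4 (illustrative values, not a capture).
SAMPLE_DUMP = """\
 cookie=0x0, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.4 actions=conjunction(2,1/2)
 cookie=0x0, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.5 actions=conjunction(2,1/2)
 cookie=0x0, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=1000 actions=conjunction(2,2/2)
 cookie=0x0, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x3ea/0xfffe actions=conjunction(2,2/2)
 cookie=0x3f455c27, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,conj_id=2,tcp,metadata=0x1 actions=resubmit(,45)
 cookie=0x0, duration=9.9s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=0,metadata=0x1 actions=resubmit(,45)
"""

CLAUSE_RE = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")
CONJ_ID_RE = re.compile(r"(?:^|,)conj_id=(\d+)(?:,|$)")


def summarize_conjunctions(dump):
    """Return {id: {"n": clause count, "clauses": {k: [match, ...]},
                    "matched": True if a conj_id=<id> flow exists}}."""
    out = defaultdict(lambda: {"n": 0, "clauses": defaultdict(list), "matched": False})
    for line in dump.splitlines():
        if " actions=" not in line:
            continue
        left, actions = line.rsplit(" actions=", 1)
        # Last token before actions is the match, e.g. priority=1001,tcp,...
        match = (left.split() or [""])[-1]
        for cid, k, n in CLAUSE_RE.findall(actions):
            entry = out[int(cid)]
            entry["n"] = int(n)
            entry["clauses"][int(k)].append(match)
        hit = CONJ_ID_RE.search(match)
        if hit:
            out[int(hit.group(1))]["matched"] = True
    return out


def incomplete_conjunctions(summary):
    """Ids that cannot match as installed: no conj_id flow or a missing clause."""
    return sorted(cid for cid, e in summary.items()
                  if not e["matched"] or e["n"] == 0
                  or set(e["clauses"]) != set(range(1, e["n"] + 1)))


def is_conjunction_free(dump):
    """True when the dump holds no conjunction() actions and no conj_id matches."""
    return not summarize_conjunctions(dump)
```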

Comment 7 errata-xmlrpc 2020-01-21 15:21:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0169