reproduced on the old version: [root@dell-per730-42 ovn]# rpm -qa | grep ovn kernel-kernel-networking-openvswitch-ovn-1.0-148.noarch ovn2.11-central-2.11.0-36.el8fdp.x86_64 ovn2.11-host-2.11.0-36.el8fdp.x86_64 ovn2.11-2.11.0-36.el8fdp.x86_64 [root@dell-per730-42 ovn]# [root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1 " ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.5 actions=conjunction(2,1/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.6 actions=conjunction(2,1/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,nw_src=10.0.0.4 actions=conjunction(2,1/2) cookie=0x3f455c27, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,conj_id=2,tcp,metadata=0x1 actions=resubmit(,45) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x600/0xff00 actions=conjunction(2,2/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=2000 actions=conjunction(2,2/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=1001 actions=conjunction(2,2/2) cookie=0x0, duration=9.997s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=1000 actions=conjunction(2,2/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x3ea/0xfffe actions=conjunction(2,2/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x700/0xff80 actions=conjunction(2,2/2) cookie=0x0, duration=9.998s, table=44, n_packets=0, n_bytes=0, idle_age=9, priority=1001,tcp,metadata=0x1,tp_dst=0x780/0xffc0 actions=conjunction(2,2/2) ====================================================================== This bug is verified on the fixed version: [root@dell-per730-42 ovn]# rpm -qa | grep ovn kernel-kernel-networking-openvswitch-ovn-1.0-148.noarch ovn2.11-2.11.1-3.el8fdp.x86_64 ovn2.11-central-2.11.1-3.el8fdp.x86_64 ovn2.11-host-2.11.1-3.el8fdp.x86_64 [root@dell-per730-42 ovn]# ovn-nbctl show switch 36ecba42-042d-4819-b785-56d6aea6f261 (s2) port hv0_vm00_vnet1 addresses: ["00:de:ad:00:00:01 172.16.102.21 2001:db8:102::21"] port hv1_vm00_vnet1 addresses: ["00:de:ad:01:00:01 172.16.102.11 2001:db8:102::11"] port hv0_vm01_vnet1 addresses: ["00:de:ad:00:01:01 172.16.102.22 2001:db8:102::22"] port hv1_vm01_vnet1 addresses: ["00:de:ad:01:01:01 172.16.102.12 2001:db8:102::12"] [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {10.0.0.4, 10.0.0.5, 10.0.0.6} && tcp.dst >= 1000 && tcp.dst <= 2000" allow [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovn-nbctl acl-add s2 to-lport 1 "outport == \"hv0_vm01_vnet1\" && ip4.src == {172.16.102.11,172.16.102.12} && tcp.dst >= 1000 && tcp.dst <= 2000" allow [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]# ovs-ofctl dump-flows br-int | grep conj [root@dell-per730-42 ovn]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0169