Bug 1805709

| Field | Value |
|---|---|
| Summary | [OVN] MAC anti-spoof filtering still works if port_security is disabled |
| Product | Red Hat Enterprise Linux Fast Datapath |
| Reporter | Maciej Józefczyk <mjozefcz> |
| Component | ovn2.11 |
| Assignee | Numan Siddique <nusiddiq> |
| Status | CLOSED ERRATA |
| QA Contact | ying xu <yinxu> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | FDP 20.A |
| CC | ctrautma, fhallal, kfida, nusiddiq, sathlang |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1816087 |
| Environment | |
| Last Closed | 2020-04-14 14:29:49 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1816087 |
| Attachments | |
I don't think this is a bug. OVN DHCP will only work if there's an IP set in the addresses column. You need to append "unknown" to the logical port if you want to allow any MAC address from/to the port and also clear the port_security column.

Created attachment 1666925
patch-with-failing-ut

Created attachment 1667195
patch-with-failing-2-ut
*** Bug 1784807 has been marked as a duplicate of this bug. ***

Reproduced on version:

```text
# rpm -qa|grep ovn
ovn2.11-2.11.1-37.el7fdp.x86_64
ovn2.11-host-2.11.1-37.el7fdp.x86_64
ovn2.11-central-2.11.1-37.el7fdp.x86_64
```

server:

```shell
# dhcp options
local dhcp_102=$(ovn-nbctl create DHCP_Options cidr=42.42.42.0/24 \
options="\"server_id\"=\"42.42.42.254\" \"server_mac\"=\"00:de:ad:ff:01:02\" \
\"lease_time\"=\"3600\" \"router\"=\"42.42.42.254\"")
echo $dhcp_102
ovn-nbctl ls-add ls
ovn-nbctl lsp-add ls vm1
ovn-nbctl lsp-set-addresses vm1 "00:00:00:00:00:01 42.42.42.2" unknown
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm1 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm1"
ovn-nbctl lsp-add ls vm2
ovn-nbctl lsp-set-addresses vm2 "00:00:00:00:00:02 42.42.42.3"
rlRun "ovn-nbctl lsp-set-dhcpv4-options vm2 $dhcp_102"
rlRun "ovn-nbctl lsp-get-dhcpv4-options vm2"
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip link set lo up
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ip netns exec vm1 dhclient -i vm1 -v
```

client:

```shell
ip netns add vm2
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
ip netns exec vm2 ip link set vm2 address 00:00:00:00:00:02
ip netns exec vm2 ip link set vm2 up
ip netns exec vm2 ip link set lo up
ovs-vsctl set Interface vm2 external_ids:iface-id=vm2
sync_set server $FUNCNAME
sync_wait server $FUNCNAME
pkill dhclient
ip netns exec vm2 dhclient -v -i vm2
```

and then change the MAC address of vm1:

```shell
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:03
```

ping vm1 from vm2:

```text
ip netns exec vm2 ping 42.42.42.2
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
--- 42.42.42.2 ping statistics ---
50 packets transmitted, 0 received, 100% packet loss, time 48999ms
```
Verified on version:

```text
# rpm -qa|grep ovn
ovn2.11-2.11.1-38.el7fdp.x86_64
ovn2.11-host-2.11.1-38.el7fdp.x86_64
ovn2.11-central-2.11.1-38.el7fdp.x86_64
```

Change the MAC of vm1, and then ping from vm2 to vm1:

```text
ip netns exec vm2 ping 42.42.42.2 -c 50
PING 42.42.42.2 (42.42.42.2) 56(84) bytes of data.
64 bytes from 42.42.42.2: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 42.42.42.2: icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from 42.42.42.2: icmp_seq=3 ttl=64 time=0.243 ms
64 bytes from 42.42.42.2: icmp_seq=4 ttl=64 time=0.225 ms
64 bytes from 42.42.42.2: icmp_seq=5 ttl=64 time=0.236 ms
```

Set verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1458
Description of problem:

While setting an unknown address for an LSP, we found that the DHCP-related logical flows are deleted from the logical switch ingress pipeline. While there are addresses configured, we can see that the flows are in place:

```text
stack@mjozefcz-ovn-train-lb:~/logs$ sudo ovn-sbctl lflow-list |grep a09a1ac7-62ad-46ad-b802-c4abf65dcf70 | grep ls_in_dhcp_options
table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, classless_static_route = {169.254.169.254/32,10.2.1.2, 0.0.0.0/0,10.2.1.1}, dns_server = {127.0.0.53}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)
table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "a09a1ac7-62ad-46ad-b802-c4abf65dcf70" && eth.src == fa:16:3e:05:35:b1 && ip4.src == 10.2.1.134 && ip4.dst == {10.2.1.1, 255.255.255.255} && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 10.2.1.134, classless_static_route = {169.254.169.254/32,10.2.1.2, 0.0.0.0/0,10.2.1.1}, dns_server = {127.0.0.53}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.0, router = 10.2.1.1, server_id = 10.2.1.1); next;)
```

When we set the unknown address, all the DHCP flows are deleted:

```text
stack@mjozefcz-ovn-train-lb:~/logs$ ovn-nbctl set logical_switch_port a09a1ac7-62ad-46ad-b802-c4abf65dcf70 addresses='"unknown"'
stack@mjozefcz-ovn-train-lb:~/logs$ sudo ovn-sbctl lflow-list |grep a09a1ac7-62ad-46ad-b802-c4abf65dcf70 | grep ls_in_dhcp_options
stack@mjozefcz-ovn-train-lb:~/logs$
```

In OpenStack there is a possibility to disable port security for a particular port. In this situation the instance is not able to get an address from DHCP. Maybe we can try not to loop over the defined addresses in the LSP, but install a flow that will match only on inport [1]?

[1] https://github.com/ovn-org/ovn/blob/master/northd/ovn-northd.c#L6290
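As an added check (not code from the bug report or from OVN), the following Python parses `ovn-sbctl lflow-list` output in the format quoted above and compares the `ls_in_dhcp_options` flows actually installed for a port against what its addresses column should produce, so an operator can confirm whether a port with only "unknown" configured can still obtain a DHCP lease. The sample flow lines and the port names vm1/vm2 are constructed from the reproduction in this bug.

```python
import re

# One line of `ovn-sbctl lflow-list` output, in the form quoted in the report:
#   table=14(ls_in_dhcp_options ), priority=100 , match=(...), action=(...)
LFLOW_RE = re.compile(
    r"table=(?P<table>\d+)\((?P<stage>\w+)\s*\),\s*priority=(?P<prio>\d+)\s*,"
    r"\s*match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)$"
)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: the two per-address DHCP flows northd installs for vm1
# (addresses ["00:00:00:00:00:01 42.42.42.2", "unknown"]); options trimmed.
SAMPLE_LFLOWS = """\
table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "vm1" && eth.src == 00:00:00:00:00:01 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 42.42.42.2, lease_time = 3600, router = 42.42.42.254, server_id = 42.42.42.254); next;)
table=14(ls_in_dhcp_options ), priority=100 , match=(inport == "vm1" && eth.src == 00:00:00:00:00:01 && ip4.src == 42.42.42.2 && ip4.dst == {42.42.42.254, 255.255.255.255} && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 42.42.42.2, lease_time = 3600, router = 42.42.42.254, server_id = 42.42.42.254); next;)
"""

def parse_addresses(addresses):
    """LSP addresses column (one string per entry) -> [(mac, [ipv4...])]; 'unknown' has no MAC."""
    pairs = []
    for entry in addresses:
        parts = entry.split()
        if parts and MAC_RE.match(parts[0]):
            pairs.append((parts[0].lower(), [p for p in parts[1:] if IPV4_RE.match(p)]))
    return pairs

def expected_dhcp_ipv4(addresses):
    """IPv4 addresses that yield ls_in_dhcp_options flows under the behaviour
    the report describes: one per MAC+IPv4 pair, none for a bare 'unknown'."""
    return {ip for _, ips in parse_addresses(addresses) for ip in ips}

def dhcp_flows_by_inport(lflow_text):
    """Map inport -> set of offerip values found in ls_in_dhcp_options flows."""
    flows = {}
    for line in lflow_text.splitlines():
        m = LFLOW_RE.search(line.strip())
        if not m or m.group("stage") != "ls_in_dhcp_options":
            continue
        inport = re.search(r'inport == "([^"]+)"', m.group("match"))
        offer = re.search(r"offerip\s*=\s*([\d.]+)", m.group("action"))
        if inport and offer:
            flows.setdefault(inport.group(1), set()).add(offer.group(1))
    return flows

def check_port(name, addresses, lflow_text):
    """Compare what the addresses column should yield with what the SB DB has;
    an empty 'installed' set means the VM behind the port cannot use OVN DHCP."""
    want = expected_dhcp_ipv4(addresses)
    have = dhcp_flows_by_inport(lflow_text).get(name, set())
    return {"expected": want, "installed": have, "dhcp_possible": bool(have)}
```

On a live system, feed `check_port` the output of `ovn-sbctl lflow-list` and the port's addresses from `ovn-nbctl lsp-get-addresses`.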