Description of problem:
Configuring ip.dst==x.x.x.1/24 in an ACL doesn't work.

Version-Release number of selected component (if applicable):
ovn2.12-2.12.0-33.el8fdp.x86_64

How reproducible:
always

Steps to Reproduce:
1. Set the logical_router_policy as below:
   # ovn-nbctl list Logical_Router_Policy
   _uuid    : 5983abfd-d952-4fd6-b1c2-729dfb33fdda
   action   : drop
   match    : "ip4 && ip4.dst == 77.77.77.2/24"
   nexthop  : []
   priority : 3000

   _uuid    : a2e509ee-ba36-465e-bfb6-9e5e63aff4b6
   action   : drop
   match    : "ip6 && ip6.dst == 2002::2/64"
   nexthop  : []
   priority : 3000

2. Ping to 77.77.77.2; it didn't drop the packets.
3. Change the policy to 77.77.77.0/24; it works.
   # ovn-nbctl list Logical_Router_Policy
   _uuid    : 5983abfd-d952-4fd6-b1c2-729dfb33fdda
   action   : drop
   match    : "ip4 && ip4.dst == 77.77.77.0/24"
   nexthop  : []
   priority : 3000

Actual results:
ping has no loss

Expected results:
ping packets are dropped

Additional info:
As far as I know, in switches and routers (like Cisco and other vendors), if we configure 77.77.77.2/24 in the rules, it will be translated to 77.77.77.0/24.
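The mismatch described in the report, as an added Python illustration that is not part of the bug report or of OVN's code: two model comparisons show why a rule value that keeps its host bits (77.77.77.2/24) can never equal a masked packet address when only the packet side is masked (this models the observed symptom, not OVN's actual internals), and a small checker flags non-canonical prefixes in ovn-nbctl match strings so Logical_Router_Policy and ACL rows can be audited on a version that still has the bug.

```python
import ipaddress
import re

# CIDR literals inside an OVN match string, e.g. "77.77.77.2/24" or "2002::2/64".
# Candidates are validated with ipaddress, so a loose character class is fine.
_CIDR_RE = re.compile(r"([0-9a-fA-F.:]+)/(\d{1,3})")


def matches_unmasked_value(dst, cidr):
    """Model of the faulty behaviour: the packet address is masked, but the
    rule's value is compared as written. If the value carries host bits
    (77.77.77.2/24), no masked address can ever equal it, so the rule
    silently matches nothing."""
    rule = ipaddress.ip_interface(cidr)
    masked_dst = int(ipaddress.ip_address(dst)) & int(rule.netmask)
    return masked_dst == int(rule.ip)


def matches_masked_value(dst, cidr):
    """Expected behaviour: the value is normalised to its network address
    (77.77.77.2/24 -> 77.77.77.0/24) before the comparison."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(cidr, strict=False)


def find_noncanonical(match):
    """Return (as_written, canonical) for every CIDR in an OVN match string
    whose value has host bits set; such rules do not take effect on an
    unfixed version and should be rewritten to the canonical form."""
    findings = []
    for m in _CIDR_RE.finditer(match):
        try:
            rule = ipaddress.ip_interface(m.group(0))
        except ValueError:
            continue  # not an address literal, skip it
        if rule.ip != rule.network.network_address:
            findings.append((m.group(0), str(rule.network)))
    return findings


if __name__ == "__main__":
    # Match strings taken from the report above (constructed sample input).
    for rule in ("ip4 && ip4.dst == 77.77.77.2/24",
                 "ip6 && ip6.dst == 2002::2/64",
                 "ip4 && ip4.dst == 77.77.77.0/24"):
        print(rule, "->", find_noncanonical(rule) or "canonical")
    print(matches_unmasked_value("77.77.77.2", "77.77.77.2/24"))  # False
    print(matches_masked_value("77.77.77.2", "77.77.77.2/24"))    # True
```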
Fix committed upstream: https://github.com/ovn-org/ovn/commit/2104f67aacd62f62a31f4e23a6720aeeaa751154

Will be available in upstream release v20.09.0.
I verified on version:
# rpm -qa|grep ovn
ovn2.13-host-20.09.0-2.el8fdp.x86_64
ovn2.13-20.09.0-2.el8fdp.x86_64
ovn2.13-central-20.09.0-2.el8fdp.x86_64

# ovn-nbctl show
switch 8efe6b48-e9f6-46d9-bec1-4d82d3322390 (ls)
    port vm1
        addresses: ["00:00:00:00:00:01"]
    port vm3
        addresses: ["00:00:00:00:00:03"]
    port vm2
        addresses: ["00:00:00:00:00:02"]

# ovn-nbctl list acl
_uuid        : 43bb3e91-e16d-4789-99d7-7c55392bec76
action       : drop
direction    : to-lport
external_ids : {}
log          : false
match        : "ip4 && ip4.src == 42.42.42.3/24 && sctp && sctp.dst == 2349"
meter        : []
name         : []
priority     : 800
severity     : []

ip netns exec vm2 ncat --sctp 42.42.42.1 2349 < /tmp/send.pkt    ----- vm2 src is 42.42.42.2
ip netns exec vm3 ncat --sctp 42.42.42.1 2349 < /tmp/send.pkt    ----- vm3 src is 42.42.42.3

tcpdump -r acl3.pcap -nnle |grep "COOKIE ECHO"|grep "42.42.42.2.*42.42.42.1.2349"'    ----- no packet from 42.42.42.2
reading from file acl3.pcap, link-type LINUX_SLL (Linux cooked v1)
dropped privs to tcpdump

tcpdump -r acl4.pcap -nnle |grep INIT|grep "42.42.42.3.*42.42.42.1.2349"'    ----- no packet from 42.42.42.3
reading from file acl4.pcap, link-type LINUX_SLL (Linux cooked v1)
dropped privs to tcpdump

Another scenario:
# ovn-nbctl show
switch 98843701-1c5f-4aa7-be5a-df75d23ef162 (ls3)
    port ls3-rtr
        type: router
        addresses: ["00:00:00:00:03:00"]
        router-port: rtr-ls3
    port vm3
        addresses: ["00:00:00:00:00:03"]
switch 6343a0af-a1bd-4e7c-80a9-ad7ab5d4e185 (ls2)
    port vm2
        addresses: ["00:00:00:00:00:02"]
    port ls2-rtr
        type: router
        addresses: ["00:00:00:00:02:00"]
        router-port: rtr-ls2
switch d34a1907-27b5-4c49-b0ba-85a226a3b6c2 (ls)
    port vm1
        addresses: ["00:00:00:00:00:01"]
    port ls-rtr
        type: router
        addresses: ["00:00:00:00:01:00"]
        router-port: rtr-ls
router f9204aaf-4df3-4abf-a3bb-c2319f4b3ae5 (rtr)
    port rtr-ls2
        mac: "00:00:00:00:02:00"
        networks: ["2002::1/64", "77.77.77.1/24"]
    port rtr-ls3
        mac: "00:00:00:00:03:00"
        networks: ["2003::1/64", "66.66.66.1/24"]
    port rtr-ls
        mac: "00:00:00:00:01:00"
        networks: ["2000::1/64", "42.42.42.1/24"]

# ovn-nbctl list Logical_Router_Policy
_uuid        : 5932b00d-bab2-4651-9849-753c18c5a68a
action       : drop
external_ids : {}
match        : "ip6 && ip6.src == 2003::2/64"
nexthop      : []
options      : {}
priority     : 3000

_uuid        : 732c9dea-9259-419f-b4b7-5974161ed664
action       : drop
external_ids : {}
match        : "ip4 && ip4.src == 66.66.66.2/24"
nexthop      : []
options      : {}
priority     : 3000

ip netns exec vm3 ping 77.77.77.2 -c 3'    ----- vm3 src is 66.66.66.2
PING 77.77.77.2 (77.77.77.2) 56(84) bytes of data.    ----- ping failed

--- 77.77.77.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 70ms
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4356