Bug 1841009 - ABORT packet should be sent when an ACL reject rule is set for an SCTP session
Summary: ABORT packet should be sent when an ACL reject rule is set for an SCTP session
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.13
Version: FDP 20.D
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Mark Michelson
QA Contact: ying xu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-28 06:48 UTC by ying xu
Modified: 2021-03-15 14:35 UTC
CC: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-15 14:34:36 UTC
Target Upstream Version:
Embargoed:


Links
System ID                               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata RHBA-2021:0839   0        None      None    None     2021-03-15 14:34:59 UTC

Description ying xu 2020-05-28 06:48:59 UTC
Description of problem:
An ABORT packet should be sent when an ACL reject rule is set for an SCTP session.

Version-Release number of selected component (if applicable):
# rpm -qa|grep ovn
ovn2.13-host-2.13.0-30.el8fdp.x86_64
ovn2.13-2.13.0-30.el8fdp.x86_64
ovn2.13-central-2.13.0-30.el8fdp.x86_64


How reproducible:
always

Steps to Reproduce:
server:
    ovn-nbctl ls-add ls
    ovn-nbctl lsp-add ls vm1
    ovn-nbctl lsp-set-addresses vm1 00:00:00:00:00:01
    ovn-nbctl lsp-add ls vm2
    ovn-nbctl lsp-set-addresses vm2 00:00:00:00:00:02

    ovn-nbctl lsp-add ls vm3
    ovn-nbctl lsp-set-addresses vm3 00:00:00:00:00:03
    ip netns add vm1
    ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
    ip link set vm1 netns vm1
    ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
    ip netns exec vm1 ip addr add 42.42.42.1/24 dev vm1
    ip netns exec vm1 ip link set vm1 up
    ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
client:
    ip netns add vm2
    ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
    ip link set vm2 netns vm2
    ip netns exec vm2 ip link set vm2 address 00:00:00:00:00:02
    ip netns exec vm2 ip addr add 42.42.42.2/24 dev vm2
    ip netns exec vm2 ip link set vm2 up
    ip netns exec vm2 ip link set lo up
    ovs-vsctl set Interface vm2 external_ids:iface-id=vm2

    ip netns add vm3
    ovs-vsctl add-port br-int vm3 -- set interface vm3 type=internal
    ip link set vm3 netns vm3
    ip netns exec vm3 ip link set vm3 address 00:00:00:00:00:03
    ip netns exec vm3 ip addr add 42.42.42.3/24 dev vm3
    ip netns exec vm3 ip link set vm3 up
    ip netns exec vm3 ip link set lo up
    ip netns exec vm2 ip route add default via 42.42.42.5
    ip netns exec vm3 ip route add default via 42.42.42.5
    ovs-vsctl set Interface vm3 external_ids:iface-id=vm3

Set the ACL rule on the server:
ovn-nbctl acl-add ls to-lport 900 "sctp && sctp.dst == 2345" reject

Then start ncat on the server and the client:
ip netns exec vm1 ncat --sctp -l 2349
ip netns exec vm2 ncat --sctp 42.42.42.1 2345 < h

Actual results:
# ip netns exec vm2 ncat --sctp 42.42.42.1 2345 < /tmp/send.pkt
Ncat: Connection timed out.
Looking at the packets, there is only the INIT, no ABORT (this is the same as the drop action, but it should not be):
# tcpdump -r a.pcap -nn -v
reading from file a.pcap, link-type LINUX_SLL (Linux cooked)
00:24:47.742989 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
    42.42.42.2.60553 > 42.42.42.1.2345: sctp (1) [INIT] [init tag: 4010928565] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 2977858445] 
00:24:50.771971 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
    42.42.42.2.60553 > 42.42.42.1.2345: sctp (1) [INIT] [init tag: 4010928565] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 2977858445] 
00:24:56.915963 IP (tos 0x2,ECT(0), ttl 64, id 1, offset 0, flags [DF], proto SCTP (132), length 68)
    42.42.42.2.60553 > 42.42.42.1.2345: sctp (1) [INIT] [init tag: 4010928565] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 2977858445] 



Expected results:
# ip netns exec vm2 ncat --sctp 42.42.42.1 2345 < /tmp/send.pkt
Ncat: Connection refused.

and an ABORT packet should be returned to the client.

Additional info:

Comment 3 ying xu 2021-03-05 03:42:08 UTC
Verified the bug on version:
# rpm -qa|grep ovn
ovn2.13-central-20.12.0-24.el8fdp.x86_64
ovn2.13-20.12.0-24.el8fdp.x86_64
ovn2.13-host-20.12.0-24.el8fdp.x86_64

Follow the steps in the description to set up the environment:

ovn-nbctl acl-add ls to-lport 900 "sctp && sctp.dst == 2345" reject

ip netns exec vm1 ncat --sctp -l 2349&

# ip netns exec vm2 ncat --sctp 42.42.42.1 2345 <<< h
22:17:33.146538 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto SCTP (132), length 68)
    42.42.42.2.36543 > 42.42.42.1.2345: sctp
	1) [INIT] [init tag: 1818116598] [rwnd: 106496] [OS: 10] [MIS: 65535] [init TSN: 2834273086] 
22:17:33.148250 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto SCTP (132), length 36)
    42.42.42.1.2345 > 42.42.42.2.36543: sctp
	1) [ABORT] 
Ncat: Connection refused.
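The difference between the two captures above is the whole bug: with "reject" misbehaving like "drop", the client's INIT is retransmitted and nothing comes back (description); after the fix, the rejecting side answers the INIT with an SCTP ABORT and ncat reports "Connection refused" (comment 3). "Connection refused" alone does not prove the ABORT is well formed, so the following script is an added example, not code from OVN, OVS or the reporter, that builds the ABORT RFC 4960 requires for a given INIT and checks a captured reply against it: ports swapped, verification tag equal to the INIT's Initiate Tag (T bit clear; for a non-INIT out-of-the-blue packet the tag is copied and the T bit set), an ABORT chunk first, and a correct CRC-32C. It works on raw SCTP payloads with the IP header already stripped, as extracted from a pcap. The sample INIT copies the ports, initiate tag, rwnd, OS/MIS and TSN from the description's capture; its optional parameters are constructed so the payload is the 48 bytes behind the 68-byte IP packet tcpdump printed.

```python
"""Check that an ACL "reject" answered an SCTP INIT with a well-formed ABORT.

Added example (not OVN/OVS code).  Operates on raw SCTP packets, IP header
stripped.  Sample values below come from the bug's capture; the INIT's
optional parameters are constructed.
"""
import struct

SCTP_CHUNK_INIT = 1
SCTP_CHUNK_ABORT = 6
ABORT_T_BIT = 0x01   # set when the sender has no TCB and copied the tag of an out-of-the-blue packet


def crc32c(data: bytes) -> int:
    """Reflected CRC-32C (Castagnoli) used by SCTP; check value of b"123456789" is 0xE3069283."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def sctp_checksum(packet: bytes) -> bytes:
    """CRC-32C over the packet with its checksum field zeroed, stored
    least-significant byte first as RFC 4960 Appendix B prescribes."""
    zeroed = packet[:8] + b"\x00\x00\x00\x00" + packet[12:]
    return struct.pack("<I", crc32c(zeroed))


def finish(packet: bytes) -> bytes:
    """Fill in the checksum field of a packet assembled with a zero checksum."""
    return packet[:8] + sctp_checksum(packet) + packet[12:]


def common_header(packet: bytes):
    """(source port, destination port, verification tag) from the 12-byte common header."""
    return struct.unpack("!HHI", packet[:8])


def chunks(packet: bytes):
    """Yield (type, flags, value) for every chunk after the common header."""
    off = 12
    while off + 4 <= len(packet):
        ctype, flags, length = struct.unpack("!BBH", packet[off:off + 4])
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        yield ctype, flags, packet[off + 4:off + length]
        off += (length + 3) & ~3          # chunks are padded to a 4-byte boundary


def build_init(src, dst, init_tag, a_rwnd, out_streams, in_streams, init_tsn, params=b""):
    """INIT packet; its verification tag is always 0 (RFC 4960 8.5.1 (A))."""
    value = struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, init_tsn) + params
    chunk = struct.pack("!BBH", SCTP_CHUNK_INIT, 0, 4 + len(value)) + value
    return finish(struct.pack("!HHI", src, dst, 0) + b"\x00" * 4 + chunk)


def build_abort_reply(received: bytes) -> bytes:
    """The ABORT a rejecting endpoint must send back for `received`.

    Answering an INIT: verification tag = the INIT's Initiate Tag, T bit clear.
    Answering anything else (no association): tag copied from the received
    header and the T bit set (RFC 4960 8.4 rule 8, 8.5.1 (B))."""
    src, dst, vtag = common_header(received)
    ctype, _, value = next(chunks(received))
    if ctype == SCTP_CHUNK_INIT:
        tag, flags = struct.unpack("!I", value[:4])[0], 0
    else:
        tag, flags = vtag, ABORT_T_BIT
    abort_chunk = struct.pack("!BBH", SCTP_CHUNK_ABORT, flags, 4)   # ABORT carrying no error causes
    return finish(struct.pack("!HHI", dst, src, tag) + b"\x00" * 4 + abort_chunk)


def check_abort_for_init(init: bytes, reply: bytes) -> list:
    """Problems with `reply` as the ABORT answering `init`; an empty list means it is well formed."""
    problems = []
    isrc, idst, _ = common_header(init)
    rsrc, rdst, rtag = common_header(reply)
    init_tag = struct.unpack("!I", next(chunks(init))[2][:4])[0]
    if (rsrc, rdst) != (idst, isrc):
        problems.append("ports not swapped: %d->%d" % (rsrc, rdst))
    if rtag != init_tag:
        problems.append("verification tag %d != INIT initiate tag %d" % (rtag, init_tag))
    if reply[8:12] != sctp_checksum(reply):
        problems.append("bad CRC-32C")
    reply_chunks = list(chunks(reply))
    if not reply_chunks or reply_chunks[0][0] != SCTP_CHUNK_ABORT:
        problems.append("first chunk is not ABORT")
    elif reply_chunks[0][1] & ABORT_T_BIT:
        problems.append("T bit set on an ABORT answering an INIT")
    return problems


# Constructed sample: the INIT from the description's capture
# (42.42.42.2.60553 -> 42.42.42.1.2345) with three constructed parameters so
# the SCTP payload is 48 bytes, i.e. the 68-byte IP packet tcpdump printed.
SAMPLE_PARAMS = (b"\x00\x0c\x00\x06\x00\x05\x00\x00"   # Supported Address Types: IPv4 (+2 pad)
                 + b"\x80\x00\x00\x04"                  # ECN Capable
                 + b"\xc0\x00\x00\x04")                 # Forward-TSN Supported
SAMPLE_INIT = build_init(60553, 2345, 4010928565, 106496, 10, 65535, 2977858445, SAMPLE_PARAMS)
SAMPLE_ABORT = build_abort_reply(SAMPLE_INIT)   # 16 bytes: the 36-byte IP packet seen in comment 3

if __name__ == "__main__":
    print("ABORT reply:", SAMPLE_ABORT.hex())
    print("problems:", check_abort_for_init(SAMPLE_INIT, SAMPLE_ABORT) or "none")
```

To use it on a real capture, feed check_abort_for_init() the bytes after the IP header of the client's INIT and of the packet the server side sent back; a reply that fails the tag or CRC check will be discarded by the client's SCTP stack, which then retransmits the INIT exactly as in the "drop" capture even though something was sent.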

Comment 5 errata-xmlrpc 2021-03-15 14:34:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0839

