
Bug 1856898

Summary: NB LSP with IPv6 CIDR in port_security does not create a SB Logical_Flow with IPv6+mask
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Rodolfo Alonso <ralonsoh>
Component: ovn2.13 Assignee: Dumitru Ceara <dceara>
Status: CLOSED ERRATA QA Contact: Zhiqiang Fang <zfang>
Severity: medium Docs Contact:
Priority: high    
Version: RHEL 7.7 CC: ctrautma, dceara, ebenes, jishi, kfida, ralongi
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-01 15:07:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1853766    

Comment 7 Zhiqiang Fang 2020-11-05 16:37:35 UTC
~~~~~~~~~~~~~~~~~~~~~  Reproduced on ovn2.13-20.09.0-2.el8fdp ~~~~~~~~~~~~~~~~~~~~~ 

[root@impairment2 ~]# rpm -qa | egrep "openvswitch|ovn"
ovn2.13-central-20.09.0-2.el8fdp.x86_64
openvswitch2.13-2.13.0-60.el8fdp.x86_64
ovn2.13-20.09.0-2.el8fdp.x86_64
ovn2.13-host-20.09.0-2.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch

[root@impairment2 ~]# cat bug1.sh 
# Lab reproducer: single-host OVN setup with one logical router (lr1), one
# logical switch (ls1) and one workload port (ls1p1) backed by an OVS internal
# interface in network namespace client0. The last line applies port security
# to ls1p1.
systemctl restart openvswitch
systemctl restart ovn-northd
# Expose the NB (6641) and SB (6642) databases over passive plain TCP.
# NOTE(review): ptcp is unencrypted and unauthenticated, and with no bind
# address given it presumably listens on all interfaces. That is fine on an
# isolated test host; a shared or production host would want pssl: with
# certificates, or a listener bound to a specific address.
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
# Register this host as chassis hv0, reach the SB database over loopback and
# use geneve encapsulation with a loopback encap IP (single-host setup).
ovs-vsctl set Open_vSwitch . external-ids:system-id=hv0 external-ids:ovn-remote=tcp:127.0.0.1:6642 external-ids:ovn-encap-type=geneve external-ids:ovn-encap-ip=127.0.0.1
systemctl restart ovn-controller

# Logical router lr1 with port lr1ls1 carrying the IPv4 and IPv6 gateway
# addresses that the client pings later (2000::a).
ovn-nbctl lr-add lr1
ovn-nbctl lrp-add lr1 lr1ls1 00:01:03:0d:ff:01 192.168.1.254/24 2000::a/64

# Logical switch ls1: ls1lr1 is the router-type port peered with lr1ls1,
# ls1p1 is the workload port under test.
ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1lr1
ovn-nbctl lsp-set-type ls1lr1 router
ovn-nbctl lsp-set-options ls1lr1 router-port=lr1ls1
ovn-nbctl lsp-set-addresses ls1lr1 "00:01:03:0d:ff:01 192.168.1.254 2000::a"
ovn-nbctl lsp-add ls1 ls1p1
ovn-nbctl lsp-set-addresses ls1p1 "00:01:02:03:01:01 192.168.1.1 2000::1"

# Create an internal OVS interface on br-int, move it into namespace client0
# and give it the same MAC, IPv4 and IPv6 addresses that were set on ls1p1.
ovs-vsctl add-port br-int eth-client0 -- set interface eth-client0 type=internal
ip netns add client0
ip link set eth-client0 netns client0
ip netns exec client0 ip link set eth-client0 up
ip netns exec client0 ip link set eth-client0 address 00:01:02:03:01:01
ip netns exec client0 ip addr add 192.168.1.1/24 dev eth-client0
ip netns exec client0 ip -6 addr add 2000::1/64 dev eth-client0
ip netns exec client0 ip a
# Bind the OVS interface to logical port ls1p1 through its iface-id.
ovs-vsctl set interface eth-client0 external_ids:iface-id=ls1p1
# Port security for ls1p1. The quotes pass the MAC and the IPv6 address/prefix
# as ONE argument, so they end up in a single port_security element; without
# the quotes each word would be a separate argument.
ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::1/64"

[root@impairment2 ~]# ovn-nbctl list Logical_Switch_Port ls1p1
_uuid               : b5208aef-7c16-4003-8a08-2f403c836a84
addresses           : ["00:01:02:03:01:01 192.168.1.1 2000::1"]
...
port_security       : ["00:01:02:03:01:01 2000::1/64"]
...
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1
PING 2000::a(2000::a) 56 data bytes
64 bytes from 2000::a: icmp_seq=1 ttl=254 time=0.600 ms

--- 2000::a ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.600/0.600/0.600/0.000 ms
[root@impairment2 ~]# 
[root@impairment2 ~]# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::/64"
[root@impairment2 ~]# ovn-nbctl list Logical_Switch_Port ls1p1
_uuid               : b5208aef-7c16-4003-8a08-2f403c836a84
addresses           : ["00:01:02:03:01:01 192.168.1.1 2000::1"]
...
port_security       : ["00:01:02:03:01:01 2000::/64"]
tag                 : []
tag_request         : []
type                : ""
up                  : true
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1
PING 2000::a(2000::a) 56 data bytes

--- 2000::a ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms    <<<--- ping failed

[root@impairment2 ~]# 

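Some other tests (each line shows the port_security value applied to ls1p1, followed by the ping result). Without quotes each word is passed as a separate port_security element, so the MAC stands alone as its own element and presumably permits any IP for that MAC; that would explain why the unquoted 192.168.1.2/24 case still pings: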
# ovn-nbctl lsp-set-port-security ls1p1 00:01:02:03:01:01 192.168.1.1/24  ping ok
# ovn-nbctl lsp-set-port-security ls1p1 00:01:02:03:01:01 192.168.1.2/24   ping ok (as no quotes)
# ovn-nbctl lsp-set-port-security ls1p1 00:01:02:03:01:02 192.168.1.2/24   ping nok
# ovn-nbctl lsp-set-port-security ls1p1 00:01:02:03:01:02 192.168.1.1/24   ping nok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 192.168.1.1/24"  ping ok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 192.168.1.2/24"  ping nok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::1"   ping ok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::1/64"  ping ok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::0/64"  ping nok
# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::/64" ping nok





~~~~~~~~~~~~~~~~~~~~~ Tested on ovn2.13-20.09.0-9.el8fdp ~~~~~~~~~~~~~~~~~~~~~ 

[root@impairment2 ~]# rpm -qa | egrep "openvswitch|ovn"
ovn2.13-host-20.09.0-9.el8fdp.x86_64
openvswitch2.13-2.13.0-60.el8fdp.x86_64
ovn2.13-20.09.0-9.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-central-20.09.0-9.el8fdp.x86_64
[root@impairment2 ~]# 

[root@impairment2 ~]# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::/64"
[root@impairment2 ~]# ovn-nbctl list Logical_Switch_Port ls1p1
_uuid               : ad101107-5e25-4787-a745-21bef30121dd
addresses           : ["00:01:02:03:01:01 192.168.1.1 2000::1"]
...
name                : ls1p1
...
port_security       : ["00:01:02:03:01:01 2000::/64"]
...

[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1
PING 2000::a(2000::a) 56 data bytes
64 bytes from 2000::a: icmp_seq=1 ttl=254 time=0.557 ms

--- 2000::a ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms        <<<--- ping succeeded
rtt min/avg/max/mdev = 0.557/0.557/0.557/0.000 ms

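[root@impairment2 ~]# # Also tried IPv6 address 2000::2/64 and got the same result: ping succeeds.
(Note: both checks on the fixed build use a source address inside 2000::/64, so they confirm that the prefix is now matched; they do not show that a source address outside the prefix is still dropped, which a negative test would cover.)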

[root@impairment2 ~]# ovn-nbctl lsp-set-addresses ls1p1 '00:01:02:03:01:01 192.168.1.1 2000::2/64'
[root@impairment2 ~]# ip netns exec client0 ip -6 addr del 2000::1/64 dev eth-client0
[root@impairment2 ~]# ip netns exec client0 ip -6 addr add 2000::2/64 dev eth-client0
[root@impairment2 ~]# 
[root@impairment2 ~]# 
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1
PING 2000::a(2000::a) 56 data bytes
64 bytes from 2000::a: icmp_seq=1 ttl=254 time=1.21 ms

--- 2000::a ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.209/1.209/1.209/0.000 ms
[root@impairment2 ~]# ovn-nbctl list Logical_Switch_Port ls1p1
_uuid               : ad101107-5e25-4787-a745-21bef30121dd
addresses           : ["00:01:02:03:01:01 192.168.1.1 2000::2/64"]
...
name                : ls1p1
options             : {}
parent_name         : []
port_security       : ["00:01:02:03:01:01 2000::/64"]
tag                 : []
tag_request         : []
type                : ""
up                  : true
[root@impairment2 ~]#

Comment 8 Zhiqiang Fang 2020-11-06 16:51:45 UTC
For el7:

~~~~~~~~~~~~~~~~~~~~~ Issue Reproduced on ovn2.13-20.09.0-2.el7fdp ~~~~~~~~~~~~~~~~~~~~~ 

[root@impairment2 ~]# rpm -qa | egrep "openvswitch|ovn"
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
openvswitch2.13-2.13.0-50.el7fdp.x86_64
ovn2.13-central-20.09.0-2.el7fdp.x86_64
ovn2.13-20.09.0-2.el7fdp.x86_64
ovn2.13-host-20.09.0-2.el7fdp.x86_64
[root@impairment2 ~]# ovn-nbctl lsp-set-port-security ls1p1 '00:01:02:03:01:01 2000::/64'
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1 
PING 2000::a(2000::a) 56 data bytes

--- 2000::a ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[root@impairment2 ~]#

[root@impairment2 ~]# ovn-nbctl lsp-set-port-security ls1p1 '00:01:02:03:01:01 2000::/64'
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1 
PING 2000::a(2000::a) 56 data bytes

--- 2000::a ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms




~~~~~~~~~~~~~~~~~~ Verified on ovn2.13-20.09.0-10.el7fdp ~~~~~~~~~~~~~~~~~~ 

[root@impairment2 ~]# rpm -qa | egrep "openvswitch|ovn"
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
openvswitch2.13-2.13.0-50.el7fdp.x86_64
ovn2.13-20.09.0-10.el7fdp.x86_64
ovn2.13-host-20.09.0-10.el7fdp.x86_64
ovn2.13-central-20.09.0-10.el7fdp.x86_64
[root@impairment2 ~]# 

[root@impairment2 ~]# ovn-nbctl lsp-set-port-security ls1p1 "00:01:02:03:01:01 2000::/64"
[root@impairment2 ~]# 
[root@impairment2 ~]# 
[root@impairment2 ~]# ip netns exec client0 ping6 2000::a -c 1
PING 2000::a(2000::a) 56 data bytes
64 bytes from 2000::a: icmp_seq=1 ttl=254 time=0.502 ms

--- 2000::a ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.502/0.502/0.502/0.000 ms
[root@impairment2 ~]#

Comment 10 errata-xmlrpc 2020-12-01 15:07:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5308