+++ This bug was initially created as a clone of Bug #1840556 +++ RPM versions on the compute node openvswitch2.11-2.11.0-35.el8fdp.x86_64 network-scripts-openvswitch2.11-2.11.0-35.el8fdp.x86_64 rhosp-openvswitch-2.11-0.5.el8ost.noarch ovn2.11-2.11.1-44.el8fdp.x86_64 rhosp-openvswitch-ovn-host-2.11-0.6.el8ost.noarch puppet-ovn-15.4.1-0.20200229002436.192ac4e.el8ost.noarch rhosp-openvswitch-ovn-common-2.11-0.6.el8ost.noarch ovn2.11-host-2.11.1-44.el8fdp.x86_64 Customer is creating rule ALLOW IPv4 8081-8086/tcp from 0.0.0.0/0 and gets this error logs, from either using horizon or CLI 2020-08-24T14:13:35.062Z|00733|ofp_actions|WARN|"conjunction" actions may be used along with "note" but not any other kind of action (such as the "set_field" action used here) 2020-08-24T14:13:35.062Z|00734|ofctrl|INFO|OpenFlow error: OFPT_ERROR (OF1.3) (xid=0x14863): NXBAC_BAD_CONJUNCTION OFPT_FLOW_MOD (OF1.3) (xid=0x14863): ***decode error: NXBAC_BAD_CONJUNCTION***
*** Bug 1889282 has been marked as a duplicate of this bug. ***
reproduced with following script on ovn20.09-2: systemctl start openvswitch systemctl start ovn-northd ovn-nbctl set-connection ptcp:6641 ovn-sbctl set-connection ptcp:6642 ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:20.0.49.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.49.25 systemctl restart ovn-controller ip netns add server0 ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p ip netns exec server0 ip link set lo up ip netns exec server0 ip link set veth0_s0 up ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02 ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0 ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0 ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0 ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0 ovs-vsctl add-port br-int veth0_s0_p ip link set veth0_s0_p up ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1 ovn-nbctl ls-add ls1 ovn-nbctl lsp-add ls1 ls1p1 #ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 2001::1 192.168.1.1" ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1" ovn-nbctl lsp-add ls1 ls1p2 ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2" ovn-nbctl lr-add lr1 ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:00:01 192.168.1.254/24 2001::a/64 ovn-nbctl lsp-add ls1 ls1-lr1 ovn-nbctl lsp-set-addresses ls1-lr1 "00:00:00:00:00:01 192.168.1.254 2001::a" ovn-nbctl lsp-set-type ls1-lr1 router ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1 ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:00:02 192.168.2.254/24 2002::a/64 ovn-nbctl ls-add ls2 ovn-nbctl lsp-add ls2 ls2-lr1 ovn-nbctl lsp-set-addresses ls2-lr1 "00:00:00:00:00:02 192.168.2.254 2002::a" ovn-nbctl lsp-set-type ls2-lr1 router ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2 ovn-nbctl lsp-add ls2 ls2p1 ovn-nbctl lsp-set-addresses ls2p1 "00:00:00:02:01:02 192.168.2.1 2002::1" ovn-nbctl lsp-add ls1 ls1p3 ovn-nbctl lsp-set-addresses ls1p3 "00:00:00:01:03:02 192.168.1.3 2001::3" ip netns add server2 ip link add veth0_s2 netns server2 type veth peer name veth0_s2_p ip netns exec server2 ip link set lo up ip netns exec server2 ip link set veth0_s2 up ip netns exec server2 ip link set veth0_s2 address 00:00:00:01:03:02 ip netns exec server2 ip addr add 192.168.1.3/24 dev veth0_s2 ip netns exec server2 ip -6 addr add 2001::3/64 dev veth0_s2 ip netns exec server2 ip route add default via 192.168.1.254 dev veth0_s2 ip netns exec server2 ip -6 route add default via 2001::a dev veth0_s2 ovs-vsctl add-port br-int veth0_s2_p ip link set veth0_s2_p up ovs-vsctl set interface veth0_s2_p external_ids:iface-id=ls1p3 ovn-nbctl pg-add pg0 ls1p1 ls1p3 ovn-nbctl acl-add pg0 to-lport 1002 "(outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp)" allow-related ovn-nbctl acl-add pg0 to-lport 1002 "(outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst >= 30000 && tcp.dst <= 33000)" allow-related ovn-nbctl acl-list pg0 on ovn20.09.0-2: get following error in ovn-controller.log: 2020-11-04T05:36:14.960Z|00018|ofp_actions|WARN|"conjunction" actions may be used along with "note" but not any other kind of action (such as the "set_field" action used here) 2020-11-04T05:36:14.960Z|00019|ofctrl|INFO|OpenFlow error: OFPT_ERROR (OF1.5) (xid=0x1e4): NXBAC_BAD_CONJUNCTION OFPT_FLOW_MOD (OF1.5) (xid=0x1e4): ***decode error: NXBAC_BAD_CONJUNCTION*** 00000000 06 0e 00 c8 00 00 01 e4-00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00-2d 02 00 00 00 00 07 d2 |........-.......| 00000020 ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 |................| 00000030 00 01 00 43 80 00 0a 02-08 00 80 00 14 01 06 80 |...C............| 00000040 01 01 10 00 00 00 80 00-00 00 00 00 00 00 80 00 |................| 00000050 00 00 00 80 01 0f 10 00-00 00 00 00 00 00 01 00 |................| 00000060 00 00 00 ff ff ff ff 80-00 04 08 00 00 00 00 00 |................| 00000070 00 00 01 00 00 00 00 00-00 04 00 50 00 00 00 00 |...........P....| 00000080 00 19 00 28 00 01 df 20-00 00 00 02 00 00 00 00 |...(... ........| 00000090 00 00 00 00 00 00 00 00-00 00 00 02 00 00 00 00 |................| 000000a0 00 00 00 00 00 00 00 00-ff ff 00 10 00 00 23 20 |..............# | 000000b0 00 0e ff f8 2e 00 00 00-ff ff 00 10 00 00 23 20 |..............# | 000000c0 00 22 00 02 00 00 00 02- |."...... | 2020-11-04T05:36:14.960Z|00020|ofp_actions|WARN|"conjunction" actions may be used along with "note" but not any other kind of action (such as the "set_field" action used here) 2020-11-04T05:36:14.960Z|00021|ofctrl|INFO|OpenFlow error: OFPT_ERROR (OF1.5) (xid=0x1eb): NXBAC_BAD_CONJUNCTION OFPT_FLOW_MOD (OF1.5) (xid=0x1eb): ***decode error: NXBAC_BAD_CONJUNCTION*** 00000000 06 0e 00 c8 00 00 01 eb-00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00-2d 02 00 00 00 00 07 d2 |........-.......| 00000020 ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 |................| 00000030 00 01 00 43 80 00 0a 02-08 00 80 00 14 01 06 80 |...C............| 00000040 01 01 10 00 00 00 80 00-00 00 00 00 00 00 80 00 |................| 00000050 00 00 00 80 01 0f 10 00-00 00 00 00 00 00 04 00 |................| 00000060 00 00 00 ff ff ff ff 80-00 04 08 00 00 00 00 00 |................| 00000070 00 00 01 00 00 00 00 00-00 04 00 50 00 00 00 00 |...........P....| 00000080 00 19 00 28 00 01 df 20-00 00 00 02 00 00 00 00 |...(... ........| 00000090 00 00 00 00 00 00 00 00-00 00 00 02 00 00 00 00 |................| 000000a0 00 00 00 00 00 00 00 00-ff ff 00 10 00 00 23 20 |..............# | 000000b0 00 0e ff f8 2e 00 00 00-ff ff 00 10 00 00 23 20 |..............# | 000000c0 00 22 00 02 00 00 00 02- |."...... | Verified on ovn20.09.0-9: no error in ovn-controller.log [root@dell-per740-42 bz1871931]# rpm -qa | grep -E "openvswitch|ovn" openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch ovn2.13-20.09.0-9.el8fdp.x86_64 openvswitch2.13-2.13.0-65.el8fdp.x86_64 ovn2.13-central-20.09.0-9.el8fdp.x86_64 ovn2.13-host-20.09.0-9.el8fdp.x86_64
also verified on rhel7 version: ovn2.13.0-20.09.0-9.el7
[root@dell-per740-12 bz1871931]# rpm -qa | grep -E "openvswitch|ovn" openvswitch2.13-2.13.0-55.el7fdp.x86_64 ovn2.13-host-20.09.0-9.el7fdp.x86_64 openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch ovn2.13-central-20.09.0-9.el7fdp.x86_64 ovn2.13-20.09.0-9.el7fdp.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:5308
*** Bug 1906932 has been marked as a duplicate of this bug. ***