
Bug 1919812

Summary: Traffic is broken for ACLs which result in conjunctive OF flows
Product: Red Hat Enterprise Linux Fast Datapath
Component: ovn2.13
Version: FDP 20.I
Status: CLOSED ERRATA
Reporter: Numan Siddique <nusiddiq>
Assignee: Numan Siddique <nusiddiq>
QA Contact: Jianlin Shi <jishi>
CC: averi, ctrautma, dhill, jishi, ralongi
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-03-15 14:36:03 UTC

Description Numan Siddique 2021-01-25 08:29:37 UTC
Description of problem:

Steps to reproduce:

ovn-nbctl ls-add ls1

ovn-nbctl lsp-add ls1 ls1-lp1 \
-- lsp-set-addresses ls1-lp1 "f0:00:00:00:00:01 10.0.0.2"

ovn-nbctl lsp-add ls1 ls1-lp2 \
-- lsp-set-addresses ls1-lp2 "f0:00:00:00:00:02 10.0.0.3"


ovn-nbctl acl-add ls1 to-lport 2 'arp' allow
ovn-nbctl acl-add ls1 to-lport 1 'ip4' drop
ovn-nbctl acl-add ls1 to-lport 3 '(ip4.src==10.0.0.1 || ip4.src==10.0.0.2) && (ip4.dst == 10.0.0.3 || ip4.dst == 10.0.0.4)' allow


Bind ls1-lp1 and ls1-lp2 on same node.

Ping from 10.0.0.2 to 10.0.0.3.

Run:

ovn-appctl -t ovn-controller recompute

or:

ovn-sbctl chassis-add foo geneve 127.0.0.3    (creates a dummy chassis entry)


Ping again from 10.0.0.2 to 10.0.0.3. This doesn't work.

Comment 1 Numan Siddique 2021-01-25 08:30:25 UTC
Patch to fix the issue - https://patchwork.ozlabs.org/project/ovn/patch/20210122083351.1537586-1-numans@ovn.org/
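The symptom in the report (traffic that a higher-priority conjunctive ACL should allow is dropped after a recompute) is what you see when the OpenFlow conjunction flows generated for an ACL and the conj_id flow that carries its action fall out of step: the lower-priority "ip4 drop" ACL then wins. The following script is an added diagnostic, not code from the bug report or from the OVN project. It parses the text format of `ovs-ofctl dump-flows br-int` and flags conjunction ids whose dimension flows or conj_id flow are missing, so the flow table can be checked before and after a recompute. The embedded sample dumps are constructed to mirror the two-source by two-destination ACL from the report; the table number, cookies and the simplified allow action are placeholders and are not claimed to match what ovn-controller actually installs.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `ovs-ofctl dump-flows`; table number,
# cookies and the "resubmit" allow action are placeholders, not real OVN output.
# Two source addresses form dimension 1/2, two destination addresses form
# dimension 2/2, and a single conj_id=2 flow carries the action that runs
# when both dimensions match.
SAMPLE_GOOD = """
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(2,1/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(2,1/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_dst=10.0.0.3 actions=conjunction(2,2/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_dst=10.0.0.4 actions=conjunction(2,2/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=3, n_bytes=294, priority=2001,ip,metadata=0x1 actions=drop
"""

# Constructed broken table: the destination dimension is absent, so the
# conjunction can never complete and the priority-2001 drop flow wins.
SAMPLE_BROKEN = """
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,conj_id=2,ip,metadata=0x1 actions=resubmit(,45)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_src=10.0.0.1 actions=conjunction(2,1/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=0, n_bytes=0, priority=2003,ip,metadata=0x1,nw_src=10.0.0.2 actions=conjunction(2,1/2)
 cookie=0x0, duration=1.0s, table=44, n_packets=3, n_bytes=294, priority=2001,ip,metadata=0x1 actions=drop
"""

# One dump-flows line: "table=N, ..., priority=P,<match> actions=<actions>"
FLOW_RE = re.compile(
    r"table=(?P<table>\d+),.*?priority=(?P<prio>\d+)"
    r"(?:,(?P<match>\S*))?\s+actions=(?P<actions>\S.*)$"
)
CONJ_MATCH_RE = re.compile(r"(?:^|,)conj_id=(\d+)(?:,|$)")
CONJ_ACTION_RE = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")


def parse_flows(dump_text):
    """Return (table, priority, match, actions) for every flow line in the dump."""
    flows = []
    for line in dump_text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((int(m["table"]), int(m["prio"]),
                          m["match"] or "", m["actions"]))
    return flows


def check_conjunctions(dump_text):
    """List inconsistencies between conjunction(id,k/n) flows and the conj_id
    flows that carry their action; an empty list means the table is consistent.
    Conjunction ids are scoped per table, so everything is keyed by (table, id)."""
    conj_id_flows = defaultdict(int)               # (table, id) -> conj_id flow count
    dims = defaultdict(lambda: defaultdict(set))   # (table, id) -> n -> {k seen}
    for table, _prio, match, actions in parse_flows(dump_text):
        cm = CONJ_MATCH_RE.search(match)
        if cm:
            conj_id_flows[(table, int(cm.group(1)))] += 1
        for cid, k, n in CONJ_ACTION_RE.findall(actions):
            dims[(table, int(cid))][int(n)].add(int(k))

    problems = []
    for (table, cid), by_n in dims.items():
        if (table, cid) not in conj_id_flows:
            problems.append(f"table {table}: conjunction id {cid} has no conj_id={cid} flow to carry its action")
        if len(by_n) > 1:
            problems.append(f"table {table}: conjunction id {cid} uses differing dimension counts {sorted(by_n)}")
        for n, ks in by_n.items():
            missing = sorted(set(range(1, n + 1)) - ks)
            if missing:
                problems.append(f"table {table}: conjunction id {cid} is missing dimension(s) {missing} of {n}")
    for (table, cid) in conj_id_flows:
        if (table, cid) not in dims:
            problems.append(f"table {table}: conj_id={cid} flow has no conjunction(...) flows feeding it")
    return sorted(problems)


if __name__ == "__main__":
    import sys
    # Read a real dump from stdin when piped in; otherwise demonstrate on the broken sample.
    text = SAMPLE_BROKEN if sys.stdin.isatty() else sys.stdin.read()
    for line in check_conjunctions(text) or ["no conjunction inconsistencies found"]:
        print(line)
```

Run it once before and once after `ovn-appctl -t ovn-controller recompute`, for example `ovs-ofctl -O OpenFlow13 dump-flows br-int | python3 check_conj.py` (OVN's br-int needs a newer OpenFlow version selected with `-O`); a consistent table produces no output lines other than the "no inconsistencies" message, and any reported id points at the ACL whose traffic will be silently dropped.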

Comment 3 Jianlin Shi 2021-01-29 05:57:40 UTC
tested with the following script:

systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:1.1.38.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=1.1.38.25
systemctl restart ovn-controller

ps aux | grep ovn-controller

ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1p1
#ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 2001::1 192.168.1.1"
ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1"
ovn-nbctl lsp-add ls1 ls1p2
ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2"

ovn-nbctl acl-add ls1 to-lport 2 'arp' allow
ovn-nbctl acl-add ls1 to-lport 1 'ip4' drop
ovn-nbctl acl-add ls1 to-lport 3 '(ip4.src==192.168.1.5 || ip4.src==192.168.1.1) && (ip4.dst == 192.168.1.2 || ip4.dst == 192.168.1.4)' allow
ovn-nbctl acl-add ls1 to-lport 3 '(ip4.src==192.168.1.4 || ip4.src==192.168.1.2) && (ip4.dst == 192.168.1.1 || ip4.dst == 192.168.1.5)' allow

ip netns add server0
ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p
ip netns exec server0 ip link set lo up
ip netns exec server0 ip link set veth0_s0 up
ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02
ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0
ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0
ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0
ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0
ovs-vsctl add-port br-int veth0_s0_p
ip link set veth0_s0_p up
ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1

ip netns add server1
ip link add veth0_s1 netns server1 type veth peer name veth0_s1_p
ip netns exec server1 ip link set lo up
ip netns exec server1 ip link set veth0_s1 up
ip netns exec server1 ip link set veth0_s1 address 00:00:00:01:02:02
ip netns exec server1 ip addr add 192.168.1.2/24 dev veth0_s1
ip netns exec server1 ip -6 addr add 2001::2/64 dev veth0_s1
ip netns exec server1 ip route add default via 192.168.1.254 dev veth0_s1
ip netns exec server1 ip -6 route add default via 2001::a dev veth0_s1

ovs-vsctl add-port br-int veth0_s1_p
ip link set veth0_s1_p up
ovs-vsctl set interface veth0_s1_p external_ids:iface-id=ls1p2

ovn-nbctl --wait=hv sync
ip netns exec server0 ping 192.168.1.2 -c 1
ovn-appctl -t ovn-controller recompute
ovn-nbctl --wait=hv sync
ip netns exec server0 ping 192.168.1.2 -c 1

reproduced on 20.12.0-1:

[root@dell-per740-12 bz1919812]# rpm -qa | grep -E "openvswitch2.13|ovn2.13"
ovn2.13-central-20.12.0-1.el8fdp.x86_64
openvswitch2.13-2.13.0-82.el8fdp.x86_64
ovn2.13-20.12.0-1.el8fdp.x86_64
ovn2.13-host-20.12.0-1.el8fdp.x86_64

+ ip netns exec server0 ping 192.168.1.2 -c 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.45 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.451/1.451/1.451/0.000 ms
+ ovn-appctl -t ovn-controller recompute
+ ovn-nbctl --wait=hv sync
+ ip netns exec server0 ping 192.168.1.2 -c 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
<=== failed

Verified on 20.12.0-8:

[root@dell-per740-12 bz1919812]# rpm -qa | grep -E "openvswitch2.13|ovn2.13"
ovn2.13-host-20.12.0-9.el8fdp.x86_64
openvswitch2.13-2.13.0-82.el8fdp.x86_64
ovn2.13-central-20.12.0-9.el8fdp.x86_64
ovn2.13-20.12.0-9.el8fdp.x86_64

+ ip netns exec server0 ping 192.168.1.2 -c 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.19 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.186/1.186/1.186/0.000 ms
+ ovn-appctl -t ovn-controller recompute
+ ovn-nbctl --wait=hv sync
+ ip netns exec server0 ping 192.168.1.2 -c 1
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.088 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.088/0.088/0.088/0.000 ms

<=== passed

Comment 6 Jianlin Shi 2021-02-18 00:59:26 UTC
set VERIFIED per comment 3

Comment 8 errata-xmlrpc 2021-03-15 14:36:03 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0836