This was added to OVN in this patch: https://github.com/ovn-org/ovn/commit/7e2c892c380aeddc4bbc9ceb5e759ee9ac62176d The change is present in OVN 21.09.
Changing back to MODIFIED so this gets QE attention.
reproduced on version:
ovn-2021-host-21.06.0-29.el8fdp.x86_64
ovn-2021-central-21.06.0-29.el8fdp.x86_64
ovn-2021-21.06.0-29.el8fdp.x86_64

server:
    ovn-nbctl ls-add lsw1
    ovn-nbctl --wait=sb add Logical-Switch lsw1 other_config vlan-passthru=true
    ovn-nbctl lsp-add lsw1 lp1
    ovn-nbctl lsp-set-addresses lp1 "f0:00:00:00:00:01 10.0.0.1"
    ovn-nbctl lsp-add lsw1 lp2
    ovn-nbctl lsp-set-addresses lp2 "f0:00:00:00:00:02 10.0.0.2"
    ovs-vsctl add-port br-int vm3 -- set interface vm3 type=internal
    ip netns add vm3
    ip link set vm3 netns vm3
    ip netns exec vm3 ip link set lo up
    ip netns exec vm3 ip link set vm3 up
    ip netns exec vm3 ip link set vm3 address f0:00:00:00:00:01
    ip netns exec vm3 ip addr add 10.0.0.1/24 dev vm3
    ovs-vsctl set Interface vm3 external_ids:iface-id=lp1
    ovn-nbctl acl-add lsw1 to-lport 1000 udp drop

client:
    ovs-vsctl add-port br-int vm4 -- set interface vm4 type=internal
    ip netns add vm4
    ip link set vm4 netns vm4
    ip netns exec vm4 ip link set lo up
    ip netns exec vm4 ip link set vm4 up
    ip netns exec vm4 ip link set vm4 address f0:00:00:00:00:02
    ip netns exec vm4 ip addr add 10.0.0.2/24 dev vm4
    ovs-vsctl set Interface vm4 external_ids:iface-id=lp2

from vm4 send packet:

    #! /usr/bin/python
    import sys
    from scapy.all import *

    def main():
        # Do not require the reply address to match; we only send, never receive.
        conf.checkIPaddr = False
        # Kept from the original script; the values are not used below.
        fam, hw = get_if_raw_hwaddr(conf.iface)
        # Double-tagged (802.1Q in 802.1Q) UDP packet from lp2 to lp1, sent via vm4.
        sendp(Ether(src="f0:00:00:00:00:02", dst="f0:00:00:00:00:01")
              / Dot1Q(vlan=1) / Dot1Q(vlan=2)
              / IP(src="10.0.0.2", dst="10.0.0.1")
              / UDP(sport=12345, dport=23456)
              / "aaaaaaaaaaaaaa",
              iface="vm4")

    if __name__ == "__main__":
        main()

At this time, vm3 can also receive the UDP packet; it didn't match the ACL.

    # tcpdump -r vm3.pcap -nnle
    reading from file vm3.pcap, link-type LINUX_SLL (Linux cooked v1)
    dropped privs to tcpdump
    04:22:30.089222 In f0:00:00:00:00:02 ethertype 802.1Q (0x8100), length 66: vlan 1, p 0, ethertype 802.1Q, vlan 2, p 0, ethertype IPv4, 10.0.0.2.12345 > 10.0.0.1.23456: UDP, length 14

Set vlan-limit=0, then send the VLAN packet again.
At this time, vm3 can't receive the UDP packet; it matched the ACL.

    ip netns exec vm3 tcpdump -i any -w vm3.pcap
    ^C0 packets captured
    0 packets received by filter
    0 packets dropped by kernel

verified on version:
ovn-2021-21.09.0-20.el8fdp.x86_64
ovn-2021-host-21.09.0-20.el8fdp.x86_64
ovn-2021-central-21.09.0-20.el8fdp.x86_64

No need to set vlan-limit=0: send the VLAN packet, and vm3 can't receive the UDP packet; it matched the ACL.

    ip netns exec vm3 tcpdump -i any -w vm3.pcap
    ^C0 packets captured
    0 packets received by filter
    0 packets dropped by kernel
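Added example, not part of the bug report or of OVN's own code: a small model of the classification problem the reproducer shows. A parser that is only allowed to look past one 802.1Q tag (the vlan-limit=1 behaviour above) never reaches the IPv4/UDP headers of a double-tagged frame, so a "udp drop" rule has nothing to match and the frame is allowed through. Parsing every tag (vlan-limit=0) restores the match, and treating an unparsed tag as a drop closes the gap even when the tag budget is exhausted. The frame builder, the `parse_frame`/`acl_decision` helpers and the fail-closed policy are assumptions made for this illustration, not a description of the OVN patch; the frames are constructed to mirror the report's scapy packet.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag ethertype
ETH_P_IP = 0x0800      # IPv4
IPPROTO_UDP = 17


def mac(s):
    return bytes(int(b, 16) for b in s.split(":"))


def ipv4_checksum(hdr):
    """Standard ones-complement checksum over an IPv4 header."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(dst_mac, src_mac, vlans, src_ip, dst_ip, sport, dport, payload):
    """Constructed test frame: Ethernet, N stacked 802.1Q tags, IPv4, UDP."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                         IPPROTO_UDP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlans)
    return mac(dst_mac) + mac(src_mac) + tags + struct.pack("!H", ETH_P_IP) + ip_hdr + udp


def parse_frame(frame, vlan_limit=1):
    """Walk the Ethernet headers, descending through at most vlan_limit 802.1Q
    tags (0 = no limit), modelling the vlan-limit knob from the reproducer.
    Returns (vlan_ids, ethertype_seen, ip_proto); ip_proto is None when the
    parser stopped on a tag it was not allowed to look past."""
    vlan_ids = []
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype == ETH_P_8021Q:
        if vlan_limit and len(vlan_ids) >= vlan_limit:
            # Tag budget exhausted: the remaining tag and everything inside it stay opaque.
            return vlan_ids, ETH_P_8021Q, None
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlan_ids.append(tci & 0x0FFF)
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != ETH_P_IP:
        return vlan_ids, ethertype, None
    return vlan_ids, ethertype, frame[off + 9]   # IPv4 protocol field


def acl_decision(frame, vlan_limit=1, fail_closed=False):
    """Apply the report's 'to-lport udp drop' rule to a parsed frame. With
    fail_closed=True (assumed defensive policy for this example) a frame whose
    tags could not be fully parsed is dropped instead of passing unclassified."""
    _, ethertype, ip_proto = parse_frame(frame, vlan_limit)
    if ip_proto == IPPROTO_UDP:
        return "drop"
    if fail_closed and ethertype == ETH_P_8021Q:
        return "drop"
    return "allow"


# Constructed frames mirroring the report's scapy packet (vlan 1 outer, vlan 2 inner).
QINQ = build_udp_frame("f0:00:00:00:00:01", "f0:00:00:00:00:02", [1, 2],
                       "10.0.0.2", "10.0.0.1", 12345, 23456, b"a" * 14)
SINGLE = build_udp_frame("f0:00:00:00:00:01", "f0:00:00:00:00:02", [1],
                         "10.0.0.2", "10.0.0.1", 12345, 23456, b"a" * 14)

if __name__ == "__main__":
    print("double-tagged, vlan-limit=1:", acl_decision(QINQ, 1))        # allow (rule never sees UDP)
    print("double-tagged, vlan-limit=0:", acl_decision(QINQ, 0))        # drop
    print("double-tagged, vlan-limit=1, fail closed:", acl_decision(QINQ, 1, True))  # drop
    print("single-tagged, vlan-limit=1:", acl_decision(SINGLE, 1))      # drop
```

The single-tagged frame is dropped under every setting, which is why the gap is easy to miss in testing: only a frame with more tags than the parser is allowed to consume arrives at the ACL stage without an L3/L4 classification. The detection takeaway from the report is the same as the model's: capture at the receiving port (as the tcpdump above does) and treat any frame that reaches a workload with an ethertype of 0x8100 still visible as a sign that the filter never classified it.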
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:5059