Bug 1955161 - OVN Expression parser generates repeated conjunctions
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: OVN
Version: FDP 21.D
Hardware: Unspecified
OS: Unspecified
high
unspecified
Assignee: OVN Team
QA Contact: Ehsan Elahi
Blocks: 1953613
Reported: 2021-04-29 14:53 UTC by Mark Michelson
Modified: 2021-06-21 14:46 UTC (History)

Fixed In Version: ovn2.13-20.12.0-119
Last Closed: 2021-06-21 14:44:39 UTC
Links
System ID: Red Hat Product Errata RHBA-2021:2507 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2021-06-21 14:46:02 UTC

Description Mark Michelson 2021-04-29 14:53:03 UTC
ACLs and Router Policies afford users the ability to make creative decisions for the match. Consider the following logical router policy:

ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"(ip4.dst == 192.168.0.1/32) && ip4.src == \$my_set && ip4.dst != 10.128.0.0/14\"" action=allow

When applied in a sandboxed environment, this ends up yielding the following OpenFlow:

 cookie=0x5b6b0dc3, duration=8.039s, table=20, n_packets=0, n_bytes=0, priority=9999,conj_id=2,ip,metadata=0x2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x0, duration=8.028s, table=20, n_packets=0, n_bytes=0, priority=9999,ip,metadata=0x2,nw_dst=192.168.0.1 actions=conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2)

(The address set portion of the conjunctive match is the 2/2 part, and has been redacted)

In this case, the resulting OpenFlow has the same conjunction action repeated 7 times. It should only be there once.

This appears to be related to the ip4.dst matches that contradict each other. The positive match for 192.168.0.1 overrides the negative matches for 10.128.0.0/14. However, this somehow is generating extra conjunction matches. A few notes:

1) If you remove the positive ip4.dst match, then conjunctive match flows are created as expected.
2) If you remove the address set, then there is no conjunctive match created.
3) If you remove the negative ip4.dst match, then no conjunctive match is created.
4) The number of conjunction actions created has no relation to the size of the address set. Whether there are 5 or 500 addresses, we always see 7 conjunction actions in the generated OpenFlow.
5) If I mess with the netmask on the negative match, I can change the number of generated conjunction actions. /12 gives 6 conjunctions, /18 gives 9 conjunctions, /24 gives 9 conjunctions.

To fix this, we should ensure that only a single conjunction action is generated in this situation.

Comment 2 Mark Michelson 2021-05-18 17:14:22 UTC
Updating to MODIFIED and updating fixed-in version to ovn2.13-20.12.0-119

Comment 3 Ehsan Elahi 2021-05-24 18:23:35 UTC
Reproduced in:

[root@dell-per740-30 ~]# rpm -qa | grep ovn2.13
ovn2.13-20.12.0-118.el8fdp.x86_64
ovn2.13-central-20.12.0-118.el8fdp.x86_64
ovn2.13-host-20.12.0-118.el8fdp.x86_64

The topo I used is:
vm1---42.42.42.2---LS1---42.42.42.1----RTR----66.66.66.1----LS3----66.66.66.2----vm3
                                        |
                                   77.77.77.1
                                        |
                                       LS2----77.77.77.2 ----vm2

Policy setting used is:
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"(ip4.dst == 77.77.77.2/32) && ip4.src =={42.42.42.2/32,42.42.42.3/32} && ip4.dst != 66.66.66.2/32\"" action=allow -- add logical_router $uuid policies @logical_router_policy

[root@dell-per740-30 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
 cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_dst=77.77.77.2 actions=conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2),conjunction(2,1/2)
 cookie=0xde1f257c, duration=31.520s, table=20, n_packets=3, n_bytes=294, idle_age=22, priority=9999,conj_id=2,ip,metadata=0x1 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3 actions=conjunction(2,2/2)
 cookie=0x0, duration=31.520s, table=20, n_packets=0, n_bytes=0, idle_age=31, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2 actions=conjunction(2,2/2)

<==== multiple conjunctions created

Verified in:
[root@dell-per740-81 ~]# rpm -qa | grep ovn2.13
ovn2.13-20.12.0-120.el8fdp.x86_64
ovn2.13-central-20.12.0-120.el8fdp.x86_64
ovn2.13-host-20.12.0-120.el8fdp.x86_64

Same policy setting

[root@dell-per740-81 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
 cookie=0x5de3a816, duration=28.052s, table=20, n_packets=3, n_bytes=294, idle_age=3, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x5de3a816, duration=28.052s, table=20, n_packets=0, n_bytes=0, idle_age=28, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)

<==== No conjunction seen

Then, if the positive ip4.dst match is removed, a conjunctive match is created:
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"ip4.src =={42.42.42.2/32,42.42.42.3/32} && ip4.dst != 66.66.66.2/32\"" action=allow -- add logical_router 3e08bc1e-63a0-435c-b1de-548cc444aa50 policies @logical_router_policy

[root@dell-per740-81 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
cookie=0x0, duration=16.726s, table=20, n_packets=0, n_bytes=0, idle_age=16, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.64/0.0.0.64 actions=conjunction(2,1/2)
cookie=0x0, duration=16.726s, table=20, n_packets=0, n_bytes=0, idle_age=16, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.64.0.0 actions=conjunction(2,1/2)
.....
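
Added example, not part of the original report and not OVN or Open vSwitch code: a Python check that scans ovs-ofctl dump-flows output for flows whose action list repeats the same conjunction clause, which is the symptom reproduced above. The sample flows are constructed from the output quoted in this report, and the name repeated_conjunctions is an assumption of the example.

```python
import re
from collections import Counter

# One conjunction(id,k/n) action as printed by ovs-ofctl dump-flows.
CONJ_RE = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")

def repeated_conjunctions(dump_text):
    """Return (match, clause, count) for each flow that lists the same
    conjunction(id,k/n) clause more than once in its actions."""
    findings = []
    for line in dump_text.splitlines():
        if " actions=" not in line:
            continue
        head, actions = line.strip().split(" actions=", 1)
        match = head.split(", ")[-1]  # "priority=...,<match fields>"
        counts = Counter(CONJ_RE.findall(actions))
        for (conj_id, k, n), count in sorted(counts.items()):
            if count > 1:
                findings.append((match, f"conjunction({conj_id},{k}/{n})", count))
    return findings

# Constructed samples modelled on the flows quoted in this report.
PREFIX = " cookie=0x0, duration=8.028s, table=20, n_packets=0, n_bytes=0, "
BUGGY = "\n".join([
    PREFIX + "priority=9999,conj_id=2,ip,metadata=0x2 actions=resubmit(,21)",
    PREFIX + "priority=9999,ip,metadata=0x2,nw_dst=192.168.0.1 actions="
           + ",".join(["conjunction(2,1/2)"] * 7),
    PREFIX + "priority=9999,ip,metadata=0x2,nw_src=42.42.42.2 actions=conjunction(2,2/2)",
])
FIXED = "\n".join([
    PREFIX + "priority=9999,ip,metadata=0x1,nw_src=42.42.42.2,nw_dst=77.77.77.2 actions=resubmit(,21)",
    PREFIX + "priority=9999,ip,metadata=0x1,nw_src=42.42.42.3,nw_dst=77.77.77.2 actions=resubmit(,21)",
])
# A flow may legitimately belong to several different conjunctions.
SHARED = PREFIX + "priority=9999,ip,metadata=0x1,nw_dst=10.0.0.1 actions=conjunction(2,1/2),conjunction(3,1/2)"

if __name__ == "__main__":
    for name, text in (("buggy", BUGGY), ("fixed", FIXED), ("shared", SHARED)):
        print(name, repeated_conjunctions(text))
```

On a live host the same function can be fed the captured text of ovs-ofctl dump-flows br-int; an empty result means no flow repeats a clause.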

Comment 6 Ehsan Elahi 2021-06-04 09:24:12 UTC
Verified on:
[root@dell-per740-30 ~]# rpm -qa | grep ovn
ovn2.13-20.12.0-135.el8fdp.x86_64
ovn2.13-central-20.12.0-135.el8fdp.x86_64
ovn2.13-host-20.12.0-135.el8fdp.x86_64

topo I used is:
vm1---42.42.42.2---LS1---42.42.42.1----RTR----66.66.66.1----LS3----66.66.66.2----vm3
                                        |
                                   77.77.77.1
                                        |
                                       LS2----77.77.77.2 ----vm2

Policy setting used is:
ovn-nbctl create Address_Set name=myset addresses="42.42.42.2/32 42.42.42.3/32 42.42.42.4/32"
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"(ip4.dst == 77.77.77.2/32) && ip4.src ==\$myset && ip4.dst != 66.66.0.0/16\"" action=allow -- add logical_router $rtr_uuid policies @logical_router_policy

[root@dell-per740-30 ~]# ovs-ofctl dump-flows br-int | grep priority=9999
 cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=3, n_bytes=294, idle_age=17, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=0, n_bytes=0, idle_age=30, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x82c4cbec, duration=30.179s, table=20, n_packets=0, n_bytes=0, idle_age=30, priority=9999,ip,metadata=0x1,nw_src=42.42.42.4,nw_dst=77.77.77.2 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)

<======= No conjunctive matches found

Removing positive ip4.dst, conjunctive matches created:
ovn-nbctl lr-policy-del rtr 9999
ovn-nbctl --id=@logical_router_policy -- create logical_router_policy priority=9999 "match=\"ip4.src ==\$myset && ip4.dst != 66.66.0.0/16\"" action=allow -- add logical_router 0c73a602-d9e8-461c-9434-46722f8fbfd5 policies @logical_router_policy
ovs-ofctl dump-flows br-int | grep priority=9999
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.64.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=1.0.0.0/1.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=8.0.0.0/8.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.2 actions=conjunction(3,2/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.3 actions=conjunction(3,2/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_src=42.42.42.4 actions=conjunction(3,2/2)
 cookie=0x5fb45c8a, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,conj_id=3,ip,metadata=0x1 actions=load:0->OXM_OF_PKT_REG4[32..47],resubmit(,21)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/0.2.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.128.0.0/0.128.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=32.0.0.0/32.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/64.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=128.0.0.0/1 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.0.0.0/2.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.32.0.0/0.32.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=16.0.0.0/16.0.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.16.0.0/0.16.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.4.0.0/0.4.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.1.0.0/0.1.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=0.8.0.0/0.8.0.0 actions=conjunction(3,1/2)
 cookie=0x0, duration=9.883s, table=20, n_packets=0, n_bytes=0, idle_age=9, priority=9999,ip,metadata=0x1,nw_dst=4.0.0.0/4.0.0.0 actions=conjunction(3,1/2)

<============== conjunctive matches found as expected

Also verified on:

[root@dell-per740-81 ~]# rpm -qa |grep ovn
ovn2.13-central-20.12.0-135.el7fdp.x86_64
ovn2.13-20.12.0-135.el7fdp.x86_64
ovn2.13-host-20.12.0-135.el7fdp.x86_64

AND

[root@dell-per730-40 ~]# rpm -qa |grep ovn
ovn-2021-21.03.0-40.el8fdp.x86_64
ovn-2021-central-21.03.0-40.el8fdp.x86_64
ovn-2021-host-21.03.0-40.el8fdp.x86_64

Comment 8 errata-xmlrpc 2021-06-21 14:44:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2507

