Description of problem: OVN logical flows for load balancers are not correctly differentiated by protocol of load balancer when port is not specified. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: # Create the first logical switch with one port ovn-nbctl ls-add sw0 ovn-nbctl lsp-add sw0 sw0-port1 ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2" # Create the second logical switch with one port ovn-nbctl ls-add sw1 ovn-nbctl lsp-add sw1 sw1-port1 ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2" # Create a logical router and attach both logical switches ovn-nbctl lr-add lr0 ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24 ovn-nbctl lsp-add sw0 lrp0-attachment ovn-nbctl lsp-set-type lrp0-attachment router ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01 ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0 ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24 ovn-nbctl lsp-add sw1 lrp1-attachment ovn-nbctl lsp-set-type lrp1-attachment router ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02 ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1 ovs-vsctl add-port br-int p1 -- \ set Interface p1 external_ids:iface-id=sw0-port1 ovs-vsctl add-port br-int p2 -- \ set Interface p2 external_ids:iface-id=sw1-port1 ovn-nbctl set Logical_Router lr0 options:chassis=hv1 ovn-nbctl lb-add lb0 11.0.0.200 192.168.0.2 ovn-nbctl lb-add lb1 11.0.0.200 192.168.0.2 ovn-nbctl set Load_Balancer lb0 protocol=tcp ovn-nbctl set Load_Balancer lb0 options=skip_snat=true ovn-nbctl set Load_Balancer lb1 protocol=udp ovn-nbctl lr-lb-add lr0 lb0 ovn-nbctl lr-lb-add lr0 lb1 Actual results: $ ovn-sbctl dump-flows | grep lr_in_dnat table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(next;) table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(ct_lb(backends=192.168.0.2);) table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);) table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;) Expected results: $ ovn-sbctl dump-flows | grep lr_in_dnat table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && tcp && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && udp && ct_label.natted == 1), action=(next;) table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && udp), action=(ct_lb(backends=192.168.0.2);) table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && tcp), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);) table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;) Additional Info: This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1995326
Whoever will work on this should consider possible 2.5 times explosion of the number of logical flows in case protocol matches will be blindly added to all load balancer flows: https://mail.openvswitch.org/pipermail/ovs-dev/2021-August/387161.html This will hit performance of northd and all other OVN components.