Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2057426

Summary: Allow conntrack for router ports
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Nadia Pinaeva <npinaeva>
Component: OVNAssignee: OVN Team <ovnteam>
Status: CLOSED NEXTRELEASE QA Contact: Jianlin Shi <jishi>
Severity: low Docs Contact:
Priority: low    
Version: RHEL 8.0CC: ctrautma, dceara, jiji, mmichels
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-02-14 21:14:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nadia Pinaeva 2022-02-23 11:48:01 UTC 
Description of problem:
Conntrack is disabled for router ports by default which results in dropped reply packets.
Would be nice to add an option for LSP to enable conntrack on that port (not connected to distributed router).
Comment 1 Dumitru Ceara 2022-02-25 13:50:17 UTC 
Just a bit more context:

Since https://github.com/ovn-org/ovn/commit/9653a4ec597779bf0fb8352437e7faa04f9f4111, for switches that have load balancers or stateful ACLs applied, traffic that is sent/received to/from a router port bypasses conntrack (it was already the case for switches with stateful ACLs since https://github.com/ovn-org/ovn/commit/fcdbb261a651d5a0882f25f463aa7fd3f7bb714a).

In specific cases, e.g., on the LSP connecting the join switch to the GW router in ovn-k8s, the CMS might wish to disable this functionality and use conntrack.  This BZ requests a new LSP config option to selectively do that.
Comment 2 Dumitru Ceara 2022-05-23 13:29:28 UTC 
As discussed on Slack, this is not really required for ovn-kubernetes anymore, lowering priority and severity.
Comment 3 OVN Bot 2024-02-14 21:14:22 UTC 
This issue is being closed as an automatic process due to the issue's age. If you wish to re-open this issue, please do so in Jira (https://issues.redhat.com) in the 'FDP' project. Please be sure to set the component to the latest OVN version where this issue is known to occur. If this is a feature request or improvement, please set the component to 'OVN'.
Comment 4 Dumitru Ceara 2024-02-15 09:44:06 UTC 
This is will actually be supported in OVN 24.03.0 since: https://github.com/ovn-org/ovn/commit/9a0f30756dab79ae34249ce8ee9334c63f6b6c16

A new option has been added to enable/disable the behavior (default disabled).
LSP.options:enable_router_port_acl=true/false