
Bug 2061619

Summary: snat-ct-zone doesn't work for distributed gateway router port
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Jianlin Shi <jishi>
Component: ovn-2021 Assignee: Mark Michelson <mmichels>
Status: CLOSED ERRATA QA Contact: Jianlin Shi <jishi>
Severity: medium Docs Contact:
Priority: medium    
Version: FDP 22.B CC: ctrautma, jiji, mmichels
Last Closed: 2022-06-30 17:59:57 UTC Type: Bug

Description Jianlin Shi 2022-03-08 03:16:47 UTC
Description of problem:
snat-ct-zone doesn't work for distributed gateway router port

Version-Release number of selected component (if applicable):
ovn-2021-21.12.0-30.el8

How reproducible:

Always

Steps to Reproduce:
# Reproducer: single-host OVN setup (chassis hv1) with logical router R1 whose
# external port rp-public is a distributed gateway port, an SNAT rule, and
# options:snat-ct-zone=123. The final commands check which conntrack zone the
# datapath actually uses for the SNAT.

# Bring up Open vSwitch and the OVN central daemon.
systemctl start openvswitch
systemctl start ovn-northd
# Expose the northbound (6641) and southbound (6642) databases over passive TCP.
# NOTE(review): ptcp is plaintext and unauthenticated, and with no IP given the
# listener is not bound to a specific local address. That is fine on an isolated
# test host; on a shared network use pssl: with certificates and bind the
# listener to a management address.
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
# Register this host as chassis hv1 and point ovn-controller at the southbound
# DB on 1.1.178.25:6642 (same plaintext tcp: transport), geneve encapsulation.
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:1.1.178.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=1.1.178.25
systemctl restart ovn-controller

# Logical topology: router R1 between internal switch sw0 and switch public.
ovn-nbctl lr-add R1

ovn-nbctl ls-add sw0
ovn-nbctl ls-add public

# Router ports. Assigning a gateway chassis to rp-public is what makes it a
# distributed gateway port, the case this bug is about.
ovn-nbctl lrp-add R1 rp-sw0 00:00:01:01:02:03 192.168.1.254/24
ovn-nbctl lrp-add R1 rp-public 00:00:02:01:02:03 172.16.1.254/24 1000::a/64 \
    -- lrp-set-gateway-chassis rp-public hv1
# Left disabled by the reporter; presumably the alternative of pinning the
# whole router to hv1 (gateway router) instead of using a gateway port.
#ovn-nbctl set logical_router R1 options:chassis=hv1

# External bridge, plus the switch-side ports that attach each switch to R1.
ovs-vsctl add-br br-ext
ovn-nbctl lsp-add sw0 sw0-rp -- set Logical_Switch_Port sw0-rp \
    type=router options:router-port=rp-sw0 \
    -- lsp-set-addresses sw0-rp router

ovn-nbctl lsp-add public public-rp -- set Logical_Switch_Port public-rp \
    type=router options:router-port=rp-public \
    -- lsp-set-addresses public-rp router

# Inside client: internal OVS port sw01 on br-int, moved into netns sw01 with
# address 192.168.1.1 and a default route via R1, then bound to logical port
# sw01 through external_ids:iface-id.
ovs-vsctl add-port br-int sw01 -- set interface sw01 type=internal external_ids:iface-id=sw01
ip netns add sw01
ip link set sw01 netns sw01
ip netns exec sw01 ip link set sw01 address f0:00:00:01:02:03
ip netns exec sw01 ip link set sw01 up
ip netns exec sw01 ip addr add 192.168.1.1/24 dev sw01
ip netns exec sw01 ip route add default via 192.168.1.254 dev sw01
ovn-nbctl lsp-add sw0 sw01 \
    -- lsp-set-addresses sw01 "f0:00:00:01:02:03 192.168.1.1"

# Outside host: internal port "server" on br-ext, moved into netns server with
# address 172.16.1.50 on the public subnet.
ovs-vsctl add-port br-ext server -- set interface server type=internal
ip netns add server
ip netns exec server ip link set lo up
ip link set server netns server
ip netns exec server ip link set server up
ip netns exec server ip addr add 172.16.1.50/24 dev server
ip netns exec server ip route add default via 172.16.1.254 dev server

# Map physical network "phynet" to br-ext and add a localnet port so the
# logical switch "public" reaches the server through br-ext.
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=phynet:br-ext
ovn-nbctl lsp-add public public1 \
        -- lsp-set-addresses public1 unknown \
        -- lsp-set-type public1 localnet \
        -- lsp-set-options public1 network_name=phynet

# Setting under test: request conntrack zone 123 for R1's SNAT, waiting until
# the hypervisor has processed the change, then add the SNAT rule that rewrites
# source 192.168.1.1 to 172.16.1.1.
ovn-nbctl --wait=hv set Logical_Router R1 options:snat-ct-zone=123
ovn-nbctl lr-nat-add R1 snat 172.16.1.1 192.168.1.1
# TCP listener on the outside host; -k keeps it accepting after each
# connection. It is backgrounded and not stopped by these steps, so it stays
# running until killed.
ip netns exec server nc -k -l 10781 &
sleep 2
# First connection through the SNAT, then a full dump of the datapath flows.
ip netns exec sw01 nc 172.16.1.50 10781 <<< hello
ovs-appctl dpctl/dump-flows -m
# Second connection. The grep is the pass/fail check: it prints a flow only if
# the SNAT commit happens in zone 123; no output means the configured zone is
# not being used.
ip netns exec sw01 nc 172.16.1.50 10781 <<< hello
ovs-appctl dpctl/dump-flows -m | grep "zone=123.*nat(src=172.16.1.1"
# Cross-check in conntrack: the zone= field on the SRC_NAT entries for
# 192.168.1.1 -> 172.16.1.50 shows the zone that was really used.
ovs-appctl  dpctl/dump-conntrack -m

Actual results:

[root@wsfd-advnetlab16 nat_test]# ovs-vsctl list bridge br-int                                        
_uuid               : c190e888-32cf-4001-a5a3-d3bd1be65a0c
auto_attach         : []
controller          : []
datapath_id         : "0000623b88ef52ad"
datapath_type       : system
datapath_version    : "<unknown>"
external_ids        : {ct-zone-8141bd1f-da58-4c6b-a291-d35d729e682f_dnat="2", ct-zone-8141bd1f-da58-4c6b-a291-d35d729e682f_snat="123", ct-zone-d4b6908b-0acb-4512-be6f-a5b20380f96e_dnat="4", ct-zone-d4b6908b-0acb-4512-be6f-a5b20380f96e_snat="1", ct-zone-e3ff68b4-d976-46fc-b0d2-01c095d752bd_dnat="5", ct-zone-e3ff68b4-d976-46fc-b0d2-01c095d752bd_snat="3", ct-zone-sw01="6", ovn-nb-cfg="1", ovn-nb-cfg-ts="1646709118426", ovn-startup-ts="1646709117388"}
fail_mode           : secure
flood_vlans         : []
flow_tables         : {}
ipfix               : []
mcast_snooping_enable: false
mirrors             : []
name                : br-int
netflow             : []
other_config        : {disable-in-band="true", hwaddr="62:3b:88:ef:52:ad"}
ports               : [4e2dc1ce-4479-48de-822d-04c2a4094bb6, 8f402747-a220-4d9f-856e-cec5d8815c3d, e2e16e36-20b6-49f5-ac72-41c7a888986a]
protocols           : []
rstp_enable         : false
rstp_status         : {}
sflow               : []
status              : {}
stp_enable          : false


+ ip netns exec sw01 nc 172.16.1.50 10781
hello
+ ovs-appctl dpctl/dump-flows -m
ufid:df7ec8e6-598b-49f0-9a31-082db23880a6, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=9a:6c:27:95:d4:85,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.1,op=1/0xff,sha=9a:6c:27:95:d4:85,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=3756559173,slow_path(action))
ufid:6ff540ba-9f0b-432b-8739-9ba12b48bf59, recirc_id(0xa),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,dst=9a:6c:27:95:d4:85),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct_clear,server
ufid:947334cf-75ba-4c1a-8597-91446b7431b9, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=9a:6c:27:95:d4:85,dst=33:33:ff:95:d4:85),eth_type(0x86dd),ipv6(src=::,dst=ff02::1:ff95:d485,label=0/0,proto=58,tclass=0/0,hlimit=255,frag=no),icmpv6(type=135,code=0),nd(target=fe80::986c:27ff:fe95:d485/::,sll=00:00:00:00:00:00/00:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:br-ext
ufid:fe04e532-f0cf-4289-8143-00e29ef896b6, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=9a:6c:27:95:d4:85,dst=00:00:02:01:02:03),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.254,op=2/0xff,sha=9a:6c:27:95:d4:85,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:3, bytes:126, used:0.029s, dp:ovs, actions:drop
ufid:cab15c33-73d0-4907-9b9e-c20d9696c467, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=9a:6c:27:95:d4:85,dst=00:00:02:01:02:03),eth_type(0x0800),ipv4(src=172.16.1.32/255.255.255.224,dst=172.16.1.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=0/0,dst=0/0),tcp_flags(0/0), packets:3, bytes:198, used:0.027s, flags:F., dp:ovs, actions:ct(zone=2,nat),recirc(0x6)
ufid:f4999ab0-fdeb-4f23-82ad-f0398f041a7c, recirc_id(0x6),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=9a:6c:27:95:d4:85,dst=00:00:02:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=192.168.1.1,proto=0/0,tos=0/0,ttl=64,frag=no), packets:3, bytes:198, used:0.027s, flags:F., dp:ovs, actions:ct_clear,set(eth(src=00:00:01:01:02:03,dst=f0:00:00:01:02:03)),set(ipv4(ttl=63)),sw01
ufid:6d8d5e04-0d20-4980-af84-7ad0e16e7771, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.1,tip=192.168.1.254,op=1/0xff,sha=f0:00:00:01:02:03,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=3338936088,slow_path(action))
ufid:3e748f5b-9323-4dfd-89b4-b90aa2ba0e0a, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=9a:6c:27:95:d4:85)),set(ipv4(ttl=63)),ct(commit,zone=2,nat(src=172.16.1.1)),recirc(0xa)

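<=== the SNAT is committed in zone 2, which is the router's DNAT zone (ct-zone-8141bd1f-da58-4c6b-a291-d35d729e682f_dnat="2" in the br-int external_ids above), not the configured SNAT zone 123 (..._snat="123")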

+ ip netns exec sw01 nc 172.16.1.50 10781
hello
+ ovs-appctl dpctl/dump-flows -m
+ grep 'zone=123.*nat(src=172.16.1.1'
+ ovs-appctl dpctl/dump-conntrack -m
udp,orig=(src=10.19.128.35,dst=10.19.42.41,sport=37904,dport=53),reply=(src=10.19.42.41,dst=10.19.128.35,sport=53,dport=37904),id=2576819503,status=SEEN_REPLY|ASSURED|CONFIRMED
tcp,orig=(src=10.72.12.93,dst=10.19.128.35,sport=58009,dport=22),reply=(src=10.19.128.35,dst=10.72.12.93,sport=22,dport=58009),id=3648235236,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=6,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=10.0.110.173,dst=10.19.128.35,sport=56166,dport=22),reply=(src=10.19.128.35,dst=10.0.110.173,sport=22,dport=56166),id=1302531474,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
igmp,orig=(src=10.19.129.254,dst=224.0.0.1,sport=0,dport=0),reply=(src=224.0.0.1,dst=10.19.129.254,sport=0,dport=0),id=1710357234,status=CONFIRMED
udp,orig=(src=0.0.0.0,dst=255.255.255.255,sport=68,dport=67),reply=(src=255.255.255.255,dst=0.0.0.0,sport=67,dport=68),id=3730249008,status=CONFIRMED
tcp,orig=(src=1.1.178.25,dst=1.1.178.25,sport=44834,dport=6642),reply=(src=1.1.178.25,dst=1.1.178.25,sport=6642,dport=44834),id=3119656307,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=10.0.110.173,dst=10.19.128.35,sport=56156,dport=22),reply=(src=10.19.128.35,dst=10.0.110.173,sport=22,dport=56156),id=3012406203,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|DATA_UNACKNOWLEDGED|MAXACK_SET)
tcp,orig=(src=2620:52:0:1380:e643:4bff:fe17:da84,dst=2620:52:0:1380:e643:4bff:fe17:e16c,sport=50084,dport=22),reply=(src=2620:52:0:1380:e643:4bff:fe17:e16c,dst=2620:52:0:1380:e643:4bff:fe17:da84,sport=22,dport=50084),id=921522652,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)                                                                  
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45666,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45666),id=876151640,zone=2,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET)
udp,orig=(src=10.19.128.35,dst=10.19.42.41,sport=57080,dport=53),reply=(src=10.19.42.41,dst=10.19.128.35,sport=53,dport=57080),id=1350023826,status=SEEN_REPLY|ASSURED|CONFIRMED
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45668,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45668),id=4045793011,zone=2,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET)

Expected results:
SNAT should use conntrack zone 123, the value set with options:snat-ct-zone.

Additional info:


[root@wsfd-advnetlab16 nat_test]# rpm -qa | grep -E "openvswitch2.15|ovn-2021"
ovn-2021-central-21.12.0-30.el8fdp.x86_64                                                             
ovn-2021-21.12.0-30.el8fdp.x86_64
ovn-2021-host-21.12.0-30.el8fdp.x86_64
openvswitch2.15-2.15.0-80.el8fdp.x86_64                                                               
[root@wsfd-advnetlab16 nat_test]# uname -a                                                            
Linux wsfd-advnetlab16.anl.lab.eng.bos.redhat.com 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Mon Jan 17 07:06:06 EST 2022 x86_64 x86_64 x86_64 GNU/Linux

The issue does not occur on ovn-2021-21.09.1-24:

[root@wsfd-advnetlab16 21.09.1-24]# rpm -qa | grep -E "openvswitch2.15|ovn-2021"
ovn-2021-host-21.09.1-24.el8fdp.x86_64
ovn-2021-central-21.09.1-24.el8fdp.x86_64
openvswitch2.15-2.15.0-80.el8fdp.x86_64
ovn-2021-21.09.1-24.el8fdp.x86_64

+ ovs-appctl dpctl/dump-flows -m                                                                                                                                                                            
ufid:7ee3293c-b29c-456c-bb48-b5fc45fca2ec, recirc_id(0x9),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0x20/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/0
0:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.1,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:1, bytes:66, used:0.027s, flags:., dp:ovs, a
ctions:ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xa)                                                                                                                                                  
ufid:e73f3ebb-22f1-4240-a6da-b9e4bf964222, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00
:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.0/255.255.255.128,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:5, bytes:336, used:0.027s, flags:FP., dp:ovs, actions:set(eth(src=00:00:02
:01:02:03,dst=7e:80:bf:6e:22:5d)),set(ipv4(ttl=63)),ct(zone=4,nat),recirc(0x9)                                                                                                                              
ufid:c8ecd110-8e1a-4815-9ce2-3114448a66be, recirc_id(0x6),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0x21/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,d
st=7e:80:bf:6e:22:5d),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct_clear,server         
ufid:8bce1994-ae2f-4430-bdc0-5d2985390311, recirc_id(0x7),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=7e:80:bf:6e:22:5d,dst=0
0:00:02:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=192.168.1.1,proto=0/0,tos=0/0,ttl=64,frag=no), packets:2, bytes:156, used:0.027s, flags:F., dp:ovs, actions:set(eth(src=00:00:01:01:02:03,ds
t=f0:00:00:01:02:03)),set(ipv4(ttl=63)),ct(zone=4,nat),recirc(0x8)                                                                                                                                          
ufid:0cb75fd2-65cf-460e-9f74-9dcd002a9a02, recirc_id(0x8),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0x20/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:01:01:02:03
,dst=f0:00:00:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:2, bytes:156, used:0.027s, flags:F., dp:ovs, actions:ct_clear,sw01        
ufid:e330a12c-210c-4942-b8e4-50b23de62fe4, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=7e:80:bf:6e:22:5d,dst=
00:00:02:01:02:03),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.254,op=2/0xff,sha=7e:80:bf:6e:22:5d,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:3, bytes:126, used:0.038s, dp:ovs, actions:drop  
ufid:a0609fa4-6542-4ffb-aa65-5885f668bf94, recirc_id(0xa),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0x20/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,d
st=7e:80:bf:6e:22:5d),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:1, bytes:66, used:0.027s, flags:., dp:ovs, actions:ct_clear,serv
er                                                                                                                                                                                                          
ufid:44548d21-35dc-4294-83b2-0519c97722b7, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=7e:80:bf:6e:22:5d,dst=
ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.1,op=1/0xff,sha=7e:80:bf:6e:22:5d,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=2925955368,slow
_path(action))                                                                                                                                                                                              
ufid:e0f51ea5-2e5c-43c1-baec-7360e33f8b76, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=7e:80:bf:6e:22:5d,dst=
00:00:02:01:02:03),eth_type(0x0800),ipv4(src=172.16.1.32/255.255.255.224,dst=172.16.1.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=0/0,dst=0/0),tcp_flags(0/0), packets:2, bytes:156, used:0.027s, flags:F., dp
:ovs, actions:ct(zone=123,nat),recirc(0x7)                                                                                                                                                                  
ufid:0eee14d4-1d7d-4197-8064-b225c8e4aecb, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=ff
:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.1,tip=192.168.1.254,op=1/0xff,sha=f0:00:00:01:02:03,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=2180092079,slo
w_path(action))                                                                                                                                                                                             
+ ip netns exec sw01 nc 172.16.1.50 10781                                                                                                                                                                   
hello                                                                                                                                                                                                       
+ ovs-appctl dpctl/dump-flows -m                                                                                                                                                                            
+ grep 'zone=123.*nat(src=172.16.1.1'                                                                                                                                                                       
ufid:7ee3293c-b29c-456c-bb48-b5fc45fca2ec, recirc_id(0x9),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0x20/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/0
0:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.1,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:5, bytes:336, used:0.024s, flags:FP., dp:ovs
, actions:ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xa)                                                                                                                                               
ufid:7e3cb309-a6a0-4e2d-8fc1-ca8e8a13f42f, recirc_id(0x9),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0x21/0x21),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/0
0:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.1,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct(c
ommit,zone=4,nat(src)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xa)

<==== it is using zone 123

+ ovs-appctl dpctl/dump-conntrack -m
udp,orig=(src=10.19.128.35,dst=10.5.26.10,sport=50684,dport=123),reply=(src=10.5.26.10,dst=10.19.128.35,sport=123,dport=50684),id=1254031538,status=SEEN_REPLY|CONFIRMED
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45672,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45672),id=2644641369,zone=123,status=SEEN_REPLY|CONFIRMED|SRC_NAT|SRC_NAT_DONE,pr
otoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|DATA_UNACKNOWLEDGED|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45672,dport=10781),reply=(src=172.16.1.50,dst=192.168.1.1,sport=10781,dport=45672),id=1744591447,zone=4,status=SEEN_REPLY|CONFIRMED|SRC_NAT_DONE,protoinfo=(
state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|DATA_UNACKNOWLEDGED|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=10.72.12.93,dst=10.19.128.35,sport=58009,dport=22),reply=(src=10.19.128.35,dst=10.72.12.93,sport=22,dport=58009),id=3648235236,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTAB
LISHED,state_reply=ESTABLISHED,wscale_orig=6,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=10.0.110.173,dst=10.19.128.35,sport=56166,dport=22),reply=(src=10.19.128.35,dst=10.0.110.173,sport=22,dport=56166),id=1302531474,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=EST
ABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
igmp,orig=(src=10.19.129.254,dst=224.0.0.1,sport=0,dport=0),reply=(src=224.0.0.1,dst=10.19.129.254,sport=0,dport=0),id=1710357234,status=CONFIRMED
udp,orig=(src=10.19.128.35,dst=10.19.42.41,sport=34736,dport=53),reply=(src=10.19.42.41,dst=10.19.128.35,sport=53,dport=34736),id=625219153,status=SEEN_REPLY|ASSURED|CONFIRMED
tcp,orig=(src=1.1.178.25,dst=1.1.178.25,sport=44834,dport=6642),reply=(src=1.1.178.25,dst=1.1.178.25,sport=6642,dport=44834),id=3119656307,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=TIME_WA
IT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=1.1.178.25,dst=1.1.178.25,sport=44840,dport=6642),reply=(src=1.1.178.25,dst=1.1.178.25,sport=6642,dport=44840),id=2238771101,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLI
SHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45674,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45674),id=146080379,zone=123,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_
DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAX
ACK_SET)                                           
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45674,dport=10781),reply=(src=172.16.1.50,dst=192.168.1.1,sport=10781,dport=45674),id=2212574473,zone=4,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT_DONE,pro
toinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET)
tcp,orig=(src=10.0.110.173,dst=10.19.128.35,sport=56156,dport=22),reply=(src=10.19.128.35,dst=10.0.110.173,sport=22,dport=56156),id=3012406203,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=EST
ABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|DATA_UNACKNOWLEDGED|MAXACK_SET)
tcp,orig=(src=2620:52:0:1380:e643:4bff:fe17:da84,dst=2620:52:0:1380:e643:4bff:fe17:e16c,sport=50084,dport=22),reply=(src=2620:52:0:1380:e643:4bff:fe17:e16c,dst=2620:52:0:1380:e643:4bff:fe17:da84,sport=22,
dport=50084),id=921522652,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_repl
y=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
udp,orig=(src=10.19.128.35,dst=10.19.42.41,sport=39425,dport=53),reply=(src=10.19.42.41,dst=10.19.128.35,sport=53,dport=39425),id=1799142061,status=SEEN_REPLY|ASSURED|CONFIRMED

Comment 1 Mark Michelson 2022-03-09 21:11:48 UTC
This is a side-effect of commit 4deac4509abbedd6ffaecf27eed01ddefccea40a. This commit changed OVN to try to use a single CT zone for SNAT and DNAT when possible. However, the common zone that OVN uses is the DNAT zone. Therefore, the snat-ct-zone option ends up having no effect.

Comment 5 Jianlin Shi 2022-06-06 07:06:06 UTC
Verified on ovn-2021-21.12.0-73.el8:

[root@dell-per740-12 bz2061619]# rpm -qa | grep -E "ovn-2021|openvswitch2.15"
ovn-2021-21.12.0-73.el8fdp.x86_64
ovn-2021-host-21.12.0-73.el8fdp.x86_64
openvswitch2.15-2.15.0-104.el8fdp.x86_64
ovn-2021-central-21.12.0-73.el8fdp.x86_64

+ ip netns exec sw01 nc 172.16.1.50 10781                                                             
+ ovs-appctl dpctl/dump-flows -m    
ufid:37eb780d-251c-4dfd-8236-6d35ca24d6ff, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=aa:00:f7:f0:45:66,dst=33:33:ff:f0:45:66),eth_type(0x86dd),ipv6(src=::,dst=ff02::1:fff0:4566,label=0/0,proto=58,tclass=0/0,hlimit=255,frag=no),icmpv6(type=135,code=0),nd(target=fe80::a800:f7ff:fef0:4566/::,sll=00:00:00:00:00:00/00
:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:br-ext                                                                 
ufid:64f35d6f-e230-4c29-b246-3ba58d9ef8e3, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00
:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:1, bytes:66, used:0.028s, flags:., dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=aa:00:f7:f0:45:66)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0x8) 

<=== the zone used is 123
                                                                                                                          
ufid:0914376d-4499-45dc-8a5b-e2641ddffa59, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=aa:00:f7:f0:45:66,dst=00:
00:02:01:02:03),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.254,op=2/0xff,sha=aa:00:f7:f0:45:66,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:3, bytes:126, used:0.037s, dp:ovs, actions:drop
ufid:dc2838a7-7bfb-4635-ad7d-64ef19cff1f3, recirc_id(0x8),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,dst=aa:
00:f7:f0:45:66),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:1, bytes:66, used:0.028s, flags:., dp:ovs, actions:ct_clear,server    ufid:d768ba0f-a216-4fe9-96c6-a2ea510d7b7f, recirc_id(0x6),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=aa:00:f7:f0:45:66,dst=0
0:00:02:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=192.168.1.1,proto=0/0,tos=0/0,ttl=64,frag=no), packets:2, bytes:156, used:0.028s, flags:F., dp:ovs, actions:ct_clear,set(eth(src=00:00:01:01:02:03,dst=f0:00:00:01:02:03)),set(ipv4(ttl=63)),sw01                                                                                                                                                       
ufid:b35259de-ae73-4522-bf22-98d267f11a61, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=aa:00:f7:f0:45:66,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.1,op=1/0xff,sha=aa:00:f7:f0:45:66,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=3641232741,slow_pa
th(action))                                                                                                                                                                                                 ufid:e31aa703-681c-4d6b-b70e-c4379f8f753b, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=ff:ff
:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.1,tip=192.168.1.254,op=1/0xff,sha=f0:00:00:01:02:03,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=2284688102,slow_p
ath(action))                                                                                                                                                                                                
ufid:ce21e1ec-7885-4f72-a10a-0ffac923dcc1, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=aa:00:f7:f0:45:66,dst=00:
00:02:01:02:03),eth_type(0x0800),ipv4(src=172.16.1.32/255.255.255.224,dst=172.16.1.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=0/0,dst=0/0),tcp_flags(0/0), packets:2, bytes:156, used:0.029s, flags:F., dp:ov
s, actions:ct(zone=123,nat),recirc(0x6)

+ ip netns exec sw01 nc 172.16.1.50 10781
hello
+ ovs-appctl dpctl/dump-flows -m
+ grep 'zone=123.*nat(src=172.16.1.1'
ufid:64f35d6f-e230-4c29-b246-3ba58d9ef8e3, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:6, bytes:410, used:0.027s, flags:SFP., dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=aa:00:f7:f0:45:66)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0x8)
+ ovs-appctl dpctl/dump-conntrack -m
tcp,orig=(src=1.1.39.25,dst=1.1.39.25,sport=43118,dport=6642),reply=(src=1.1.39.25,dst=1.1.39.25,sport=6642,dport=43118),id=2272758555,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
udp,orig=(src=10.73.130.205,dst=10.73.2.107,sport=45231,dport=53),reply=(src=10.73.2.107,dst=10.73.130.205,sport=53,dport=45231),id=384011378,status=SEEN_REPLY|ASSURED|CONFIRMED
igmp,orig=(src=10.73.130.5,dst=224.0.0.1,sport=0,dport=0),reply=(src=224.0.0.1,dst=10.73.130.5,sport=0,dport=0),id=2788897292,status=CONFIRMED
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45896,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45896),id=957289477,zone=123,status=SEEN_REPLY|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|DATA_UNACKNOWLEDGED|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)


udp,orig=(src=0.0.0.0,dst=255.255.255.255,sport=68,dport=67),reply=(src=255.255.255.255,dst=0.0.0.0,sport=67,dport=68),id=3704033016,status=CONFIRMED
udp,orig=(src=10.73.130.205,dst=10.66.127.10,sport=38124,dport=123),reply=(src=10.66.127.10,dst=10.73.130.205,sport=123,dport=38124),id=3895249593,status=CONFIRMED
udp,orig=(src=10.73.130.205,dst=10.5.26.10,sport=34932,dport=123),reply=(src=10.5.26.10,dst=10.73.130.205,sport=123,dport=34932),id=2002101204,status=SEEN_REPLY|CONFIRMED
tcp,orig=(src=1.1.39.25,dst=1.1.39.25,sport=43106,dport=6642),reply=(src=1.1.39.25,dst=1.1.39.25,sport=6642,dport=43106),id=135228605,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
tcp,orig=(src=10.73.130.205,dst=10.19.43.3,sport=51118,dport=80),reply=(src=10.19.43.3,dst=10.73.130.205,sport=80,dport=51118),id=2621868458,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=9,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|MAXACK_SET)
tcp,orig=(src=10.73.130.205,dst=10.19.43.3,sport=51120,dport=80),reply=(src=10.19.43.3,dst=10.73.130.205,sport=80,dport=51120),id=3066485801,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=9,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|MAXACK_SET)
tcp,orig=(src=10.73.130.205,dst=10.73.130.133,sport=22,dport=36502),reply=(src=10.73.130.133,dst=10.73.130.205,sport=36502,dport=22),id=1568875127,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,flags_orig=SACK_PERM|BE_LIBERAL|MAXACK_SET,flags_reply=SACK_PERM|BE_LIBERAL|MAXACK_SET)
igmp,orig=(src=0.0.0.0,dst=224.0.0.1,sport=0,dport=0),reply=(src=224.0.0.1,dst=0.0.0.0,sport=0,dport=0),id=3178612588,status=CONFIRMED
udp,orig=(src=10.73.130.205,dst=134.226.81.3,sport=38719,dport=123),reply=(src=134.226.81.3,dst=10.73.130.205,sport=123,dport=38719),id=1359002393,status=CONFIRMED
udp,orig=(src=10.73.130.205,dst=10.73.2.107,sport=34725,dport=53),reply=(src=10.73.2.107,dst=10.73.130.205,sport=53,dport=34725),id=930333151,status=SEEN_REPLY|ASSURED|CONFIRMED
udp,orig=(src=10.73.130.205,dst=10.73.2.107,sport=58571,dport=53),reply=(src=10.73.2.107,dst=10.73.130.205,sport=53,dport=58571),id=3021404091,status=SEEN_REPLY|ASSURED|CONFIRMED
udp,orig=(src=10.73.130.205,dst=10.73.2.107,sport=49890,dport=53),reply=(src=10.73.2.107,dst=10.73.130.205,sport=53,dport=49890),id=3144121843,status=SEEN_REPLY|ASSURED|CONFIRMED
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=45898,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=45898),id=1429837737,zone=123,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET)
tcp,orig=(src=10.73.130.205,dst=10.19.43.3,sport=51122,dport=80),reply=(src=10.19.43.3,dst=10.73.130.205,sport=80,dport=51122),id=3322052199,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=9,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|MAXACK_SET)

Comment 6 Jianlin Shi 2022-06-06 07:16:45 UTC
Verified on ovn22.03-22.03.0-52.el8fdp:

[root@dell-per740-12 bz2061619]# rpm -qa | grep -E "openvswitch2.15|ovn22.03"
ovn22.03-22.03.0-52.el8fdp.x86_64
ovn22.03-central-22.03.0-52.el8fdp.x86_64
openvswitch2.15-2.15.0-104.el8fdp.x86_64
ovn22.03-host-22.03.0-52.el8fdp.x86_64

+ ovs-appctl dpctl/dump-flows -m
ufid:1b734cf8-e74e-4fca-adb2-1829e69b1992, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=96:8b:d6:df:55:fc)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xb)

<==== the ct(commit,...,nat(src=172.16.1.1)) action in the flow above uses zone 123
                                                                                                                                   
ufid:79278efc-cf3a-4fec-bd04-99ac94621b08, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=96:8b:d6:df:55:fc,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.1,op=1/0xff,sha=96:8b:d6:df:55:fc,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=2723165060,slow_path(action))
ufid:e0c93c03-b963-468b-b5a5-f9f54f1155c7, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,dst=96:8b:d6:df:55:fc),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct_clear,server
ufid:e74667a2-7e05-4aa0-874d-1259aa6447db, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.1,tip=192.168.1.254,op=1/0xff,sha=f0:00:00:01:02:03,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=2603075085,slow_p
ath(action))                                                                                                                                                                                                
ufid:2b400bd4-a15f-4eb1-aa6b-f84d13220699, recirc_id(0x6),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=96:8b:d6:df:55:fc,dst=0
0:00:02:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=192.168.1.1,proto=0/0,tos=0/0,ttl=64,frag=no), packets:3, bytes:198, used:0.026s, flags:F., dp:ovs, actions:ct_clear,set(eth(src=00:00:01:01
:02:03,dst=f0:00:00:01:02:03)),set(ipv4(ttl=63)),sw01                                                                                                                                                       
ufid:ffb01365-9746-46aa-9e0a-b763de0c0cb1, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=96:8b:d6:df:55:fc,dst=00:
00:02:01:02:03),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.254,op=2/0xff,sha=96:8b:d6:df:55:fc,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:3, bytes:126, used:0.029s, dp:ovs, actions:drop
ufid:b24c2849-6d70-49ff-bcd3-6380bca84f98, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=96:8b:d6:df:55:fc,dst=00:
00:02:01:02:03),eth_type(0x0800),ipv4(src=172.16.1.32/255.255.255.224,dst=172.16.1.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=0/0,dst=0/0),tcp_flags(0/0), packets:3, bytes:198, used:0.027s, flags:F., dp:ov
s, actions:ct(zone=123,nat),recirc(0x6)                                                                                                                                                                     
+ ip netns exec sw01 nc 172.16.1.50 10781                                                                                                                                                                   
hello                                                                                                                                                                                                       
+ ovs-appctl dpctl/dump-flows -m                                                                                                                                                                            
+ grep 'zone=123.*nat(src=172.16.1.1'                                                                                                                                                                       
ufid:1b734cf8-e74e-4fca-adb2-1829e69b1992, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00
:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:5, bytes:344, used:0.026s, flags:SFP., dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=96:8
b:d6:df:55:fc)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xb)

Comment 7 Jianlin Shi 2022-06-07 07:09:58 UTC
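Verified on ovn22.03-22.03.0-52.el9: after the nc connection, the SNAT datapath flow and the conntrack entries for 192.168.1.1 -> 172.16.1.50 both show zone=123.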

+ ip netns exec sw01 nc 172.16.1.50 10781
hello
+ ovs-appctl dpctl/dump-flows -m
ufid:24a0dc34-86ff-4b7d-a1f8-53bd0970c970, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:02:01:02:03,dst=e2:c9:23:86:e2:15),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=172.16.1.32/255.255.255.224,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct_clear,server
ufid:ac031e76-40e4-4aca-b7fc-f0fb82f00902, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=e2:c9:23:86:e2:15,dst=00:00:02:01:02:03),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.254,op=2/0xff,sha=e2:c9:23:86:e2:15,tha=00:00:00:00:00:00/00:00:00:00:00:00), packets:3, bytes:126, used:0.023s, dp:ovs, actions:drop
ufid:aa5ab85a-1973-49cc-a748-a2c35606c208, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=e2:c9:23:86:e2:15,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=172.16.1.50,tip=172.16.1.1,op=1/0xff,sha=e2:c9:23:86:e2:15,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=4294967295,slow_path(action))
ufid:bede45cc-d0a9-4fd0-8c50-db6e4cb845c7, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=e2:c9:23:86:e2:15)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xb)
ufid:e6f43fc5-1ed4-4f41-9f16-6de3f3d65854, recirc_id(0x6),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=e2:c9:23:86:e2:15,dst=00:00:02:01:02:03),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=192.168.1.1,proto=0/0,tos=0/0,ttl=64,frag=no), packets:3, bytes:198, used:0.022s, flags:F., dp:ovs, actions:ct_clear,set(eth(src=00:00:01:01:02:03,dst=f0:00:00:01:02:03)),set(ipv4(ttl=63)),sw01                                                 
ufid:a5ede68f-b788-4342-9e55-aae93a56aa16, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(server),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=e2:c9:23:86:e2:15,dst=00:00:02:01:02:03),eth_type(0x0800),ipv4(src=172.16.1.32/255.255.255.224,dst=172.16.1.1,proto=6,tos=0/0,ttl=64,frag=no),tcp(src=0/0,dst=0/0),tcp_flags(0/0), packets:3, bytes:198, used:0.022s, flags:F., dp:ovs, actions:ct(zone=123,nat),recirc(0x6)                                                               
ufid:4b1e1c18-262b-40fe-ad5b-485826f9c2b4, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.1,tip=192.168.1.254,op=1/0xff,sha=f0:00:00:01:02:03,tha=00:00:00:00:00:00), packets:0, bytes:0, used:never, dp:ovs, actions:userspace(pid=4294967295,slow_path(action))
+ ip netns exec sw01 nc 172.16.1.50 10781
hello
+ ovs-appctl dpctl/dump-flows -m
+ grep 'zone=123.*nat(src=172.16.1.1'                                                                 
ufid:bede45cc-d0a9-4fd0-8c50-db6e4cb845c7, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(sw01),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.1,dst=172.16.1.50,proto=0/0,tos=0/0,ttl=64,frag=no), packets:5, bytes:344, used:0.018s, flags:SFP., dp:ovs, actions:set(eth(src=00:00:02:01:02:03,dst=e2:c9:23:86:e2:15)),set(ipv4(ttl=63)),ct(commit,zone=123,nat(src=172.16.1.1)),recirc(0xb)
+ ovs-appctl dpctl/dump-conntrack -m
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=42924,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=42924),id=3404560826,zone=123,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET)
tcp,orig=(src=2620:52:0:1380:e643:4bff:fe17:f554,dst=2620:52:0:4982:42f2:e9ff:fe32:5d52,sport=22,dport=58084),reply=(src=2620:52:0:4982:42f2:e9ff:fe32:5d52,dst=2620:52:0:1380:e643:4bff:fe17:f554,sport=58084,dport=22),id=481711660,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,flags_orig=SACK_PERM|BE_LIBERAL|DATA_UNACKNOWLEDGED|MAXACK_SET,flags_reply=SACK_PERM|BE_LIBERAL|MAXACK_SET)
udp,orig=(src=10.19.128.39,dst=10.19.42.41,sport=47516,dport=53),reply=(src=10.19.42.41,dst=10.19.128.39,sport=53,dport=47516),id=2937945075,status=SEEN_REPLY|CONFIRMED
tcp,orig=(src=192.168.1.1,dst=172.16.1.50,sport=42920,dport=10781),reply=(src=172.16.1.50,dst=172.16.1.1,sport=10781,dport=42920),id=2525783425,zone=123,status=SEEN_REPLY|ASSURED|CONFIRMED|SRC_NAT|SRC_NAT_DONE,protoinfo=(state_orig=TIME_WAIT,state_reply=TIME_WAIT,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|CLOSE_INIT|BE_LIBERAL|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|BE_LIBERAL|MAXACK_SET)
tcp,orig=(src=1.1.184.25,dst=1.1.184.25,sport=49730,dport=6642),reply=(src=1.1.184.25,dst=1.1.184.25,sport=6642,dport=49730),id=2048177315,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,wscale_orig=7,wscale_reply=7,flags_orig=WINDOW_SCALE|SACK_PERM|MAXACK_SET,flags_reply=WINDOW_SCALE|SACK_PERM|MAXACK_SET)
[root@wsfd-advnetlab18 bz2061619]# rpm -qa | grep -E "openvswitch|ovn"
ovn22.03-22.03.0-52.el9fdp.x86_64
openvswitch-selinux-extra-policy-1.0-31.el9fdp.noarch
openvswitch2.17-2.17.0-21.el9fdp.x86_64
ovn22.03-central-22.03.0-52.el9fdp.x86_64
ovn22.03-host-22.03.0-52.el9fdp.x86_64

Comment 9 errata-xmlrpc 2022-06-30 17:59:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5446