Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2182399

Summary: Packet is sent to conntrack for some scenarios when outport is a peer of logical router port
Product: Red Hat Enterprise Linux Fast Datapath Reporter: OVN Bot <ovn-bot>
Component: ovn22.12Assignee: xsimonar
Status: CLOSED ERRATA QA Contact: Ehsan Elahi <eelahi>
Severity: urgent Docs Contact:
Priority: urgent    
Version: FDP 21.KCC: anusaxen, cgoncalves, ctrautma, ealcaniz, eglottma, fpaoline, jiji, jishi, mcambria, mkennell, mwasher, nusiddiq, openshift-bugs-escalate, rkhan, rravaiol, surya, xsimonar, xzhou
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovn22.12-22.12.0-35.el8fdp Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-18 00:16:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OVN Bot 2023-03-28 14:56:17 UTC 
This is an automatically-generated clone of issue https://bugzilla.redhat.com/show_bug.cgi?id=2062431
Comment 3 Ehsan Elahi 2023-05-07 21:55:25 UTC 
Reproduced On:
[root@wsfd-advnetlab155 xs]# rpm -qa | grep -E 'ovn|openvswitch'
ovn22.12-central-22.12.0-34.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-30.el8fdp.noarch
ovn22.12-host-22.12.0-34.el8fdp.x86_64
openvswitch2.17-2.17.0-95.el8fdp.x86_64
ovn22.12-22.12.0-34.el8fdp.x86_64

Here is the reproducer:

systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
systemctl start openvswitch
ovs-vsctl set open . external_ids:system-id=hv1
# IP address configuration to physical interface
ifconfig ens1f0 42.42.42.2 netmask 255.0.0.0
ovs-vsctl set open . external_ids:ovn-remote=tcp:42.42.42.2:6642
ovs-vsctl set open . external_ids:ovn-encap-type=geneve
ovs-vsctl set open . external_ids:ovn-encap-ip=42.42.42.2
systemctl restart ovn-controller
 
ovn-nbctl lr-add rtr
ovn-nbctl lrp-add rtr rtr-ls1 00:00:00:00:01:00 42.42.42.1/24 2001::1/64
ovn-nbctl lrp-add rtr rtr-ls2 00:00:00:00:02:00 77.77.77.1/24 2002::1/64
 
ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1-rtr
ovn-nbctl lsp-set-addresses ls1-rtr 00:00:00:00:01:00
ovn-nbctl lsp-set-type ls1-rtr router
ovn-nbctl lsp-set-options ls1-rtr router-port=rtr-ls1
ovn-nbctl ls-add ls2
ovn-nbctl lsp-add ls2 ls2-rtr
ovn-nbctl lsp-set-addresses ls2-rtr 00:00:00:00:02:00
ovn-nbctl lsp-set-type ls2-rtr router
ovn-nbctl lsp-set-options ls2-rtr router-port=rtr-ls2
 
ovn-nbctl lsp-add ls1 vm1
ovn-nbctl lsp-set-addresses vm1 "00:00:00:00:01:01 42.42.42.2 2001::2"
ovn-nbctl lsp-add ls2 vm2
ovn-nbctl lsp-set-addresses vm2 "00:00:00:00:02:01 77.77.77.2 2002::2"
ovn-nbctl lsp-add ls2 vm3
ovn-nbctl lsp-set-addresses vm3 "00:00:00:00:03:01 77.77.77.3 2002::3"
 
ip netns add vm1
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:01:01
ip netns exec vm1 ip addr add 42.42.42.2/24 dev vm1
ip netns exec vm1 ip -6 addr add 2001::2/64 dev vm1
ip netns exec vm1 ip link set vm1 up
ip netns exec vm1 ip route add default via 42.42.42.1
ip netns exec vm1 ip -6 route add default via 2001::1
ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
ip netns add vm2
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
ip netns exec vm2 ip link set vm2 address 00:00:00:00:02:01
ip netns exec vm2 ip addr add 77.77.77.2/24 dev vm2
ip netns exec vm2 ip -6 addr add 2002::2/64 dev vm2
ip netns exec vm2 ip link set vm2 up
ip netns exec vm2 ip link set lo up
ip netns exec vm2 ip route add default via 77.77.77.1
ip netns exec vm2 ip -6 route add default via 2002::1
ovs-vsctl set Interface vm2 external_ids:iface-id=vm2
ip netns add vm3
ovs-vsctl add-port br-int vm3 -- set interface vm3 type=internal
ip link set vm3 netns vm3
ip netns exec vm3 ip link set vm3 address 00:00:00:00:03:01
ip netns exec vm3 ip addr add 77.77.77.3/24 dev vm3
ip netns exec vm3 ip -6 addr add 2002::3/64 dev vm3
ip netns exec vm3 ip link set vm3 up
ip netns exec vm3 ip link set lo up
ip netns exec vm3 ip route add default via 77.77.77.1
ip netns exec vm3 ip -6 route add default via 2002::1
ovs-vsctl set Interface vm3 external_ids:iface-id=vm3
 
ovn-nbctl lb-add lb1 30.0.0.1:80 77.77.77.2:80 udp
ovn-nbctl lb-add lb2 20.0.0.1:80 42.42.42.2:80 udp
ovn-nbctl lb-add lb1 30.0.0.1 77.77.77.2
ovn-nbctl lb-add lb2 77.77.77.100 42.42.42.3
ovn-nbctl ls-lb-add ls1 lb1
ovn-nbctl ls-lb-add ls2 lb2
 
ovn-nbctl acl-add ls1 from-lport 1001 "ip" allow
ovn-nbctl acl-add ls1 to-lport 1002 "ip" allow
ovn-nbctl acl-add ls2 from-lport 1003 "ip" allow
ovn-nbctl acl-add ls2 to-lport 1004 "ip" allow
ovn-nbctl --wait=hv sync
 
ip netns exec vm1 ping 30.0.0.1 -c 10000 > icmp.txt &
 
zone_id=$(ovn-appctl -t ovn-controller ct-zone-list | grep vm1 | cut -d ' ' -f2)
while : ; do
	ovs-appctl dpctl/dump-flows | grep "commit,zone=$zone_id"
        n=$(ovs-appctl dpctl/dump-flows | grep "commit,zone=$zone_id" | wc -l)
	echo "$n commit flows"
	[[ $n < 1 ]] || break
done

########### non Fixed OUTPUT: (commit twice (or zero) to conntrack)
0 commit flows
0 commit flows
0 commit flows
recirc_id(0x4),in_port(2),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0x2/0x3),eth(src=00:00:00:00:01:01,dst=00:00:00:00:01:00),eth_type(0x0800),ipv4(src=42.42.42.2,dst=77.77.77.2,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=2,mark=0/0x1,nat(src)),set(eth(src=00:00:00:00:02:00,dst=00:00:00:00:02:01)),set(ipv4(ttl=63)),ct(zone=1,nat),recirc(0x5)
recirc_id(0x3),dp_hash(0x7/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=2,mark=0x2/0x2,nat(dst=77.77.77.2)),recirc(0x4)
2 commit flows


Verified on:
[root@wsfd-advnetlab155 xs]# rpm -qa | grep -E 'ovn|openvswitch'
ovn22.12-central-22.12.0-51.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-30.el8fdp.noarch
openvswitch2.17-2.17.0-95.el8fdp.x86_64
ovn22.12-22.12.0-51.el8fdp.x86_64
ovn22.12-host-22.12.0-51.el8fdp.x86_64

########### Fixed OUTPUT: (commit once to conntrack)
0 commit flows
0 commit flows
0 commit flows
recirc_id(0x15),dp_hash(0x7/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=3,mark=0x2/0x2,nat(dst=77.77.77.2)),recirc(0x16)
1 commit flows
Comment 5 errata-xmlrpc 2023-05-18 00:16:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn22.12 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3203