Bug 2182403

Summary: Router load balancers with no backends and event=false,reject=false should silently drop traffic.
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: OVN Bot <ovn-bot>
Component: ovn23.03
Assignee: Ales Musil <amusil>
Status: CLOSED CURRENTRELEASE
QA Contact: ying xu <yinxu>
Severity: medium
Priority: high
Version: FDP 23.A
CC: amusil, apanatto, ctrautma, dcbw, jiji, jishi, mmichels
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovn23.03-23.03.0-16.el9fdp
Last Closed: 2024-03-08 14:02:24 UTC

Description OVN Bot 2023-03-28 14:56:38 UTC
This is an automatically-generated clone of issue https://bugzilla.redhat.com/show_bug.cgi?id=2177173

Comment 3 ying xu 2023-04-23 08:04:39 UTC
# ovn-nbctl list load_balancer
_uuid               : f013c802-5d5c-4150-889a-0c2939eac44f
external_ids        : {}
health_check        : []
ip_port_mappings    : {}
name                : lb2
options             : {reject="true"}
protocol            : udp
selection_fields    : []
vips                : {"172.16.103.10:8000"="", "172.16.103.20:8000"="172.16.102.12:80,172.16.103.12:80", "[2001:db8:103::10]:8000"="", "[2001:db8:103::20]:8000"="[2001:db8:102::12]:80,[2001:db8:103::12]:80"}


Tested on old version:
# rpm -qa|grep ovn
ovn22.12-host-22.12.0-4.el8fdp.x86_64
ovn23.03-central-23.03.0-4.el8fdp.x86_64
ovn23.03-23.03.0-4.el8fdp.x86_64

when set reject=true
# ovn-sbctl dump-flows s3 | grep "ls_in_lb "|grep 172.16.103.10
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=5);};)
reject=false event=false

then set reject=false and event=false
ovn-nbctl set load_balancer $uuid options:reject=false
ovn-nbctl set load_balancer $uuid options:event=false

# ovn-sbctl dump-flows s3 | grep "ls_in_lb "|grep 172.16.103.10
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(reg0[1] = 0; ct_lb_mark(backends=);)


tested on new version:
# rpm -qa|grep ovn
ovn23.03-23.03.0-24.el9fdp.x86_64
ovn23.03-central-23.03.0-24.el9fdp.x86_64
ovn23.03-host-23.03.0-24.el9fdp.x86_64


After setting reject=false and event=false
ovn-nbctl set load_balancer $uuid options:reject=false
ovn-nbctl set load_balancer $uuid options:event=false

# ovn-sbctl dump-flows s3 | grep "ls_in_lb "|grep 172.16.103.10
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(drop;)  -----------drop

# ip netns exec vm10 ncat --udp 172.16.103.10 8000 <<< h ----------------send packet to vip, no reply, only drop.
02:03:38.811858 Out 00:de:ad:01:00:01 ethertype IPv4 (0x0800), length 46: 172.16.102.11.48982 > 172.16.103.10.8000: UDP, length 2


set verified.
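
The flow check from comment 3 as a reusable function. This is an added example, not part of the original bug report or of OVN. The names lb_vip_action, flow_reject, flow_old and flow_new are hypothetical, the sample input is the three IPv4 flow lines quoted above, and it assumes the match text is laid out as in those lines.

```shell
#!/bin/sh
# Added example (not from the bug report): classify what the ls_in_lb stage
# does with new connections to one IPv4 load-balancer VIP.
# Live use, with the switch name from this page:
#   ovn-sbctl dump-flows s3 | lb_vip_action 172.16.103.10 8000

lb_vip_action() {
    vip=$1; port=$2
    # Assumption: the match reads "ip4.dst == VIP && <proto>.dst == PORT)",
    # as in the flows quoted on this page. The trailing " && " keeps
    # 172.16.103.1 from matching 172.16.103.10.
    action=$(grep -F 'ls_in_lb' \
        | grep -F "ip4.dst == $vip && " \
        | grep -F ".dst == $port)" \
        | sed -n 's/.*action=(\(.*\))[^)]*$/\1/p' \
        | head -n 1)
    case $action in
        '')                        echo none ;;         # no flow for this VIP
        *'reject {'*)              echo reject ;;       # OVN answers the sender
        'drop;')                   echo drop ;;         # silent drop (fixed build)
        *'ct_lb_mark(backends=)'*) echo empty-ct-lb ;;  # pre-fix flow on this page
        *ct_lb*)                   echo load-balance ;; # VIP has backends
        *)                         echo other ;;
    esac
}

# Sample input: the three flow lines quoted in comment 3.
flow_reject() { cat <<'EOF'
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=5);};)
EOF
}
flow_old() { cat <<'EOF'
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(reg0[1] = 0; ct_lb_mark(backends=);)
EOF
}
flow_new() { cat <<'EOF'
  table=12(ls_in_lb           ), priority=120  , match=(ct.new && ip4.dst == 172.16.103.10 && udp.dst == 8000), action=(drop;)
EOF
}

for f in flow_reject flow_old flow_new; do
    printf '%s: %s\n' "$f" "$($f | lb_vip_action 172.16.103.10 8000)"
done
```

With reject=false and event=false set, a fixed build should report drop for a VIP that has no backends; empty-ct-lb is the pre-fix flow.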

Comment 4 Mark Michelson 2024-03-08 14:02:24 UTC
I am closing this issue. It was initially attached to the following dropped errata: https://errata.devel.redhat.com/advisory/112892 . This errata was not published because there was one issue that failed verification. The rest of the issues were verified, though. However, since the issues were never included in a published errata, they have remained in the "VERIFIED" state. These issues have been fixed for a long time, and QE has verification set up for these issues, so I am closing these issues as "CURRENTRELEASE".