FYI the backport landed in 22.12 upstream 4 days ago: https://github.com/ovn-org/ovn/commit/6be84b57732d1756f5970e267581e691543be936
There's already a build for this in brew.
ovn22.12 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2216315
Use this topo and config to test this bug:

# Logical network:
# One LR R1 with switches foo (192.168.1.0/24), bar (192.168.2.0/24),
#
#    foo -- R1 -- bar

# ovn-nbctl show
switch 9f9d8463-f970-47e4-a232-8688e1b3a438 (foo)
    port foo1
        addresses: ["f0:00:00:01:02:03 192.168.1.2"]
    port rp-foo
        type: router
        router-port: foo
switch ca7616b3-b116-4ae4-a7e9-ac24ea3db536 (bar)
    port rp-bar
        type: router
        router-port: bar
    port bar1
        addresses: ["f0:00:00:01:02:04 192.168.2.2"]
router 8502a562-b934-43e5-8b79-b53bafb886d0 (R1)
    port bar
        mac: "00:00:01:01:02:04"
        networks: ["192.168.2.1/24"]
    port foo
        mac: "00:00:01:01:02:03"
        networks: ["192.168.1.1/24"]

[root@dell-per740-54 load_balance]# ovn-nbctl list load_balancer
_uuid               : 30199a7b-1f3b-426a-8d58-b4c270eb8dce
external_ids        : {}
health_check        : []
ip_port_mappings    : {}
name                : lb1
options             : {}
protocol            : tcp
selection_fields    : []
vips                : {"30.30.30.30:80"="192.168.2.2:80"}

[root@dell-per740-54 load_balance]# ovn-nbctl list acl
_uuid               : 8c9a48ac-87ae-43c4-a2e8-ec90a61349a5
action              : allow-stateless
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "1"
meter               : []
name                : []
options             : {}
priority            : 1
severity            : []

_uuid               : 6af28809-8b49-470b-a078-473fd5c0e1c3
action              : allow-stateless
direction           : to-lport
external_ids        : {}
label               : 0
log                 : false
match               : "1"
meter               : []
name                : []
options             : {}
priority            : 1
severity            : []

On the old version: traffic is sent to the server and gets a conntrack entry.

:: [ 04:28:20 ] :: [ BEGIN ] :: Running 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d'
:: [ 04:28:21 ] :: [ FAIL ] :: Command 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d' (Expected 1, got 0)
:: [ 04:28:21 ] :: [ BEGIN ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=46782,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=46782),zone=7,mark=2,protoinfo=(state=TIME_WAIT)
:: [ 04:28:21 ] :: [ FAIL ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 0)

On the fixed version: traffic fails, and there is no conntrack entry.

# rpm -qa|grep ovn22
ovn22.12-22.12.0-94.el8fdp.x86_64
ovn22.12-central-22.12.0-94.el8fdp.x86_64
ovn22.12-host-22.12.0-94.el8fdp.x86_64

:: [ 04:28:20 ] :: [ BEGIN ] :: Running 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d'
Ncat: Connection timed out.
:: [ 04:28:30 ] :: [ PASS ] :: Command 'ip netns exec foo1 ncat 30.30.30.30 80 <<< d' (Expected 1, got 1)
:: [ 04:28:30 ] :: [ BEGIN ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
:: [ 04:28:30 ] :: [ PASS ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 1)

Set verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn22.12 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3992