Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2238507

Summary: Rate and burst limits are not consistent on stateful and stateless ACL logging
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Elvira <egarciar>
Component: ovn23.03
Assignee: OVN Team <ovnteam>
Status: CLOSED WONTFIX
QA Contact: Jianlin Shi <jishi>
Severity: unspecified
Docs Contact:
Priority: high
Version: FDP 23.E
CC: ctrautma, ekuris, i.maximets, jiji, mblue, mmichels
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-21 18:31:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1883298, 2241184

Description Elvira 2023-09-12 10:06:42 UTC
Description of problem:

This is a follow-up of the previously closed https://bugzilla.redhat.com/show_bug.cgi?id=2212952.

After the consensus of fixing this issue on the Neutron side since it was not something controlled by OVN, I proposed and merged a patch that fixed this inconsistency for OpenStack alone [1]. However, the latest testing discovered that the problem varies depending on the OSP (and therefore RHEL) version.

- For OSP 17.1 (RHEL 9.2) the problem was that rate and burst limit was doubled in stateless ACLs. [2]

- For OSP 16.2 (RHEL 8.4) the problem is the exact opposite: the rate and burst limit is double what is expected in stateful ACLs. [3]

With the change we submitted, OSP 17.1 rate and burst is now consistent, but we won't apply it to 16.2 since the problem is the inverse one. We are concerned that this might keep on changing in the future, making the changes unstable.

[1] https://review.opendev.org/c/openstack/neutron/+/892648/

[2] https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-neutron-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-gate-ovn/501/testReport/neutron_plugin.tests.scenario.test_security_group_logging/StatelessSecGroupLoggingTest/test_only_accepted_traffic_logged_id_9aaf65b7_fd9e_43a1_b750_4230fbb2095c_/

[3] https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp_3net-ipv4-geneve-composable-vlan-provider-network/lastCompletedBuild/testReport/neutron_plugin.tests.scenario.test_security_group_logging/StatefulSecGroupLoggingTest/test_only_accepted_traffic_logged_id_92c2ed54_f7f2_4fc0_ae93_ade8f988826a_/

How reproducible:
100%

Actual results:
Consistent rate and burst limit enforcement independently of the version and of the ACL type. 


Just as explained on the previous BZ, we understand that this is not something that can be fixed by OVN, but we would still like to know in more detail what part of the kernel is the one that affects this and if there is any possibility of filing this problem there. At least it would be good to have more information about this so that we can better document it for our users.

Comment 1 Mark Michelson 2023-10-13 13:36:39 UTC
I'm prioritizing this as "high" so the OVN team will look into this and determine if the problem is in OVN or a different layer. If it's in OVN, the actual fix of the issue is not as high a priority. However, let's try to get the root cause determined in a timely manner.