Bug 2238507 - Rate and burst limits are not consistent on stateful and stateless ACL logging
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn23.03
Version: FDP 23.E
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Assignee: OVN Team
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks: 1883298 2241184
Reported: 2023-09-12 10:06 UTC by Elvira
Modified: 2023-11-21 18:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-21 18:31:36 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 2213126 | 0 | high | CLOSED | OVN security group logging - burst limit unexpected value | 2024-05-16 04:28:12 UTC
Red Hat Issue Tracker | FD-3151 | 0 | None | None | None | 2023-09-12 10:07:30 UTC

Description Elvira 2023-09-12 10:06:42 UTC
Description of problem:

This is a follow-up of the previously closed https://bugzilla.redhat.com/show_bug.cgi?id=2212952.

After the consensus of fixing this issue on the Neutron side since it was not something controlled by OVN, I proposed and merged a patch that fixed this inconsistency for OpenStack alone [1]. However, the latest testing discovered that the problem varies depending on the OSP (and therefore RHEL) version.

- For OSP 17.1 (RHEL 9.2) the problem was that rate and burst limit was doubled in stateless ACLs. [2]

- For OSP 16.2 (RHEL 8.4) the problem is the exact opposite: rate and burst limit is double what is expected in stateful ACLs. [3]

With the change we submitted, OSP17.1 rate and burst is now consistent, but we won't apply it to 16.2 since the problem is the inverse one. We are concerned that this might keep on changing in the future, making the changes unstable.

[1] https://review.opendev.org/c/openstack/neutron/+/892648/

[2] https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-neutron-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-gate-ovn/501/testReport/neutron_plugin.tests.scenario.test_security_group_logging/StatelessSecGroupLoggingTest/test_only_accepted_traffic_logged_id_9aaf65b7_fd9e_43a1_b750_4230fbb2095c_/

[3] https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp_3net-ipv4-geneve-composable-vlan-provider-network/lastCompletedBuild/testReport/neutron_plugin.tests.scenario.test_security_group_logging/StatefulSecGroupLoggingTest/test_only_accepted_traffic_logged_id_92c2ed54_f7f2_4fc0_ae93_ade8f988826a_/

How reproducible:
100%

Actual results:
Consistent rate and burst limit enforcement independently of the version and of the ACL type. 


Just as explained on the previous BZ, we understand that this is not something that can be fixed by OVN, but we would still like to know in more detail what part of the kernel is the one that affects this and if there is any possibility of filing this problem there. At least it would be good to have more information about this so that we can better document it for our users.

Comment 1 Mark Michelson 2023-10-13 13:36:39 UTC
I'm prioritizing this as "high" so the OVN team will look into this and determine if the problem is in OVN or a different layer. If it's in OVN, the actual fix of the issue is not as high a priority. However, let's try to get the root cause determined in a timely manner.

