Folks,

Has anyone seen this, or is it a known bug?

I have ACLs on an "external"/"provider" localnet switch that my DR port uses. When I run an ovn-trace on it, the trace says the packet will be dropped, but in reality it is not dropped, as expected and designed.

My Gateway is doing an SNAT:

router ed432a94-99b3-4f2e-be15-3d6bf10b2ec1 (lr_vcn8124626_igw)
    port lr_vcn8124626_igw-ls_vcn8124626_external_igw
        mac: "00:13:97:9a:ff:71"
        networks: ["253.255.80.20/16"]
        gateway chassis: [pcacn002 pcacn001 pcacn003]
    port lr_vcn8124626_igw-lsb_vcn8124626_igw
        mac: "00:13:97:44:35:c5"
        networks: ["253.255.28.4/25"]
    nat ae98281a-16bb-479a-be49-451830cac9d5
        external ip: "10.68.50.38"
        logical ip: "10.226.110.3"
        type: "dnat_and_snat"


So 10.226.110.3 should be changed to 10.68.50.38 before it reaches the localnet switch.
The ACL on the localnet switch is:

ovn-nbctl acl-list ls_vcn8124626_external_igw
  to-lport 32767 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == $vcn8124626_allowed_underlay) allow-related
  to-lport 32766 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == 253.255.0.0/16) drop
  to-lport  1002 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.src == $vcn8124626_igw) allow-related
  to-lport  1001 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip) drop

Where:
ovn-nbctl list Address_Set vcn8124626_igw
_uuid               : 3060caa9-0e93-44f0-88f3-f8e9296076cf
addresses           : ["10.68.50.38"]
external_ids        : {}
name                : vcn8124626_igw

So the priority 1002 rule should and does allow this. I verified this by recreating the rule with severity debug:
2021-01-08T18:23:08.825Z|00106|acl_log(ovn_pinctrl0)|INFO|name="ls_vcn8124626_external_igw-3", verdict=allow, severity=debug: tcp,vlan_tci=0x0000,dl_src=00:13:97:9a:ff:71,dl_dst=00:00:0c:07:ac:01,nw_src=10.68.50.38,nw_dst=10.68.48.206,nw_tos=0,nw_ecn=0,nw_ttl=62,tp_src=37132,tp_dst=22,tcp_flags=syn

Yet when I do a trace, it says that the packet is dropped by the 1001 rule above:

ingress(dp="lr_vcn8124626_igw", inport="lr_vcn8124626_igw-lsb_vcn8124626_igw")
------------------------------------------------------------------------------
 0. lr_in_admission (ovn-northd.c:7854): eth.dst == 00:13:97:44:35:c5 && inport == "lr_vcn8124626_igw-lsb_vcn8124626_igw", priority 50, uuid af2b728a
    next;
 1. lr_in_lookup_neighbor (ovn-northd.c:7903): 1, priority 0, uuid 3a491137
    reg9[3] = 1;
    next;
 2. lr_in_learn_neighbor (ovn-northd.c:7909): reg9[3] == 1 || reg9[2] == 1, priority 100, uuid cbcc1aad
    next;
 9. lr_in_ip_routing (ovn-northd.c:7508): ip4.dst == 0.0.0.0/0, priority 1, uuid a1a4b2dd
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 253.255.0.1;
    reg1 = 253.255.80.20;
    eth.src = 00:13:97:9a:ff:71;
    outport = "lr_vcn8124626_igw-ls_vcn8124626_external_igw";
    flags.loopback = 1;
    next;
10. lr_in_ip_routing_ecmp (ovn-northd.c:9392): reg8[0..15] == 0, priority 150, uuid b0ccc5db
    next;
12. lr_in_arp_resolve (ovn-northd.c:9859): ip4, priority 0, uuid 08c7cc77
    get_arp(outport, reg0);
    /* MAC binding to 00:00:0c:07:ac:01. */
    next;
15. lr_in_gw_redirect (ovn-northd.c:9978): outport == "lr_vcn8124626_igw-ls_vcn8124626_external_igw", priority 50, uuid cf2e8dc7
    outport = "cr-lr_vcn8124626_igw-ls_vcn8124626_external_igw";
    next;
16. lr_in_arp_request (ovn-northd.c:10059): 1, priority 0, uuid d815320c
    output;
    /* Replacing type "chassisredirect" outport "cr-lr_vcn8124626_igw-ls_vcn8124626_external_igw" with distributed port "lr_vcn8124626_igw-ls_vcn8124626_external_igw". */

egress(dp="lr_vcn8124626_igw", inport="lr_vcn8124626_igw-lsb_vcn8124626_igw", outport="lr_vcn8124626_igw-ls_vcn8124626_external_igw")
-------------------------------------------------------------------------------------------------------------------------------------
 3. lr_out_delivery (ovn-northd.c:10105): outport == "lr_vcn8124626_igw-ls_vcn8124626_external_igw", priority 100, uuid 93cfd886
    output;
    /* output to "lr_vcn8124626_igw-ls_vcn8124626_external_igw", type "patch" */

ingress(dp="ls_vcn8124626_external_igw", inport="ls_vcn8124626_external_igw-lr_vcn8124626_igw")
-----------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4505): inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw", priority 50, uuid b9322886
    next;
 3. ls_in_pre_acl (ovn-northd.c:4646): ip && inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw", priority 110, uuid 511a04ba
    next;
19. ls_in_l2_lkup (ovn-northd.c:6893): 1, priority 0, uuid 7f03d594
    outport = "_MC_unknown";
    output;

multicast(dp="ls_vcn8124626_external_igw", mcgroup="_MC_unknown")
-----------------------------------------------------------------

    egress(dp="ls_vcn8124626_external_igw", inport="ls_vcn8124626_external_igw-lr_vcn8124626_igw", outport="ln-ls_vcn8124626_external_igw")
    -----------------------------------------------------------------------------------------------------------------------------------
     1. ls_out_pre_acl (ovn-northd.c:4667): ip && outport == "ln-ls_vcn8124626_external_igw", priority 110, uuid 28eefe23
        next;
     4. ls_out_acl (ovn-northd.c:5132): ct.est && ct_label.blocked == 0 && (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip), priority 2001, uuid 091b3960
        ct_commit(ct_label=0x1/0x1);

Odd?

Brendan


_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
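A small evaluator for the ACL subset used in the post above, added here as an illustration; it is not part of Brendan's message or of OVN itself. It parses the `ovn-nbctl acl-list` output exactly as printed, resolves the two address sets, and reports which to-lport ACL a packet hits for a given inport, source and destination, highest priority first, as OVN evaluates them. The `vcn8124626_igw` set and the packet addresses come from the post; the page does not show what `$vcn8124626_allowed_underlay` contains, so the value used for it here is a constructed assumption. Fed the logical source 10.226.110.3 it lands on the priority 1001 drop, and fed the SNATed source 10.68.50.38 it lands on the priority 1002 allow-related, which is the first thing worth checking when a trace and the live datapath disagree: the router egress in the posted trace lists only lr_out_delivery, so it is worth confirming whether the simulated packet was still carrying the logical IP when it reached ls_out_acl.

```python
import ipaddress
import re

# The ACL list exactly as `ovn-nbctl acl-list ls_vcn8124626_external_igw`
# printed it in the post (real data from the page, one ACL per line).
ACL_LIST = """\
to-lport 32767 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == $vcn8124626_allowed_underlay) allow-related
to-lport 32766 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == 253.255.0.0/16) drop
to-lport  1002 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.src == $vcn8124626_igw) allow-related
to-lport  1001 (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip) drop
"""

# Address sets.  vcn8124626_igw is the real set from the post; the page does
# not show what vcn8124626_allowed_underlay contains, so that value is a
# constructed ASSUMPTION for this example only.
ADDRESS_SETS = {
    "vcn8124626_igw": ["10.68.50.38"],
    "vcn8124626_allowed_underlay": ["10.68.49.0/24"],  # ASSUMED
}

INPORT = "ls_vcn8124626_external_igw-lr_vcn8124626_igw"

ACL_RE = re.compile(
    r"^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+"
    r"(allow-related|allow-stateless|allow|drop|reject)\s*$"
)
TERM_RE = re.compile(r'^(inport|ip4\.src|ip4\.dst)\s*==\s*(\$\w+|"[^"]*"|[\d./]+)$')


def parse_acls(text):
    """Parse acl-list output; highest priority first, as OVN evaluates them."""
    acls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        direction, prio, match, action = m.groups()
        acls.append({"direction": direction, "priority": int(prio),
                     "match": match, "action": action})
    # OVN leaves the outcome undefined when two ACLs of equal priority match
    # the same packet; a stable sort keeps the listing order in that case.
    return sorted(acls, key=lambda a: -a["priority"])


def _in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def _term_matches(term, pkt):
    """Evaluate one '&&'-joined term of the match subset used in the post."""
    term = term.strip()
    if term in ("ip", "ip4"):           # any IPv4 packet
        return True
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unsupported match term: {term!r}")
    field, value = m.groups()
    if field == "inport":
        return pkt["inport"] == value.strip('"')
    networks = ADDRESS_SETS[value[1:]] if value.startswith("$") else [value]
    return _in_networks(pkt["src" if field == "ip4.src" else "dst"], networks)


def first_match(acls, inport, src, dst):
    """(priority, action) of the highest-priority ACL hit; OVN allows if none."""
    pkt = {"inport": inport, "src": src, "dst": dst}
    for acl in acls:
        if all(_term_matches(t, pkt) for t in acl["match"].split("&&")):
            return acl["priority"], acl["action"]
    return None, "allow"


ACLS = parse_acls(ACL_LIST)

# Destination taken from the acl_log line in the post; the two sources are
# the logical IP before SNAT and the external IP after it.
PRE_SNAT = first_match(ACLS, INPORT, "10.226.110.3", "10.68.48.206")
POST_SNAT = first_match(ACLS, INPORT, "10.68.50.38", "10.68.48.206")

if __name__ == "__main__":
    print("pre-SNAT  src 10.226.110.3 ->", PRE_SNAT)    # (1001, 'drop')
    print("post-SNAT src 10.68.50.38  ->", POST_SNAT)   # (1002, 'allow-related')
```

The evaluator only understands the `inport`, `ip4.src`, `ip4.dst`, `ip`/`ip4` and `&&` forms that appear in the posted ACLs and raises on anything else, so it cannot silently mis-evaluate a richer match; extend `TERM_RE` before pointing it at a fuller ruleset.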
