[ovs-discuss] Regression in latest LTS - ACLs for ports in multiple Port Groups not working

Brendan Doyle via discuss Tue, 07 May 2024 03:39:00 -0700

Hi,

Seems there is a regression with the latest LTS release in terms of PortGroupACLs when ports are in multiple Port Groups. As an example I have 3ports in aPort Group, and two of them in another Port Group, that has an ACL toallow

IP protocol 112, and this use to work, but now I am seeing lots of:

2024-05-07T05:24:06.692Z|01357|acl_log(ovn_pinctrl0)|INFO|name="def-10",verdict=drop, severity=info, direction=to-lport:ip,vlan_tci=0x0000,dl_src=00:13:97:ec:6a:3d,dl_dst=01:00:5e:00:00:12,nw_src=10.1.2.21,nw_dst=224.0.0.18,nw_proto=112,nw_tos=192,nw_ecn=0,nw_ttl=255,nw_frag=no

If I place the ACL in the PG that has all ports then the 112 pkts areallowed.


Here are the details (an example of just one)

The PG with all ports:

ovn-nbctl list Port_Group pg_vcn4958117_net72295_sl42074
_uuid               : a928b8f5-3fce-4d32-afaa-8a9cc46ac902
acls                : [29cd825f-73c5-461d-8603-c78a1e89e799,
                       30971674-3471-49aa-ab55-8df17528b250,
                       4f311ad6-0eae-4e23-aea8-a48ac8d503af,
                       6d142bf8-30fc-46df-adde-2318c55a62f2,
                       6d448692-ac65-4d40-aa30-c87fa478ed96,
                       a647d19a-eaf6-4240-a323-0065d3fc8b4e,
                       c323482c-b748-41f3-85a9-de67aa541ff5,
                       d3d923d1-0e89-4165-a747-05a5908e5f08]
external_ids        : {}
name                : pg_vcn4958117_net72295_sl42074

ports : [192c7921-8091-4008-878a-5b2f6ae7aadf,lbv4958117L650B a3e67f89-a989-469d-b7f2-a01631ad4f46, 766e9eda-0943-11ef-9ba6-0010e0daa67a ee13c9d9-576b-4fa7-9c5b-c2accbc0a811]lbv4958117L650A


The Port Group that has just two Ports (which are also in the other PG)

ovn-nbctl list Port_Group lb_pg_vcn4958117_L650

_uuid               : 4b04b824-7d27-4a9d-addc-818919544b0f

acls : [444c209a-8ef6-41c7-97d7-aa66a9c38d66,6b76680a-395c-4be1-80df-dcde36426acd]

external_ids        : {}
name                : lb_pg_vcn4958117_L650
ports               : [192c7921-8091-4008-878a-5b2f6ae7aadf, lbv4958117L650B

ee13c9d9-576b-4fa7-9c5b-c2accbc0a811]lbv4958117L650A



The ACL associated with the PG:

ovn-nbctl acl-list lb_pg_vcn4958117_L650

from-lport 32000 (inport == @lb_pg_vcn4958117_L650 && (ip4.dst ==224.0.0.18 && ip.proto == 112)) allow-related to-lport 32000 (outport == @lb_pg_vcn4958117_L650 && (ip4.dst ==224.0.0.18 && ip.proto == 112)) allow-related

That should allow IP 112, but it does not (anymore, like I said it useto work)!


The ACL associated with pg_vcn4958117_net72295_sl42074:

from-lport 16000 (inport == @pg_vcn4958117_net72295_sl42074) allow-related

So Even though the lb_pg_vcn4958117_L650 allows 112, we are hitting thedrop in the ACL above!



I looked at the sbflows and it seems to have flows for the 112 ACL entry:

ovn-sbctl lflow-list
--------------------

Datapath: "ls_vcn4958117_net72295"(7bba2e8d-6612-487b-8f1e-f2e98d281a85) Pipeline: ingress

table=9 (ls_in_acl ), priority=33000, match=(reg0[7] == 1 &&(inport == @lb_pg_vcn4958117_L650 && (ip4.dst == 224.0.0.18 && ip.proto== 112))), action=(reg0[1] = 1; next;) table=9 (ls_in_acl ), priority=33000, match=(reg0[8] == 1 &&(inport == @lb_pg_vcn4958117_L650 && (ip4.dst == 224.0.0.18 && ip.proto== 112))), action=(next;)

Datapath: "ls_vcn4958117_net72295"(7bba2e8d-6612-487b-8f1e-f2e98d281a85) Pipeline: egress

table=4 (ls_out_acl ), priority=33000, match=(reg0[7] == 1 &&(outport == @lb_pg_vcn4958117_L650 && (ip4.dst == 224.0.0.18 && ip.proto== 112))), action=(reg0[1] = 1; next;) table=4 (ls_out_acl ), priority=33000, match=(reg0[8] == 1 &&(outport == @lb_pg_vcn4958117_L650 && (ip4.dst == 224.0.0.18 && ip.proto== 112))), action=(next;)


And OVS flows also seem to have entries:
ovs-ofctl dump-flows br-int

cookie=0x48b6ec2c, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x5,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0xbb05b3e, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x26,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0x45ade6ea, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x28,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0x9ea8bc7e, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x7,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0xc3b6660c, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x31,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0x1574390e, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x32,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0xba0820b4, table=17,priority=33000,ip,reg0=0x100/0x100,reg14=0x4,metadata=0x61,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,18) cookie=0x3ab5481d, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x5,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0x246464a0, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x26,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0xb7597534, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x28,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0xa39db4b2, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x7,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0x1ba59849, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x31,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0x845680ed, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x32,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18) cookie=0x5b88a1c8, table=17,priority=33000,ip,reg0=0x80/0x80,reg14=0x4,metadata=0x61,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,18)

cookie=0x43eec225, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x5,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0xb2e98e98, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x26,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0x22d2bdce, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x28,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0xcbc86a80, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x7,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0x788cf92d, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x31,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0x93fc9ed, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x32,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0xa41bd3e7, table=44,priority=33000,ip,reg0=0x80/0x80,reg15=0x4,metadata=0x61,nw_dst=224.0.0.18,nw_proto=112actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45) cookie=0xb0c3031a, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x5,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0x13552aa4, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x26,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0xda88db5f, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x28,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0xf29c5f9c, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x7,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0x73e20386, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x31,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0xe72b74cd, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x32,metadata=0x7,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45) cookie=0x302c1113, table=44,priority=33000,ip,reg0=0x100/0x100,reg15=0x4,metadata=0x61,nw_dst=224.0.0.18,nw_proto=112actions=resubmit(,45)

And as I said if I add the rule to the PG that has all the ports in it,then things work:



ovn-nbctl acl-list pg_vcn4958117_net72295_sl42074

from-lport 32767 (inport == @pg_vcn4958117_net72295_sl42074 && (arp ||udp.dst == 67 || udp.dst == 68)) allow-relatedfrom-lport 32767 (inport == @pg_vcn4958117_net72295_sl42074 && (ip4.dst== 169.254.0.2 && tcp.dst == 3260)) rejectlog(name=pg_vcn4958117_net72295_sl42074_reject,severity=info)from-lport 32766 (inport == @pg_vcn4958117_net72295_sl42074 && (ip4.src== 169.254.0.0/16 ||ip4.dst == 169.254.0.0/16)) allow-relatedfrom-lport 32000 (inport == @lb_pg_vcn4958117_L650 && (ip.proto == 112))allow-related log(name=BJD)from-lport 32000 (inport == @pg_vcn4958117_net72295_sl42074 && (ip4.dst== 224.0.0.18 && ip.proto == 112)) allow-related log(name=BJD)

from-lport 16000 (inport == @pg_vcn4958117_net72295_sl42074) allow-related

from-lport 0 (inport == @pg_vcn4958117_net72295_sl42074) droplog(name=def-4,severity=info) to-lport 32767 (outport == @pg_vcn4958117_net72295_sl42074 && (arp ||udp.dst == 67 || udp.dst == 68)) allow-related to-lport 32767 (outport == @pg_vcn4958117_net72295_sl42074 &&(ip4.src == 169.254.0.0/16 ||ip4.dst == 169.254.0.0/16)) allow-related to-lport 32000 (outport == @lb_pg_vcn4958117_L650 && (ip.proto ==112)) allow-related log(name=BJD) to-lport 32000 (outport == @pg_vcn4958117_net72295_sl42074 &&(ip4.dst == 224.0.0.18 && ip.proto == 112)) allow-related log(name=BJD) to-lport 0 (outport == @pg_vcn4958117_net72295_sl42074) droplog(name=def-10,severity=info)



Brendan

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

[ovs-discuss] Regression in latest LTS - ACLs for ports in multiple Port Groups not working

Reply via email to