Hi,

Recently, we encountered an issue when assigning some ACLs to two port groups. When configuring the first ACL, everything looks correct. However, after creating the second ACL and assigning it to the second port group, the ACL does not appear in the Logical_Flow table until we perform some other operation in the northbound DB or restart ovn-northd. I wonder whether this is a bug or a known limitation.
We installed ovn-central 24.09.0 through apt on a Debian Sid host. The following log shows the steps to reproduce the issue:

# Setup: 2 switches, 2 ports and 2 port groups
root@38469380e572:/# ovn-nbctl ls-add test1
root@38469380e572:/# ovn-nbctl ls-add test2
root@38469380e572:/# ovn-nbctl lsp-add test1 p1
root@38469380e572:/# ovn-nbctl lsp-add test2 p2
root@38469380e572:/# ovn-nbctl pg-add g1
root@38469380e572:/# ovn-nbctl pg-add g2 p1 p2

# Assign acl1 first to g1, then to g2
root@334a6440dc45:/# ovn-nbctl --name=rule1 acl-add g1 from-lport 100 "foo1" drop
root@334a6440dc45:/# ovn-nbctl list acl rule1 | grep uuid
_uuid               : fa7caa68-d4fa-4e69-8274-c5e5b57490aa
root@334a6440dc45:/# ovn-nbctl add port_group g2 acls fa7caa68-d4fa-4e69-8274-c5e5b57490aa

# Northbound results: Correct
root@334a6440dc45:/# ovn-nbctl acl-list g1
from-lport   100 (foo1) drop log(name=rule1)
root@334a6440dc45:/# ovn-nbctl acl-list g2
from-lport   100 (foo1) drop log(name=rule1)

# Southbound results: Correct
root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)

# Assign acl2 first to g1, then to g2
root@334a6440dc45:/# ovn-nbctl --name=rule2 acl-add g1 from-lport 100 "foo2" drop
root@334a6440dc45:/# ovn-nbctl list acl rule2 | grep uuid
_uuid               : 6b6080e5-1ecf-4d1d-bb86-8eb487c622c0
root@334a6440dc45:/# ovn-nbctl add port_group g2 acls 6b6080e5-1ecf-4d1d-bb86-8eb487c622c0

# Northbound results: Correct
root@334a6440dc45:/# ovn-nbctl acl-list g1
from-lport   100 (foo1) drop log(name=rule1)
from-lport   100 (foo2) drop log(name=rule2)
root@334a6440dc45:/# ovn-nbctl acl-list g2
from-lport   100 (foo1) drop log(name=rule1)
from-lport   100 (foo2) drop log(name=rule2)

# Southbound results: Incorrect - second ACL does not show
root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)

# Remove acl1 from g2
root@334a6440dc45:/# ovn-nbctl acl-del g2 from-lport 100 "foo1"

# Northbound results: Correct
root@334a6440dc45:/# ovn-nbctl acl-list g1
from-lport   100 (foo1) drop log(name=rule1)
from-lport   100 (foo2) drop log(name=rule2)
root@334a6440dc45:/# ovn-nbctl acl-list g2
from-lport   100 (foo2) drop log(name=rule2)

# Southbound results: Incorrect - first ACL not removed
root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)

# Restarting OVN fixes the inconsistency: acl1 removed, acl2 appears
root@334a6440dc45:/# ovn-ctl restart_northd
root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo2)), action=(log(name="rule2", severity=info, verdict=drop); reg8[17] = 1; next;)
  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo2)), action=(log(name="rule2", severity=info, verdict=drop); reg8[17] = 1; next;)

When we assigned each ACL to only one port group, we did not observe the same issue. When we assigned ACLs to (one or more) logical switches instead of port groups, this issue also did not happen.

Thanks,
Qiaofeng
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
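The northbound-versus-southbound comparison the poster did by eye can be automated. The script below is an added example, not part of the original post and not OVN project code: it parses captured `ovn-nbctl acl-list` and `ovn-sbctl dump-flows` text (so it runs offline, without either CLI), builds the multiset of ACL logical flows the northbound state implies, and reports flows that are missing from the southbound dump or stale in it. It assumes what the post's output shows: a port-group ACL yields one flow in stage `ls_in_acl_eval` (from-lport) or `ls_out_acl_eval` (to-lport) on every logical switch that holds a member port, at priority ACL priority + 1000, with the ACL match reproduced verbatim inside the flow match. The topology (`PORT_SWITCH`, `PORT_GROUPS`) and the sample texts are constructed from the post's step after acl1 was removed from g2.

```python
"""Diff the ACLs in OVN NB against the ACL logical flows in OVN SB.

Added example for the mailing-list post above, not OVN project code.  It works
on captured CLI output and encodes these assumptions (taken from the post):
  * from-lport -> stage ls_in_acl_eval, to-lport -> stage ls_out_acl_eval
  * logical-flow priority = ACL priority + 1000
  * one flow per ACL per logical switch that contains a member of the port group
  * the ACL match string appears verbatim, extra-parenthesised, in the flow match
"""
import re
from collections import Counter

PRI_OFFSET = 1000
STAGE = {"from-lport": "ls_in_acl_eval", "to-lport": "ls_out_acl_eval"}

# Constructed topology from the post: p1 on test1, p2 on test2; g1 empty, g2 = {p1, p2}.
PORT_SWITCH = {"p1": "test1", "p2": "test2"}
PORT_GROUPS = {"g1": [], "g2": ["p1", "p2"]}

# Constructed NB state after `ovn-nbctl acl-del g2 from-lport 100 "foo1"` (per port group).
NB_ACL_LIST = {
    "g1": "from-lport   100 (foo1) drop log(name=rule1)\n"
          "from-lport   100 (foo2) drop log(name=rule2)\n",
    "g2": "from-lport   100 (foo2) drop log(name=rule2)\n",
}
# Constructed SB state at the same step: the stale foo1 flows, no foo2 flows.
SB_DUMP_FLOWS = (
    '  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), '
    'action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)\n'
    '  table=8 (ls_in_acl_eval    ), priority=1100 , match=((foo1)), '
    'action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;)\n'
)

ACL_RE = re.compile(r"^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+"
                    r"(allow-related|allow-stateless|allow|drop|reject|pass)"
                    r"(?:\s+log\(.*\))?\s*$")
FLOW_RE = re.compile(r"table=\d+\s+\((\S+)\s*\),\s+priority=(\d+)\s*,\s+"
                     r"match=\((.*)\),\s+action=\(.*\)\s*$")


def parse_acl_list(text):
    """Turn `ovn-nbctl acl-list` lines into (stage, flow_priority, match) keys."""
    keys = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            keys.append((STAGE[m.group(1)], int(m.group(2)) + PRI_OFFSET, m.group(3)))
    return keys


def parse_dump_flows(text):
    """Count (stage, priority, match) for ACL-stage lines of `ovn-sbctl dump-flows`."""
    flows = Counter()
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m or m.group(1) not in STAGE.values():
            continue
        match = m.group(3)
        if match.startswith("(") and match.endswith(")"):
            match = match[1:-1]  # strip the extra parens northd wraps around the ACL match
        flows[(m.group(1), int(m.group(2)), match)] += 1
    return flows


def expected_flows(acl_lists, port_groups, port_switch):
    """Flows NB implies: each port-group ACL once per switch the group spans."""
    expected = Counter()
    for pg, text in acl_lists.items():
        span = {port_switch[p] for p in port_groups.get(pg, [])}
        for key in parse_acl_list(text):
            expected[key] += len(span)
    return expected


def diff_flows(expected, observed):
    """Return (missing, stale): implied-but-absent flows and present-but-unimplied flows."""
    missing = {k: n - observed[k] for k, n in expected.items() if n > observed[k]}
    stale = {k: n - expected[k] for k, n in observed.items() if n > expected[k]}
    return missing, stale


def check(acl_lists=NB_ACL_LIST, sb_text=SB_DUMP_FLOWS,
          port_groups=PORT_GROUPS, port_switch=PORT_SWITCH):
    """Run the NB-vs-SB comparison on captured text; empty dicts mean consistent."""
    return diff_flows(expected_flows(acl_lists, port_groups, port_switch),
                      parse_dump_flows(sb_text))


if __name__ == "__main__":
    missing, stale = check()
    for key, n in missing.items():
        print("MISSING %dx stage=%s priority=%d match=%s" % ((n,) + key))
    for key, n in stale.items():
        print("STALE   %dx stage=%s priority=%d match=%s" % ((n,) + key))
    print("consistent" if not missing and not stale else "NB/SB mismatch")
```

On a live deployment the two texts would come from `ovn-nbctl acl-list <pg>` for each port group and `ovn-sbctl dump-flows`, and the topology from `ovn-nbctl show`; a non-empty result after a change is the signal to look at ovn-northd before the stale drop or missing drop is discovered the hard way.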