On Wed, Oct 30, 2024 at 2:31 AM Qin, Qiaofeng via discuss <ovs-discuss@openvswitch.org> wrote: > > Hi Numan, > > Thank you for the reply. Yes, The given command (ovn-appctl -t ovn-northd > inc-engine/recompute) can fix the issue without restarting. Besides, we also > found that creating a logical switch (ovn-nbctl ls-add test3) can make the > missing ACL appear in SB.
One work around before this issue is fixed is to create a separate ACLs for each port group rather than sharing across pgs. Thanks Numan > > > Thanks, > Qiaofeng > ________________________________ > From: Numan Siddique <num...@ovn.org> > Sent: Tuesday, October 29, 2024 7:41 PM > To: Qin, Qiaofeng <qiaofeng....@intel.com> > Cc: b...@openvswitch.org <b...@openvswitch.org> > Subject: Re: [ovs-discuss] [OVN] ACLs not translated to SB when added to > multiple port groups > > On Tue, Oct 29, 2024 at 8:47 PM Qin, Qiaofeng via discuss > <ovs-discuss@openvswitch.org> wrote: > > > > Hi, > > > > Recently, we encountered an issue when assigning some ACLs to two port > > groups. When configuring the first ACL, everything looks correct. However, > > after creating the second ACL and assigning it to the second port group, > > the ACL does not appear in the Logical_Flow table, until we continue to > > perform some other operations in the northbound or restart ovn-northd. I > > wonder if this is a bug or a known limitation. > > > > We installed ovn-central 24.09.0 through apt in a Debian Sid host. The > > following logs are the steps to reproduce the issue: > > > > > > # Setup: 2 switches, 2 ports and 2 port groups > > root@38469380e572:/# ovn-nbctl ls-add test1 > > root@38469380e572:/# ovn-nbctl ls-add test2 > > root@38469380e572:/# ovn-nbctl lsp-add test1 p1 > > root@38469380e572:/# ovn-nbctl lsp-add test2 p2 > > root@38469380e572:/# ovn-nbctl pg-add g1 > > root@38469380e572:/# ovn-nbctl pg-add g2 p1 p2 > > > > # Assign acl1 first to g1, then to g2 > > root@334a6440dc45:/# ovn-nbctl --name=rule1 acl-add g1 from-lport 100 > > "foo1" drop > > root@334a6440dc45:/# ovn-nbctl list acl rule1 | grep uuid > > _uuid : fa7caa68-d4fa-4e69-8274-c5e5b57490aa > > root@334a6440dc45:/# ovn-nbctl add port_group g2 acls > > fa7caa68-d4fa-4e69-8274-c5e5b57490aa > > > > # Northbound results: Correct > > root@334a6440dc45:/# ovn-nbctl acl-list g1 > > from-lport 100 (foo1) drop log(name=rule1) > > root@334a6440dc45:/# ovn-nbctl acl-list g2 > > from-lport 100 (foo1) drop log(name=rule1) > > > > # Southbound results: Correct > > root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > > > # Assign acl2 first to g1, then to g2 > > root@334a6440dc45:/# ovn-nbctl --name=rule2 acl-add g1 from-lport 100 > > "foo2" drop > > root@334a6440dc45:/# ovn-nbctl list acl rule2 | grep uuid > > _uuid : 6b6080e5-1ecf-4d1d-bb86-8eb487c622c0 > > root@334a6440dc45:/# ovn-nbctl add port_group g2 acls > > 6b6080e5-1ecf-4d1d-bb86-8eb487c622c0 > > > > # Northbound results: Correct > > root@334a6440dc45:/# ovn-nbctl acl-list g1 > > from-lport 100 (foo1) drop log(name=rule1) > > from-lport 100 (foo2) drop log(name=rule2) > > root@334a6440dc45:/# ovn-nbctl acl-list g2 > > from-lport 100 (foo1) drop log(name=rule1) > > from-lport 100 (foo2) drop log(name=rule2) > > > > # Southbound results: Incorrect - Second ACL does not show > > root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > > > # Remove acl1 from g2 > > root@334a6440dc45:/# ovn-nbctl acl-del g2 from-lport 100 "foo1" > > > > # Northbound results: Correct > > root@334a6440dc45:/# ovn-nbctl acl-list g1 > > from-lport 100 (foo1) drop log(name=rule1) > > from-lport 100 (foo2) drop log(name=rule2) > > root@334a6440dc45:/# ovn-nbctl acl-list g2 > > from-lport 100 (foo2) drop log(name=rule2) > > > > # Southbound results: Incorrect - first ACL not removed > > root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo1)), > > action=(log(name="rule1", severity=info, verdict=drop); reg8[17] = 1; next;) > > > > # Restart OVN can fix the inconsistency: acl1 removed, acl2 appears > > root@334a6440dc45:/# ovn-ctl restart_northd > > root@334a6440dc45:/# ovn-sbctl dump-flows | grep foo > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo2)), > > action=(log(name="rule2", severity=info, verdict=drop); reg8[17] = 1; next;) > > table=8 (ls_in_acl_eval ), priority=1100 , match=((foo2)), > > action=(log(name="rule2", severity=info, verdict=drop); reg8[17] = 1; next;) > > > > > > When we assigned each ACL to only one port group, we did not observe the > > same issue. When we assigned ACLs to (either one or more) logical switches > > instead of port groups, this issue also did not happen. > > Thanks for reporting the issue. Looks like a bug to me in ovn-northd. > > Can you please run the below command instead of restarting and see if > it fixes the issue ? If so, it seems like an incremental processing > bug in ovn-northd. > > ovn-appctl -t ovn-northd inc-engine/recompute > > Thanks > Numan > > > > > > Thanks, > > Qiaofeng > > _______________________________________________ > > discuss mailing list > > disc...@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss > _______________________________________________ > discuss mailing list > disc...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss _______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
