From: shylou <[email protected]>

Consider the case of stateful Firewall for N-S traffic:

PUBLIC---S1-(S1-R1)---------(R1-S1)-R1 -------- S2 ---- VM1

Configuration:

ovn-nbctl pg-add pg_dgw
ovn-nbctl pg-set-ports pg_dgw S1-R1
ovn-nbctl acl-add pg_dgw from-lport 2000 "inport == @pg_dgw && ip4 && icmp4" allow-related
ovn-nbctl acl-add pg_dgw from-lport 1000 "outport == @pg_dgw && ip4" drop
ovn-nbctl acl-add pg_dgw to-lport 1000 "outport == @pg_dgw && ip4" drop
ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 enable_router_port_acl=true

VM1 pings external network.

Through this patch[1], the ovn-controller assigned a CT zone ID to the localnet LSP but not the dgw LSP. This caused ACL failures: ICMP reply packets from external networks performed CT lookups in the wrong zone, couldn't match established connections, and were incorrectly dropped.

Fix by ensuring ports without CT zone allocation use default zone 0, preventing incorrect zone inheritance and restoring proper ACL behavior for distributed gateway scenarios.

[1] https://github.com/shylou/ovn/commit/5ae7d2cb60a50541e88e8f5c74a669e2aa7acdda

Reported-at: https://github.com/ovn-org/ovn/issues/264
Signed-off-by: Xie Liu <[email protected]>
---
 controller/physical.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/controller/physical.c b/controller/physical.c
index 6ac5dcd3f..d1d007790 100644
--- a/controller/physical.c
+++ b/controller/physical.c
@@ -1143,6 +1143,9 @@ put_zones_ofpacts(const struct zone_ids *zone_ids, struct ofpbuf *ofpacts_p)
     if (zone_ids) {
         if (zone_ids->ct) {
             put_load(zone_ids->ct, MFF_LOG_CT_ZONE, 0, 16, ofpacts_p);
+        } else {
+            /* Reset to default zone 0 for ports without CT zone allocation */
+            put_load(0, MFF_LOG_CT_ZONE, 0, 16, ofpacts_p);
         }
         if (zone_ids->dnat) {
             put_load(zone_ids->dnat, MFF_LOG_DNAT_ZONE, 0, 32, ofpacts_p);
-- 
2.46.0.windows.1
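Review bot: the new `else` branch resets MFF_LOG_CT_ZONE to 0 only when `zone_ids` is non-NULL and `zone_ids->ct` is 0; a caller that passes `zone_ids == NULL` skips the whole `if (zone_ids)` block and still leaves whatever value an earlier `put_load` stored in the register, which is the same stale-zone inheritance the commit message describes. Either state in the message why that path cannot be reached for ports without CT zone allocation, or move the reset outside the `if (zone_ids)` guard so the register is always defined. The `if (zone_ids->dnat)` branch directly below has the same shape and no `else`, so the message should also say why a stale DNAT (and SNAT) zone in the register is not a concern for these ports, or reset them the same way. Finally, the patch adds no test for the dgw port with `enable_router_port_acl=true` scenario it describes; a test that sends the ICMP request from VM1 and checks the reply from the external network matches the `allow-related` ACL as an established connection would guard against regressing this.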
