Hi,
I have a simple network, two subnets and a VM in each, with PortGroup ACLs that should allow ssh traffic from VM1 (192.16.1.6) in net1 to VM2 (192.16.2.5) in net2 as follows:
net1 (192.16.1.0/24) vm1 --> ssh --> net2 (192.16.2.0/24) vm2
However, when I create these ACLs with a mix of stateful and stateless rules (it's a test case), traffic is blocked AND no drop message is seen in the ovn-controller logs (have checked, looking at the right logs this time)!
Running tcpdump on the VMs, I can see the pkt sent from VM1, being received by VM2, and the reply sent by VM2, but not received by VM1.
North DB config:
================
switch 17a5ca86-2b1c-4610-9b2a-ea5be37b46a2 (ls1)
    port net2-lr1
        type: router
        addresses: ["40:44:00:00:00:40"]
        router-port: lr1-net2
    port net1-lr1
        type: router
        addresses: ["40:44:00:00:00:30"]
        router-port: lr1-net1
    port 1cb7d760-90b0-4201-9517-88cb2de31c79
        addresses: ["52:54:00:80:d0:c8 192.16.2.5"]
    port 47433b54-ac10-42f1-ae84-cc6fbb580297
        addresses: ["52:54:00:be:06:16 192.16.1.6"]
router bb3ef25f-cfeb-4265-ae54-3872bc61972b (lr1)
    port lr1-net1
        mac: "40:44:00:00:00:30"
        networks: ["192.16.1.1/24"]
    port lr1-net2
        mac: "40:44:00:00:00:40"
        networks: ["192.16.2.1/24"]
Port Groups (ACL uuids removed for brevity)
=====================================
ovn-nbctl list Port_Group
_uuid : 3bb56a59-bcd2-486a-b86b-25b19f2bf6cf
name : pg2
ports : [6d14a050-675f-4522-a013-19f701f82e39]
_uuid : 59fc542a-daab-449f-9e01-de6bee816770
name : pg1
ports : [10f2ace1-a1bc-4e8e-9694-dbc3f91412a5]
VM1 is in pg1 & VM2 is in pg2
Now the ACLs which should allow VM1 to ssh to VM2
=============================================
# ovn-nbctl acl-list pg1
from-lport 32767 (inport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg1 && ip.proto == 6 && (tcp.dst == 22)) allow-stateless
from-lport 0 (inport == @pg1) drop log(name=net1_egress_drop,severity=debug)
to-lport 32767 (outport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
to-lport 11000 (outport == @pg1 && ip.proto == 6 && (tcp.src == 22)) allow-related
to-lport 0 (outport == @pg1) drop log(name=net1_ingress_drop,severity=debug)
# ovn-nbctl acl-list pg2
from-lport 32767 (inport == @pg2 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg2 && ip.proto == 6 && (tcp.src == 22)) allow-stateless
from-lport 0 (inport == @pg2) drop log(name=net2_egress_drop,severity=debug)
to-lport 32767 (outport == @pg2 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
to-lport 11000 (outport == @pg2 && ip.proto == 6 && (tcp.dst == 22)) allow-related
to-lport 0 (outport == @pg2) drop log(name=net2_ingress_drop,severity=debug)
Brendan
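As an added audit check (not part of Brendan's post or of the OVN project), the script below parses `ovn-nbctl acl-list` output and flags a port group whose rule set mixes allow-stateless with allow-related, the combination the post reports as breaking the SSH reply path. The sample input is the pg1 list above with the mail-wrapped lines rejoined; the parser and the check are assumptions of this example, not OVN tooling.

```python
import re

# Sample input, constructed from the `ovn-nbctl acl-list pg1` output in the
# post with the mail-wrapped lines re-joined; not captured from a live system.
PG1_ACLS = """\
from-lport 32767 (inport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg1 && ip.proto == 6 && (tcp.dst == 22)) allow-stateless
from-lport 0 (inport == @pg1) drop log(name=net1_egress_drop,severity=debug)
to-lport 32767 (outport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
to-lport 11000 (outport == @pg1 && ip.proto == 6 && (tcp.src == 22)) allow-related
to-lport 0 (outport == @pg1) drop log(name=net1_ingress_drop,severity=debug)
"""

# One acl-list line: direction, priority, parenthesised match, action, optional log(...).
ACL_RE = re.compile(
    r"^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+"
    r"(allow-related|allow-stateless|allow|drop|reject)"
    r"(?:\s+log\((.*)\))?\s*$"
)

def parse_acl_list(text):
    """Parse `ovn-nbctl acl-list` output into a list of dicts, one per ACL."""
    acls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        acls.append({"direction": m.group(1), "priority": int(m.group(2)),
                     "match": m.group(3), "action": m.group(4), "log": m.group(5)})
    return acls

def stateless_stateful_mix(acls):
    """Return the allow-stateless ACLs of a port group whose rule set also uses
    allow-related, i.e. the stateful/stateless mix the post reports as blocking
    return traffic. Empty list when the rule set is uniformly one or the other."""
    actions = {a["action"] for a in acls}
    if "allow-stateless" not in actions or "allow-related" not in actions:
        return []
    return [(a["direction"], a["priority"], a["match"])
            for a in acls if a["action"] == "allow-stateless"]

if __name__ == "__main__":
    for direction, prio, match in stateless_stateful_mix(parse_acl_list(PG1_ACLS)):
        print(f"mixed tracking: {direction} {prio} ({match}) is allow-stateless "
              f"alongside allow-related rules in the same port group")
```

Run it against `ovn-nbctl acl-list <port-group>` output for each port group; an empty result means the rule set is consistently stateful or consistently stateless.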