On Fri, Jan 21, 2022 at 1:06 PM Brendan Doyle <[email protected]> wrote:
>
> Just wondering if there was any update on this?
>

I've not tested this scenario, and I'm not too well versed with allow-stateless.
My guess here is that since you're mixing both stateful and stateless, the
packet is getting dropped due to the high-priority flows which ovn-northd
generates to drop packets with ct.inv.

Can you verify if that is the case?

When there are stateful ACLs, you'd see logical flows like

-----
  table=9 (ls_in_acl          ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
  ...
  table=4 (ls_out_acl         ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_label.blocked == 1)), action=(drop;)
-----


I'd suggest checking if these flows are hit in openflow table 17 or 44
on the compute node where the traffic is dropped.

I'm not sure if we support mixing both stateful and stateless. I need to
check the code, though.

Numan
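One way to do the check suggested above (whether the priority-65532 ct.inv / blocked-reply drop flows in OpenFlow tables 17 and 44 are accumulating packets) is to sum the n_packets counters of those flows from `ovs-ofctl dump-flows` output. The script below is an added example, not code from this thread or from OVN; it assumes the integration bridge is named br-int and that dump-flows prints the usual `table=N, n_packets=N,` field layout. The sample dump it runs on is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sum the packet counters of the
# ovn-northd ct.inv / "blocked reply" drop flows in one OpenFlow table,
# reading `ovs-ofctl dump-flows` output from stdin.
# Assumed (not stated on the page): the integration bridge is br-int and the
# dump-flows output uses the usual "table=N, n_packets=N," field layout.
#
# Live use on the compute node where the traffic is dropped:
#   ovs-ofctl dump-flows br-int | ct_drop_hits 17 inv
#   ovs-ofctl dump-flows br-int | ct_drop_hits 44 blocked

ct_drop_hits() {
    table="$1"
    case "$2" in
        inv)     key='ct_state=+inv' ;;      # the ct.inv half of the logical flow
        blocked) key='ct_label=0x1/0x1' ;;   # the ct_label.blocked == 1 half
        *) echo "usage: ct_drop_hits TABLE inv|blocked" >&2; return 1 ;;
    esac
    # Literal substring matches (index), so the '+' and '/' in the keys are
    # not interpreted as regex metacharacters.
    awk -v t=" table=$table," -v k="$key" '
        index($0, t) && index($0, "priority=65532") && index($0, k) && index($0, "actions=drop") {
            for (i = 1; i <= NF; i++)
                if (index($i, "n_packets=") == 1) {
                    v = substr($i, 11); sub(/,$/, "", v)   # strip "n_packets=" and trailing comma
                    total += v
                }
        }
        END { print total + 0 }'
}

# Constructed sample dump (not real counters from the reporter's node): two
# ls_in_acl (table 17) and two ls_out_acl (table 44) drop flows, plus an
# unrelated priority-65535 ct() flow that must be ignored.
SAMPLE_DUMP='cookie=0x0, duration=12.3s, table=17, n_packets=3, n_bytes=222, priority=65532,ct_state=+inv+trk,metadata=0x1 actions=drop
cookie=0x0, duration=12.3s, table=17, n_packets=0, n_bytes=0, priority=65532,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
cookie=0x0, duration=12.3s, table=44, n_packets=5, n_bytes=370, priority=65532,ct_state=+inv+trk,metadata=0x1 actions=drop
cookie=0x0, duration=12.3s, table=44, n_packets=0, n_bytes=0, priority=65532,ct_state=+est+rpl+trk,ct_label=0x1/0x1,metadata=0x1 actions=drop
cookie=0x0, duration=12.3s, table=17, n_packets=40, n_bytes=2960, priority=65535,ct_state=-trk,metadata=0x1 actions=ct(table=18,zone=NXM_NX_REG13[0..15])'

# Demonstration on the constructed sample: prints 3 (ingress ACL ct.inv drops).
printf '%s\n' "$SAMPLE_DUMP" | ct_drop_hits 17 inv
```

A non-zero count for `inv` in table 17 or 44 while the ACL drop log stays silent is consistent with the guess above: these northd-generated drops are not ACL log entries, so ovn-controller records nothing for them. Run the command twice around a test ssh attempt and compare the counts, since the counters are cumulative since the flow was installed.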

>
> On 19/01/2022 10:47, Brendan Doyle wrote:
> > Hi,
> >
> > I have a simple network, two subnets and a VM in each, with Port Group
> > ACLs that should allow ssh traffic from VM1 (192.16.1.6) in net1 to VM2
> > (192.16.2.5) in net2, as follows:
> >
> > net1 (192.16.1.0/24) vm1 --> ssh --> net2 (192.16.2.0/24) vm2
> >
> > However, when I create these ACLs with a mix of stateful and stateless
> > rules (it's a test case), traffic is blocked AND no drop message is seen
> > in the ovn-controller logs (I have checked that I'm looking at the right
> > logs this time)!
> >
> > Running tcpdump on the VMs, I can see the packet sent from VM1 being
> > received by VM2, and the reply sent by VM2 but not received by VM1.
> >
> > North DB config:
> > ================
> > switch 17a5ca86-2b1c-4610-9b2a-ea5be37b46a2 (ls1)
> >     port net2-lr1
> >         type: router
> >         addresses: ["40:44:00:00:00:40"]
> >         router-port: lr1-net2
> >     port net1-lr1
> >         type: router
> >         addresses: ["40:44:00:00:00:30"]
> >         router-port: lr1-net1
> >     port 1cb7d760-90b0-4201-9517-88cb2de31c79
> >         addresses: ["52:54:00:80:d0:c8 192.16.2.5"]
> >     port 47433b54-ac10-42f1-ae84-cc6fbb580297
> >         addresses: ["52:54:00:be:06:16 192.16.1.6"]
> >
> > router bb3ef25f-cfeb-4265-ae54-3872bc61972b (lr1)
> >     port lr1-net1
> >         mac: "40:44:00:00:00:30"
> >         networks: ["192.16.1.1/24"]
> >     port lr1-net2
> >         mac: "40:44:00:00:00:40"
> >         networks: ["192.16.2.1/24"]
> >
> > Port Groups, with ACL UUIDs removed for brevity
> > ===============================================
> > # ovn-nbctl list Port_Group
> > _uuid               : 3bb56a59-bcd2-486a-b86b-25b19f2bf6cf
> > name                : pg2
> > ports               : [6d14a050-675f-4522-a013-19f701f82e39]
> >
> > _uuid               : 59fc542a-daab-449f-9e01-de6bee816770
> > name                : pg1
> > ports               : [10f2ace1-a1bc-4e8e-9694-dbc3f91412a5]
> >
> > VM1 is in pg1 & VM2 is in pg2
> >
> > Now the ACLs which should allow VM1 to ssh to VM2
> > =============================================
> > # ovn-nbctl acl-list pg1
> > from-lport 32767 (inport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
> > from-lport 27000 (inport == @pg1 && ip.proto == 6 && (tcp.dst == 22)) allow-stateless
> > from-lport     0 (inport == @pg1) drop log(name=net1_egress_drop,severity=debug)
> >   to-lport 32767 (outport == @pg1 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
> >   to-lport 11000 (outport == @pg1 && ip.proto == 6 && (tcp.src == 22)) allow-related
> >   to-lport     0 (outport == @pg1) drop log(name=net1_ingress_drop,severity=debug)
> >
> >
> > # ovn-nbctl acl-list pg2
> > from-lport 32767 (inport == @pg2 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
> > from-lport 27000 (inport == @pg2 && ip.proto == 6 && (tcp.src == 22)) allow-stateless
> > from-lport     0 (inport == @pg2) drop log(name=net2_egress_drop,severity=debug)
> >   to-lport 32767 (outport == @pg2 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
> >   to-lport 11000 (outport == @pg2 && ip.proto == 6 && (tcp.dst == 22)) allow-related
> >   to-lport     0 (outport == @pg2) drop log(name=net2_ingress_drop,severity=debug)
> >
> >
> > # ovn-controller --version
> > ovn-controller 21.12.90
> > Open vSwitch Library 2.16.90
> > OpenFlow versions 0x6:0x6
> > SB DB Schema 20.21.0
> >
> >
> > # git rev-parse HEAD
> > a906960af63118fe3bceb0a25c3ad2c85340b359
> >
> >
> > # cat /proc/version
> > Linux version 4.14.35-1902.8.4.el7uek.x86_64
> > (mockbuild@jenkins-10-147-72-125-e2b44982-16a5-48fe-95be-08a1e4c8f805)
> > (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16.0.3) (GCC)) #2 SMP Mon
> > Dec 9 11:39:31 PST 2019
> >
> >
> > _______________________________________________
> > discuss mailing list
> > [email protected]
> > https://urldefense.com/v3/__https://mail.openvswitch.org/mailman/listinfo/ovs-discuss__;!!ACWV5N9M2RV99hQ!dMJPhYubaa3ZDEu7J6_F-Bc3VVvsv2q5w0_xM_dFTa2k-3PhcsGO98kJxABMyoWP5PM$
>