<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 15, 2020, at 9:42 AM, Daniel Alvarez Sanchez <<a href="mailto:dalvarez@redhat.com" class="">dalvarez@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br class="Apple-interchange-newline"><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div dir="ltr" class="gmail_attr">On Tue, Dec 15, 2020 at 2:58 PM Krzysztof Klimonda <<a href="mailto:kklimonda@syntaxhighlighted.com" class="">kklimonda@syntaxhighlighted.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><u class=""></u><div class=""><div class="">Hi Flavio, Dumitru<br class=""></div><div class=""><br class=""></div><div class="">See inline for replies<br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">On Tue, Dec 15, 2020, at 12:37, Flavio Fernandes wrote:<br class=""></div><blockquote type="cite" id="gmail-m_1015827249715712601qt" style="overflow-wrap: break-word;" class=""><div class=""><br class=""></div><div class=""><div class=""><br class=""></div><blockquote type="cite" class=""><div class="">On Dec 15, 2020, at 6:20 AM, Dumitru Ceara <<a href="mailto:dceara@redhat.com" target="_blank" class="">dceara@redhat.com</a>> wrote:<br class=""></div><div class=""><br class=""></div><div class=""><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">On 12/15/20 12:02 PM, Krzysztof Klimonda wrote:</span></span></span><br class=""></div><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><div class="">Hi Dumitru,<br class=""></div><div class=""><br class=""></div><div class="">Thanks for checking it out.<br class=""></div><div class=""><br class=""></div><div class="">On Tue, Dec 15, 2020, at 10:45, Dumitru Ceara wrote:<br class=""></div><blockquote type="cite" class=""><div class="">Hi Krzysztof,<br class=""></div><div class=""><br class=""></div><div class="">Thanks for the DBs and all the details.<br class=""></div><div class=""><br class=""></div><div class="">I gave it a try on my local setup, using your DBs.  The behavior below<br class=""></div><div class="">is identical on v20.06.2, branch-20.12 and current master.<br class=""></div></blockquote><div class=""><br class=""></div><div class="">I have to admit I'm not sure why in your tests the behaviour is the same in 20.06.2 - unfortunately I no longer have access to the environment with that version, so I can't re-verify that on my end and I based it on the fact that this SG was created by magnum for kubernetes cluster deployed on top of openstack, and the cluster was being tested successfully. The earliest I can try recreating this with 20.06.2 release is next year, so I'm not sure if this will be of any help.<br class=""></div><div class=""><br class=""></div></blockquote><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">I just rechecked with 20.06.2 and I'm 100% sure that with the DBs you</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">provided and the behavior is exactly the same as with newer branches</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">(including latest master).</span></span></span><br class=""></div><div class=""><br class=""></div><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><div class="">[...]<br class=""></div><blockquote type="cite" class=""><div class=""><br class=""></div><div class="">For TCP traffic 172.16.0.11 -> 172.16.0.10 we don't hit any of the<br class=""></div><div class="">allow-related ACLs.  172.16.0.11 is not set as a port address on port<br class=""></div><div class="">81d23182-37ac-4d3d-815e-4c25d26fe154 so it will not be included in the<br class=""></div><div class="">auto-generated address_set pg_ed081ef3_754a_492f_80b2_fb73cd2dceed_ip4.<br class=""></div><div class=""><br class=""></div><div class="">On the other hand, for TCP traffic 10.0.0.11 -> 172.16.0.10 we hit the<br class=""></div><div class="">4th allow-related ACL:<br class=""></div><div class="">to-lport  1002 (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed &&<br class=""></div><div class="">ip4 && ip4.src == $pg_ed081ef3_754a_492f_80b2_fb73cd2dceed_ip4 && tcp)<br class=""></div><div class="">allow-related<br class=""></div><div class=""><br class=""></div><div class="">ICMP traffic matches the 5th allow-related ACL which doesn't check<br class=""></div><div class="">source IPs:<br class=""></div><div class="">to-lport  1002 (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed &&<br class=""></div><div class="">ip4 && ip4.src ==<span class="Apple-converted-space"> </span><a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a><span class="Apple-converted-space"> </span>&& icmp4) allow-related<br class=""></div><div class=""><br class=""></div><div class="">So, unless I'm missing something, OVN is doing what it's supposed to do<br class=""></div><div class="">based on the current configuration.  To avoid adding a new ACL, one<br class=""></div><div class="">option would be to add the 172.16.0.10 and 172.16.0.11 IPs to the<br class=""></div><div class="">corresponding logical_switch_ports "addresses" column, i.e., something like:<br class=""></div></blockquote><div class=""><br class=""></div><div class="">The problem with adding those addresses to LSP is that they are outside of OVN/neutron control - this is a kubernetes cluster deployed with magnum, where CNI plugin (calico) doesn't use any tunneling between k8s nodes, each pod has address in<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>subnet and uses addresses from<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>to communicate witch other pods. To accomodate that ports have<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>added to their allowed addresses.<br class=""></div><div class=""><br class=""></div><div class="">I'm assuming that, if OVN is doing what it's supposed to be doing based on the configuration[1], then there is a mismatch between neutron and OVN behaviour in regards to SG with allowed address pairs? I guess someone from neutron team would have to comment whether it's<span class=""> </span><br class=""></div></blockquote><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">I agree, some input from neutron would be great. (cc-ing Daniel).</span></span></span><br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">Hi folks. I'm caching up on this thread and have a follow up question/request.<br class=""></div><div class=""><br class=""></div><div class="">@Krzysztof: can you tell me a little more about how the ips 172.16.0.10 and 172.16.0.11 are added as<br class=""></div><div class="">secondary on the neutron ports? Are you using multiple fixed ip addresses? Do you have 2 neutron subnets configured<br class=""></div><div class="">on the same neutron network?<br class=""></div><div class=""><br class=""></div><div class="">The reason I ask is because a neutron network and its associated neutron subnet(s) are "aggregated" into a single logical switch<br class=""></div><div class="">in OVN. In fact, neutron subnets have no corresponding row in OVN. So I wonder if what you really want are 2 separate neutron<br class=""></div><div class="">ports for each vm, instead of a single port with overlapping subnets.<br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">Not sure what do you mean by overlapping subnets - the subnets in question are<span class="Apple-converted-space"> </span><a href="http://10.0.0.0/8" target="_blank" class="">10.0.0.0/8</a><span class="Apple-converted-space"> </span>and<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a>.<br class=""></div></div></blockquote></div></div></blockquote><div><br class=""></div><div>My bad. I meant to say 2 neutron subnets on the same neutron network. So the work I meant to use was "IP Multinetting".</div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class=""><div class=""><br class=""></div><div class="">The IP addresses are added either as secondary IP addresses set on the interface inside VM (in my manual testing), or are result of calico CNI using "physical" interface (as opposed to IPIP tunnel) for pod-to-pod communication - in that case each pod gets IP address from<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>and Linux just pushes packets based on routing rules (internally<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>is split into smaller networks allocated to each k8s node, and each network receives an entry in routing table that push packets to a specific node).</div></div></blockquote></div></div></blockquote><div><br class=""></div><div>Ack. If you were adding secondary address via openstack, I think the address would have been populated in OVN in the way you wanted.</div><div>Look here as an example for having a port with multiple fixed addresses (using same subnet in this case, but you can have different subnet):</div><div>        <a href="https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/755760/5/neutron_tempest_plugin/scenario/test_port_forwardings.py#249" class="">https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/755760/5/neutron_tempest_plugin/scenario/test_port_forwardings.py#249</a></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class=""><div class=""><br class=""></div><div class="">Whether it should be a separate neutron port is an excellent question - this security group configuration comes from magnum, which configures port with Pod/service(?) network added to allowed address on all kubernetes nodes, and security group being configured to allow for all TCP/UDP traffic between ports with that SG attached. There is entire separate kuryr-kubernetes project that tries to marry kubernetes CNI with neutron directly, but in our very limited testing it requires more work to be stable in our deployments.<br class=""></div><div class=""><br class=""></div><div class="">See <a href="https://github.com/openstack/magnum/blob/c556b8964fab129f33e766b1c33908b2eb001df4/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml" target="_blank" class="">https://github.com/openstack/magnum/blob/c556b8964fab129f33e766b1c33908b2eb001df4/magnum/drivers/k8s_fedora_coreos_v1/templates/kubeminion.yaml</a> for where magnum sets up the allowed_address_pairs attribute on the port, and <a href="https://github.com/openstack/magnum/blob/c556b8964fab129f33e766b1c33908b2eb001df4/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml#L1038" target="_blank" class="">https://github.com/openstack/magnum/blob/c556b8964fab129f33e766b1c33908b2eb001df4/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml#L1038</a> for where security group is defined.<br class=""></div><div class=""><br class=""></div><blockquote type="cite" id="gmail-m_1015827249715712601qt" style="overflow-wrap: break-word;" class=""><div class=""><div class=""><br class=""></div><div class="">Thanks,<br class=""></div><div class=""><br class=""></div><div class="">-- flaviof<br class=""></div><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class=""><br class=""></div><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><div class=""><br class=""></div><div class="">[1] I'm not entirely convinced that's the case given that ICMP traffic is being forwarded - I see how it's doing what programmed flows are telling it to do, but that doesn't seem to be expected result.<br class=""></div></blockquote><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">I'm confused, why wouldn't this be expected?</span></span></span><br class=""></div></div></blockquote></div></blockquote><div class=""><br class=""></div><div class="">From (openstack) user's perspective if there are two security groups:<br class=""></div><div class="">- allow for ICMP traffic between ports in the same security group<br class=""></div><div class="">- allow for TCP traffic between ports in the same security group<br class=""></div><div class=""><br class=""></div><div class="">and one of the rules is working, but the other one is not, then this is not an expected behaviour (again, from openstack user perspective). It's definitely possible that there is a disconnect between what's expected in that case between neutron and ovn - perhaps neutron should add additional entries to OVN's northbound db to support that specific security group feature? <br class=""></div></div></blockquote><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I agree with everybody here but... :)</div><div class=""><br class=""></div><div class="">- Does it work with ML2/OVS? Are addresses in the allowed-address pairs accounted for remote groups (for example, Floating IPs are not).</div><div class="">- If the answer to the above is yes, then I'd agree that we need to fix it in OpenStack by:</div><div class="">a) Adding the allowed-address pairs to the 'addresses' column of the Logical_Switch_Port row assuming that this doesn't break DHCP</div><div class="">b) Adding more conditions to the ACL to match not only on the $pg_xxx Address_Set but also on each and every IP address of the allowed-addresses.</div><div class="">- If the answer to the above is yes, we need to add coverage in OpenStack as CI is clearly not testing this path</div><div class="">- If the answer to the above is no, then you need to add explicit Neutron Security Group rules to allow traffic originated from the allowed-address pairs (you can do this for now as a workaround)</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Chris, are you able to test this with ML2/OVS and report back the results?</div><div class=""><br class=""></div><div class="">Either way I don't think there's anything wrong with OVN and we can move this discussion to the openstack-discuss ML :)</div><div class=""><br class=""></div></div></div></blockquote><div><br class=""></div><div>Agree. This was my last msg here on this, if that is okay with y'all.</div><div><br class=""></div><div>-- flaviof</div><br class=""><blockquote type="cite" class=""><div class=""><div class="gmail_quote" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div class="">Thanks,</div><div class="">daniel</div><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-style: solid; border-left-color: rgb(204, 204, 204); padding-left: 1ex;"><div class=""><div class=""></div><div class=""><br class=""></div><blockquote type="cite" id="gmail-m_1015827249715712601qt" style="overflow-wrap: break-word;" class=""><div class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">The ICMP ACL explicitly allows traffic to any port in the port group if</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">it's ICMP and comes from any IP source:</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">to-lport  1002 (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed &&</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">ip4 && ip4.src ==<span class="Apple-converted-space"> </span><a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a><span class="Apple-converted-space"> </span>&& icmp4) allow-related</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">For TCP the match is more restrictive:</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">The TCP ACL allows traffic to any port in the port group if the IP</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">source is part of the addresses defined on the logical ports that are</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">part of the port group:</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">to-lport  1002 (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">&&ip4 && ip4.src == $pg_ed081ef3_754a_492f_80b2_fb73cd2dceed_ip4 && tcp)</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">allow-related</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">But the traffic comes from 172.16.0.11 which is not an address on the</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">logical switch port.  So traffic doesn't match the allow ACL and instead</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">matches the deny-all ACL.</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">OVN cannot automatically deduce anything from the fact that</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">port_security includes<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>and without help from the CMS it</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">cannot decide to allow traffic from 172.16.0.11.</span></span></span><br class=""></div><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">Regards,</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">Dumitru</span></span></span><br class=""></div><div class=""><br class=""></div><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;" class=""><div class="">Best Regards,<br class=""></div><div class=""> Chris<br class=""></div><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><br class=""></div><div class="">Thanks,<br class=""></div><div class="">Dumitru<br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">On 12/14/20 4:43 PM, Krzysztof Klimonda wrote:<br class=""></div><blockquote type="cite" class=""><div class="">Hi Numan,<br class=""></div><div class=""><br class=""></div><div class=""><a href="https://signal.klimonda.com/ovnnb.db-broken.txt" target="_blank" class="">https://signal.klimonda.com/ovnnb.db-broken.txt</a><span class="Apple-converted-space"> </span>- this is the "initial" state where TCP is not being established (but ping works)<br class=""></div><div class=""><a href="https://signal.klimonda.com/ovnnb.db-working.txt" target="_blank" class="">https://signal.klimonda.com/ovnnb.db-working.txt</a><span class="Apple-converted-space"> </span>- this is after I create a separate IP-based rule to allow TCP traffic<br class=""></div><div class=""><br class=""></div><div class="">In both examples, security group in question is ed081ef3-754a-492f-80b2-fb73cd2dceed which is mapped to pg_ed081ef3_754a_492f_80b2_fb73cd2dceed port group.<br class=""></div><div class=""><br class=""></div><div class="">In the second ovnnb.db (ovnnb.db-working.txt), there is an extra ACL fb464efc-f63b-494b-b59b-6c2860dcecba added from CLI via:<br class=""></div><div class=""><br class=""></div><div class="">`openstack security group rule create --ingress --protocol tcp --remote-ip<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/24" target="_blank" class="">172.16.0.0/24</a><span class="Apple-converted-space"> </span>default`<br class=""></div><div class=""><br class=""></div><div class="">-- Krzysztof Klimonda<span class="Apple-converted-space"> </span><a href="mailto:kklimonda@syntaxhighlighted.com" target="_blank" class="">kklimonda@syntaxhighlighted.com</a><span class="Apple-converted-space"> </span>On Mon, Dec 14,<br class=""></div><div class="">2020, at 14:14, Numan Siddique wrote:<br class=""></div><blockquote type="cite" class=""><div class="">On Mon, Dec 14, 2020 at 4:01 PM Krzysztof Klimonda<br class=""></div><div class=""><<a href="mailto:kklimonda@syntaxhighlighted.com" target="_blank" class="">kklimonda@syntaxhighlighted.com</a>> wrote:<br class=""></div><blockquote type="cite" class=""><div class="">Hi,<br class=""></div><div class=""><br class=""></div><div class="">After upgrading to OVN 20.12.0 snapshot d8bc0377c I've noticed a problem in communication between VMs that use allowed address pairs and remote group id in security groups. I believe it has worked properly with OVN 20.06.2 release (although I have no way of verifying it right now).<br class=""></div></blockquote><div class="">Thanks for reporting the issue.<br class=""></div><div class=""><br class=""></div><div class="">Is it possible for you to share the OVN NB DB somewhere ?<br class=""></div><div class=""><br class=""></div><div class="">It would be easier to reproduce the issue with the DB.<br class=""></div><div class=""><br class=""></div><div class="">Thanks<br class=""></div><div class="">Numan<br class=""></div><div class=""><br class=""></div><blockquote type="cite" class=""><div class="">Given the following scenario:<br class=""></div><div class=""><br class=""></div><div class="">- 2 VMs with IP addresses: vm-a with IP addresses 10.0.0.10 and 172.16.0.10 and vm-b with IP addresses 10.0.0.11 and 172.16.0.11 where<span class="Apple-converted-space"> </span><a href="http://10.0.0.0/8" target="_blank" class="">10.0.0.0/8</a><span class="Apple-converted-space"> </span>addresses are set on ports, and<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a><span class="Apple-converted-space"> </span>addresses are set in allowed-address for on ports<br class=""></div><div class="">- There is single security group attached to both ports allowing for ingress tcp traffic coming from the same security group (remote-group)<br class=""></div><div class="">- There is a TCP service listening on 10.0.0.10 on port 8000<br class=""></div><div class=""><br class=""></div><div class="">When I try accessing service from vm-b using 10.0.0.10 address, ovn forwards traffic properly. However, when I try accessing same service via 172.16.0.10 traffic is dropped.<br class=""></div><div class=""><br class=""></div><div class="">When I trace packets between VMs using ovn-trace, for first scenario the last step is:<br class=""></div><div class=""><br class=""></div><div class="">----8<----8<----<br class=""></div><div class="">ct_next(ct_state=est|trk /* default (use --ct to customize) */)<br class=""></div><div class="">---------------------------------------------------------------<br class=""></div><div class="">4. ls_out_acl_hint (ovn-northd.c:5292): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid ab5a233e<br class=""></div><div class="">   reg0[8] = 1;<br class=""></div><div class="">   reg0[10] = 1;<br class=""></div><div class="">   next;<br class=""></div><div class="">5. ls_out_acl (ovn-northd.c:5498): reg0[8] == 1 && (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed && ip4 && ip4.src == $pg_ed081ef3_754a_492f_80b2_fb73cd2dceed_ip4 && tcp), priority 2002, uuid d92706d4<br class=""></div><div class="">   next;<br class=""></div><div class="">9. ls_out_port_sec_ip (ovn-northd.c:4525): outport == "864929" && eth.dst == fa:16:3e:bc:20:10 && ip4.dst == {255.255.255.255,<span class="Apple-converted-space"> </span><a href="http://224.0.0.0/4" target="_blank" class="">224.0.0.0/4</a>, 10.0.0.10,<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a>}, priority 90, uuid ff3390b1<br class=""></div><div class="">   next;<br class=""></div><div class="">10. ls_out_port_sec_l2 (ovn-northd.c:4929): outport == "864929" && eth.dst == {fa:16:3e:bc:20:10}, priority 50, uuid af91c05c<br class=""></div><div class="">   output;<br class=""></div><div class="">   /* output to "864929", type "" */<br class=""></div><div class="">----8<----8<----<br class=""></div><div class=""><br class=""></div><div class="">However, when I use<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/24" target="_blank" class="">172.16.0.0/24</a><span class="Apple-converted-space"> </span>addresses, the last step changes to:<br class=""></div><div class=""><br class=""></div><div class="">----8<----8<----<br class=""></div><div class="">ct_next(ct_state=est|trk /* default (use --ct to customize) */)<br class=""></div><div class="">---------------------------------------------------------------<br class=""></div><div class="">4. ls_out_acl_hint (ovn-northd.c:5292): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid ab5a233e<br class=""></div><div class="">   reg0[8] = 1;<br class=""></div><div class="">   reg0[10] = 1;<br class=""></div><div class="">   next;<br class=""></div><div class="">5. ls_out_acl (ovn-northd.c:5553): reg0[10] == 1 && (outport == @neutron_pg_drop && ip), priority 2001, uuid e36c0840<br class=""></div><div class="">   ct_commit { ct_label.blocked = 1; };<br class=""></div><div class="">----8<----8<----<br class=""></div><div class=""><br class=""></div><div class="">Further notes:<br class=""></div><div class=""><br class=""></div><div class="">- ICMP traffic between<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/24" target="_blank" class="">172.16.0.0/24</a><span class="Apple-converted-space"> </span>addresses is forwarded correctly, with last step of ovn-trace being:<br class=""></div><div class=""><br class=""></div><div class="">----8<----8<----<br class=""></div><div class="">ct_next(ct_state=est|trk /* default (use --ct to customize) */)<br class=""></div><div class="">---------------------------------------------------------------<br class=""></div><div class="">4. ls_out_acl_hint (ovn-northd.c:5292): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid ab5a233e<br class=""></div><div class="">   reg0[8] = 1;<br class=""></div><div class="">   reg0[10] = 1;<br class=""></div><div class="">   next;<br class=""></div><div class="">5. ls_out_acl (ovn-northd.c:5498): reg0[8] == 1 && (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed && ip4 && ip4.src ==<span class="Apple-converted-space"> </span><a href="http://0.0.0.0/0" target="_blank" class="">0.0.0.0/0</a><span class="Apple-converted-space"> </span>&& icmp4), priority 2002, uuid cd1705d8<br class=""></div><div class="">   next;<br class=""></div><div class="">9. ls_out_port_sec_ip (ovn-northd.c:4525): outport == "864929" && eth.dst == fa:16:3e:bc:20:10 && ip4.dst == {255.255.255.255,<span class="Apple-converted-space"> </span><a href="http://224.0.0.0/4" target="_blank" class="">224.0.0.0/4</a>, 10.0.0.10,<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a>}, priority 90, uuid ff3390b1<br class=""></div><div class="">   next;<br class=""></div><div class="">10. ls_out_port_sec_l2 (ovn-northd.c:4929): outport == "864929" && eth.dst == {fa:16:3e:bc:20:10}, priority 50, uuid af91c05c<br class=""></div><div class="">   output;<br class=""></div><div class="">   /* output to "864929", type "" */<br class=""></div><div class="">----8<----8<----<br class=""></div><div class=""><br class=""></div><div class="">- If I replace security group rule, changing remote group to remote ip, traffic is forwarded correctly and last step in ovn-trace is:<br class=""></div><div class=""><br class=""></div><div class="">----8<----8<----<br class=""></div><div class="">ct_next(ct_state=est|trk /* default (use --ct to customize) */)<br class=""></div><div class="">---------------------------------------------------------------<br class=""></div><div class="">4. ls_out_acl_hint (ovn-northd.c:5292): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0, priority 4, uuid ab5a233e<br class=""></div><div class="">   reg0[8] = 1;<br class=""></div><div class="">   reg0[10] = 1;<br class=""></div><div class="">   next;<br class=""></div><div class="">5. ls_out_acl (ovn-northd.c:5498): reg0[8] == 1 && (outport == @pg_ed081ef3_754a_492f_80b2_fb73cd2dceed && ip4 && ip4.src ==<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/24" target="_blank" class="">172.16.0.0/24</a><span class="Apple-converted-space"> </span>&& tcp), priority 2002, uuid a0871ca2<br class=""></div><div class="">   next;<br class=""></div><div class="">9. ls_out_port_sec_ip (ovn-northd.c:4525): outport == "864929" && eth.dst == fa:16:3e:bc:20:10 && ip4.dst == {255.255.255.255,<span class="Apple-converted-space"> </span><a href="http://224.0.0.0/4" target="_blank" class="">224.0.0.0/4</a>, 10.0.0.10,<span class="Apple-converted-space"> </span><a href="http://172.16.0.0/16" target="_blank" class="">172.16.0.0/16</a>}, priority 90, uuid ff3390b1<br class=""></div><div class="">   next;<br class=""></div><div class="">10. ls_out_port_sec_l2 (ovn-northd.c:4929): outport == "864929" && eth.dst == {fa:16:3e:bc:20:10}, priority 50, uuid af91c05c<br class=""></div><div class="">   output;<br class=""></div><div class="">   /* output to "864929", type "" */<br class=""></div><div class="">----8<----8<----<br class=""></div><div class=""><br class=""></div><div class="">--<br class=""></div><div class=""> Krzysztof Klimonda<br class=""></div><div class=""> <a href="mailto:kklimonda@syntaxhighlighted.com" target="_blank" class="">kklimonda@syntaxhighlighted.com</a><br class=""></div><div class="">_______________________________________________<br class=""></div><div class="">discuss mailing list<br class=""></div><div class=""><a href="mailto:discuss@openvswitch.org" target="_blank" class="">discuss@openvswitch.org</a><br class=""></div><div class=""><a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" target="_blank" class="">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a><br class=""></div></blockquote></blockquote><div class="">_______________________________________________<br class=""></div><div class="">discuss mailing list<br class=""></div><div class=""><a href="mailto:discuss@openvswitch.org" target="_blank" class="">discuss@openvswitch.org</a><br class=""></div><div class=""><a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" target="_blank" class="">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a><br class=""></div><div class=""><br class=""></div></blockquote><div class=""><br class=""></div><div class=""><br class=""></div></blockquote><div class=""><br class=""></div></blockquote><div class=""><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">_______________________________________________</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class="">discuss mailing list</span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class=""><a href="mailto:discuss@openvswitch.org" target="_blank" class="">discuss@openvswitch.org</a></span></span></span><br class=""></div><div class=""><span style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline;" class=""><span style="font-family: Helvetica;" class=""><span style="font-size: 12px;" class=""><a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" target="_blank" class="">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a></span></span></span><br class=""></div></div></blockquote></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><b class="">Attachments:</b><br class=""></div><ul class=""><li class="">signature.asc<br class=""></li></ul></blockquote><div class=""><br class=""></div></div>_______________________________________________<br class="">discuss mailing list<br class=""><a href="mailto:discuss@openvswitch.org" target="_blank" class="">discuss@openvswitch.org</a><br class=""><a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" rel="noreferrer" target="_blank" class="">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a></blockquote></div></div></blockquote></div><br class=""></body></html>