[ovs-discuss] problems ovn-trace and ACLs with a DR Port

Brendan Doyle brendan.doyle at oracle.com
Fri Jan 8 18:40:02 UTC 2021 

Folks,

Has anyone seen this os is it a know bug.

I have an ACLs on an "external"/"provider" local net switch that my DR 
port uses, when I run an ovn-trace on it
the trace says the pkt will be dropped, but in reality it is not dropped 
as expected and designed.

My Gateway is doing an SNAT:

router ed432a94-99b3-4f2e-be15-3d6bf10b2ec1 (lr_vcn8124626_igw)
     port lr_vcn8124626_igw-ls_vcn8124626_external_igw
         mac: "00:13:97:9a:ff:71"
         networks: ["253.255.80.20/16"]
         gateway chassis: [pcacn002 pcacn001 pcacn003]
     port lr_vcn8124626_igw-lsb_vcn8124626_igw
         mac: "00:13:97:44:35:c5"
         networks: ["253.255.28.4/25"]
     nat ae98281a-16bb-479a-be49-451830cac9d5
         external ip: "10.68.50.38"
         logical ip: "10.226.110.3"
         type: "dnat_and_snat"


So 10.226.110.3 should be changed to 10.68.50.38 before it reaches the 
localnet switch.
The ACL on the localnet switch is:

ovn-nbctl acl-list ls_vcn8124626_external_igw
   to-lport 32767 (inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == 
$vcn8124626_allowed_underlay) allow-related
   to-lport 32766 (inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.dst == 
253.255.0.0/16) drop
   to-lport  1002 (inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip4.src == 
$vcn8124626_igw) allow-related
   to-lport  1001 (inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw" && ip) drop

Where:
ovn-nbctl list Address_Set vcn8124626_igw
_uuid               : 3060caa9-0e93-44f0-88f3-f8e9296076cf
addresses           : ["10.68.50.38"]
external_ids        : {}
name                : vcn8124626_igw

So the 1002 priority rule should and does allow this, I verified by 
recreating the rule with severity
debug:
2021-01-08T18:23:08.825Z|00106|acl_log(ovn_pinctrl0)|INFO|name="ls_vcn8124626_external_igw-3", 
verdict=allow, severity=debug: 
tcp,vlan_tci=0x0000,dl_src=00:13:97:9a:ff:71,dl_dst=00:00:0c:07:ac:01,nw_src=10.68.50.38,nw_dst=10.68.48.206,nw_tos=0,nw_ecn=0,nw_ttl=62,tp_src=37132,tp_dst=22,tcp_flags=syn

Yet, when I do a trace it says that the pkt is dropped by the 1001 rule 
above:
ingress(dp="lr_vcn8124626_igw", 
inport="lr_vcn8124626_igw-lsb_vcn8124626_igw")
------------------------------------------------------------------------------
  0. lr_in_admission (ovn-northd.c:7854): eth.dst == 00:13:97:44:35:c5 
&& inport == "lr_vcn8124626_igw-lsb_vcn8124626_igw", priority 50, uuid 
af2b728a
     next;
  1. lr_in_lookup_neighbor (ovn-northd.c:7903): 1, priority 0, uuid 3a491137
     reg9[3] = 1;
     next;
  2. lr_in_learn_neighbor (ovn-northd.c:7909): reg9[3] == 1 || reg9[2] 
== 1, priority 100, uuid cbcc1aad
     next;
  9. lr_in_ip_routing (ovn-northd.c:7508): ip4.dst == 0.0.0.0/0, 
priority 1, uuid a1a4b2dd
     ip.ttl--;
     reg8[0..15] = 0;
     reg0 = 253.255.0.1;
     reg1 = 253.255.80.20;
     eth.src = 00:13:97:9a:ff:71;
     outport = "lr_vcn8124626_igw-ls_vcn8124626_external_igw";
     flags.loopback = 1;
     next;
10. lr_in_ip_routing_ecmp (ovn-northd.c:9392): reg8[0..15] == 0, 
priority 150, uuid b0ccc5db
     next;
12. lr_in_arp_resolve (ovn-northd.c:9859): ip4, priority 0, uuid 08c7cc77
     get_arp(outport, reg0);
     /* MAC binding to 00:00:0c:07:ac:01. */
     next;
15. lr_in_gw_redirect (ovn-northd.c:9978): outport == 
"lr_vcn8124626_igw-ls_vcn8124626_external_igw", priority 50, uuid cf2e8dc7
     outport = "cr-lr_vcn8124626_igw-ls_vcn8124626_external_igw";
     next;
16. lr_in_arp_request (ovn-northd.c:10059): 1, priority 0, uuid d815320c
     output;
     /* Replacing type "chassisredirect" outport 
"cr-lr_vcn8124626_igw-ls_vcn8124626_external_igw" with distributed port 
"lr_vcn8124626_igw-ls_vcn8124626_external_igw". */

egress(dp="lr_vcn8124626_igw", 
inport="lr_vcn8124626_igw-lsb_vcn8124626_igw", 
outport="lr_vcn8124626_igw-ls_vcn8124626_external_igw")
-------------------------------------------------------------------------------------------------------------------------------------
  3. lr_out_delivery (ovn-northd.c:10105): outport == 
"lr_vcn8124626_igw-ls_vcn8124626_external_igw", priority 100, uuid 93cfd886
     output;
     /* output to "lr_vcn8124626_igw-ls_vcn8124626_external_igw", type 
"patch" */

ingress(dp="ls_vcn8124626_external_igw", 
inport="ls_vcn8124626_external_igw-lr_vcn8124626_igw")
-----------------------------------------------------------------------------------------------
  0. ls_in_port_sec_l2 (ovn-northd.c:4505): inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw", priority 50, uuid b9322886
     next;
  3. ls_in_pre_acl (ovn-northd.c:4646): ip && inport == 
"ls_vcn8124626_external_igw-lr_vcn8124626_igw", priority 110, uuid 511a04ba
     next;
19. ls_in_l2_lkup (ovn-northd.c:6893): 1, priority 0, uuid 7f03d594
     outport = "_MC_unknown";
     output;

multicast(dp="ls_vcn8124626_external_igw", mcgroup="_MC_unknown")
-----------------------------------------------------------------

     egress(dp="ls_vcn8124626_external_igw", 
inport="ls_vcn8124626_external_igw-lr_vcn8124626_igw", 
outport="ln-ls_vcn8124626_external_igw")
---------------------------------------------------------------------------------------------------------------------------------------
          1. ls_out_pre_acl (ovn-northd.c:4667): ip && outport == 
"ln-ls_vcn8124626_external_igw", priority 110, uuid 28eefe23
             next;
          4. ls_out_acl (ovn-northd.c:5132): ct.est && ct_label.blocked 
== 0 && (inport == "ls_vcn8124626_external_igw-lr_vcn8124626_igw" && 
ip), priority 2001, uuid 091b3960
             ct_commit(ct_label=0x1/0x1);

Odd?

Brendan

More information about the discuss mailing list