On 12/17/25 12:09 PM, Xie Liu wrote:
> Consider the case of a stateful firewall for N-S traffic:
>
> PUBLIC---S1-(S1-R1)---------(R1-S1)-R1 -------- S2 ---- VM1
>
> Configuration:
>
> ovn-nbctl pg-add pg_dgw
> ovn-nbctl pg-set-ports pg_dgw S1-R1
> ovn-nbctl acl-add pg_dgw from-lport 2000 "inport == @pg_dgw && ip4 && icmp4" allow-related
> ovn-nbctl acl-add pg_dgw from-lport 1000 "inport == @pg_dgw && ip4" drop
> ovn-nbctl acl-add pg_dgw to-lport 1000 "outport == @pg_dgw && ip4" drop
> ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 enable_router_port_acl=true
>
> VM1 pings the external network.
>
> Through this patch[1], the ovn-controller assigned a CT zone ID
> to the localnet LSP but not the dgw LSP.
>
> This caused ACL failures: ICMP reply packets from external networks
> performed CT lookups in the wrong zone, couldn't match established
> connections, and were incorrectly dropped.
>
> This commit enables CT zone allocation for patch ports that correspond
> to router gateway ports when enable_router_port_acl=true is set.
>
> Changes:
> - northd: Add enable-router-port-acl option to southbound port binding
> - binding: Handle patch port CT zone requirements in local_lports
> - controller: Add/Delete CT zone for patch ports enabled/disabled ACL
>
> [1] https://github.com/ovn-org/ovn/commit/5ae7d2cb60a50541e88e8f5c74a669e2aa7acdda
>
> Reported-at: https://github.com/ovn-org/ovn/issues/264
> Signed-off-by: Xie Liu <[email protected]>
> Signed-off-by: Dumitru Ceara <[email protected]>
> (cherry picked from commit 4ff608e9179ed85dd7031e820be7d03d479ef6b2)
> ---
Hi Xie Liu,

Thanks for the backport, applied to 24.09.

Regards,
Dumitru

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
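A practitioner who picks up this backport will want to confirm on the chassis that the gateway patch port (S1-R1 in the quoted topology) now actually gets a conntrack zone, since the failure described above is invisible in the NB/SB databases and shows up only as dropped replies. The script below is an added example, not code from the OVN patch or from either poster. It parses the output of `ovn-appctl -t ovn-controller ct-zone-list`; the assumed output layout (one `<port-name> <zone-id>` pair per line) is an assumption, as is the localnet port name `ln-public`, which the quoted message never names. The zone ids in the embedded sample are constructed, not captured from a real chassis.

```shell
#!/bin/sh
# Added example, not part of the OVN patch or the mailing-list thread.
# Checks that both ports a N-S flow traverses (the localnet LSP and the
# distributed gateway port's patch port) have a CT zone assigned, which is
# the condition the backport above restores for enable_router_port_acl=true.
#
# ASSUMPTION: `ovn-appctl -t ovn-controller ct-zone-list` prints one
# "<port-name> <zone-id>" pair per line. Verify against your ovn-controller
# version before relying on this parser.

# ct_zone_for_port NAME   (ct-zone-list output on stdin)
# Prints NAME's zone id; exit status 1 if NAME has no zone at all.
ct_zone_for_port() {
    awk -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# check_ns_zones LOCALNET_PORT GW_PORT   (ct-zone-list output on stdin)
# Succeeds only when both ports have a zone. A missing zone on either side
# means request and reply would be looked up in different zones, so
# allow-related can never see the reply as part of an established flow.
check_ns_zones() {
    out=$(cat)
    ln=$(printf '%s\n' "$out" | ct_zone_for_port "$1") \
        || { echo "missing CT zone for localnet port $1"; return 1; }
    gw=$(printf '%s\n' "$out" | ct_zone_for_port "$2") \
        || { echo "missing CT zone for gateway patch port $2"; return 1; }
    echo "ok: localnet $1 zone $ln, gateway $2 zone $gw"
}

# Constructed sample outputs in the assumed format (zone ids are arbitrary).
# Before the fix only the localnet LSP had a zone; after it, the dgw patch
# port S1-R1 has one too.
CT_ZONES_BEFORE_FIX='ln-public 3'
CT_ZONES_AFTER_FIX='ln-public 3
S1-R1 5'

# Offline demonstration against the constructed samples.
printf '%s\n' "$CT_ZONES_BEFORE_FIX" | check_ns_zones ln-public S1-R1 \
    || echo "pre-fix state: external ICMP replies would miss the CT entry"
printf '%s\n' "$CT_ZONES_AFTER_FIX" | check_ns_zones ln-public S1-R1

# Live check on a chassis (names are deployment specific):
#   ovn-appctl -t ovn-controller ct-zone-list | check_ns_zones <localnet-lsp> <dgw-lsp>
if [ "${1-}" = "--live" ] && command -v ovn-appctl >/dev/null 2>&1; then
    ovn-appctl -t ovn-controller ct-zone-list | check_ns_zones "$2" "$3"
fi
```

Run it with `--live <localnet-lsp> <dgw-lsp>` on the chassis hosting the gateway port after upgrading to a release that carries the backport; a non-zero exit from `check_ns_zones` reproduces the pre-fix condition in which the localnet port has a zone and the gateway patch port does not.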
