On 4/14/23 23:12, Ihar Hrachyshka wrote: > When setting flows for LS, OVN distinguishes between two states: where > there’s a stateful ACL present in its list (has_stateful == true *) > and when it’s missing (all ACLs are stateless). > > When has_stateful == true, the following is done (among other things): > - ct handling flows are set; > - they are omitted by a higher priority flow for “service” protocols: > NA, RA, MLD. > > The latter is done because of a known issue in kernel ct > implementation for the protocols: > > * https://bugzilla.kernel.org/show_bug.cgi?id=11797 > > The assumption is that by default OVN allows all traffic unless > explicitly forbidden, so omitting ct flows only avoids ct machinery > but doesn't affect functional behavior of flow tables for the > protocols. > > But if an ACL that forbids these protocols is configured, because of > the ct omittance, this ACL is not in effect. (But only when > has_stateful == true.) > > This behavior results in inconsistent and confusing behavior in > OpenStack Neutron where > > (1) the default security group behavior is drop all IP traffic > (achieved with default "drop" Port_Group); and > (2) ports that have stateful and stateless ACLs configured can > co-exist in the same network. > > In which case, depending on other "stateful" ports present in the > network, "stateless" ports may or may not observe RA / NA / MLD > traffic. Which affects their IPv6 address configuration. > > In this patch, I suggest that we don't make RA / NA / MLD behavior > dependent on whether "stateful" ACLs are present. Instead, make the > protocols always allowed, regardless of ACLs configured (whether > stateful ACLs or ACLs that forbid packets of these protocols). > > Note: an argument can be made that the same "always-on" behavior > should be guaranteed for ARP protocol that serves a similar goal in a > IPv4 network as RA / NA do for IPv6 networks. This scenario is not > directly related to the inconsistency between "purely stateless" and > "mixed-stateful" networks and hence is left for a follow-up patch. > > Note: this patch carries a test case that utilizes scapy tool to > construct packets for the protocols under test. A proper backport may > demand backporting scapy related patches too. > > Reported-At: https://bugs.launchpad.net/neutron/+bug/2006949 > Reported-At: https://bugzilla.redhat.com/show_bug.cgi?id=2149731 > Signed-off-by: Ihar Hrachyshka <ihrac...@redhat.com> > --- > v1: initial version. > v2: remove debug ov?-*ctl commands from the new test case. > v2: adjust failing test cases that didn't expect new flows. > v3: add always-on flow for S_SWITCH_IN_ACL_AFTER_LB stage too. > v3: adjust acls used in test case to include --apply-after-lb. > v3: update more test cases that match the list of flows against > expected. > v4: added missing 'check' prefixes for test case ctl commands. > v5: fixed a test failure due to a typo in v4. > ---
Thanks, Ihar! I applied this to main and backported it to all stable branches down to 22.03. I also had to cherry pick b84b89664974 ("nbctl: Display "apply-after-lb" information when listing ACLs.") to branches <= 22.12 to prevent the new test case from failing. _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev