On 11/08/2022 00:51, Numan Siddique wrote:
On Tue, Aug 9, 2022 at 6:37 PM Brendan Doyle <brendan.do...@oracle.com> wrote:


On 09/08/2022 03:14, Numan Siddique wrote:
On Mon, Aug 8, 2022 at 7:39 PM Brendan Doyle<brendan.do...@oracle.com>  wrote:
Did not see a response, so sending again. Am I missing something here, or is it a bug?

Thanks
Brendan

On 28/07/2022 19:53, Brendan Doyle wrote:

UDP stateful ACL not working? The logical representation of my network is shown below
('ovn-nbctl show' shown towards the end). I have a Port Group (pg_vcn3_net1_sl3) that has
two ports in it, the VM port on switch (ls_vcn3_net1) and lsb_vcn4_stgw-lr_vcn3_stgw on
switch (ls_vcn3_backbone), as shown below ((o)).
The port 'lsb_vcn4_stgw-lr_vcn3_stgw' is a router port, right? (i.e.
it is a patch port connecting to the lr_vcn3_stgw router.)
Yes it is.
If the inport or outport is a router port, ovn-northd adds the flows
to skip the conntrack.
Why? And is there a way around it, bar adding a switch between
ls_vcn3_backbone and lr_vcn3_stgw:

       +-----------------------------+
       |      ls_vcn3_backbone       |
       +--------((O))----------------+
                  | lsb_vcn4_stgw-lr_vcn3_stgw in PG pg_vcn3_net1_sl3
                  |
       +-----------------------------+
       |      ls_vcn3_gw_join        | <<-- New switch just so ACLs on lsb_vcn4_stgw-lr_vcn3_stgw get applied
       +-----------------------------+
                  |
                  | lr_vcn3_stgw-lsb_vcn3_stgw (253.255.25.10/25)
          /---------------\
         ( lr_vcn3_stgw  ) SNAT 192.16.1.6 to 253.255.80.8
          \---------------/


The problem I have is that lr_vcn3_stgw provides access to an NFS server in the
underlay, but that NFS server is "made available" at an IP in the overlay by
having ls_vcn3_net1 do proxy ARP for the overlay NFS server IP address.

I need the NFS server to be in the same Port Group that is created for all
IPs in the subnet associated with ls_vcn3_net1/lr_vcn3_net1, as if it were
on a VM directly connected to ls_vcn3_net1.

I don't think there is a workaround and we may have to add this
support in ovn-northd.
OK, so I did not see a Request for Enhancement procedure for OVN, just
one for filing bugs, so I guess I should just take that path. I thought a possible
workaround would be to add a switch as follows:

       +-----------------------------+
       |      ls_vcn3_backbone       |
       +--------((O))----------------+
                  | lsb_vcn3_stgw-ls_ls_vcn3_gw_join (in PG pg_vcn3_net1_sl3)
                  |
                  | ls_vcn3_gw_join-lsb_vcn3_stgw
       +-----------------------------+
       |      ls_vcn3_gw_join        | <<-- New switch just so ACLs on lsb_vcn3_stgw-ls_ls_vcn3_gw_join get applied
       +-----------------------------+
                  | ls_vcn3_gw_join-lr_vcn3_stgw
                  |
                  | lr_vcn3_stgw-ls_vcn3_gw_join (253.255.25.10/25)
          /---------------\
         ( lr_vcn3_stgw  ) SNAT 192.16.1.6 to 253.255.80.8
          \---------------/

But I don't see how that can be done in OVN. I don't see how we
can "connect" switch ports to other switch ports. I see the lsp-add
command does have an option to specify a 'parent', but reading the
man page it seems this must be used in conjunction with a VLAN
tag, so I could not do something like:

ovn-nbctl lsp-add ls_vcn3_gw_join ls_vcn3_gw_join-lsb_vcn3_stgw ls_vcn3_backbone

Brendan.


ACLs are generally applied to VIF ports, and I think that's why it was
skipped for router ports.
If we have to add the support, this should be carefully designed and
tested thoroughly, as this may incur additional conntrack recirculations
and may even break hardware offloading.

Thanks
Numan

Thanks

Brendan



Thanks
Numan

I do a 'showmount -e 192.16.1.106' in the VM. I see the pkt go out from the VM and
get to the NFS server on the underlay, see the reply on the underlay, and then I see
my PG ACL drop the pkt.

The ACLs are:

Egress From VM - Ingress to switch
-----------------------------------
from-lport 32767 (inport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg_vcn3_net1_sl3 && ip4.dst == 192.16.1.0/24 && udp.dst == 111) allow-related
from-lport     0 (inport == @pg_vcn3_net1_sl3) drop log(name=fss-8,severity=debug)   <------- Drops the return pkt

Ingress TO VM - Egress from switch
------------------------------------
    to-lport 32767 (outport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 111) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 20048) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && udp.dst == 111) allow-related   <------- But this should have allowed the return pkt
    to-lport     0 (outport == @pg_vcn3_net1_sl3) drop log(name=fss-17,severity=debug)


          +----------------+
          |       VM       |
          | 192.16.1.6     |
          +-----((O))------+
                  | 284195d2-9280-4334-900e-571ecd00327a in PG pg_vcn3_net1_sl3
        +---------------------+
        |    ls_vcn3_net1     |
        +---------------------+
                  | ls_vcn3_net1-lr_vcn3_net1 (proxy ARP for 192.16.1.106)
                  |
                  | lr_vcn3_net1-ls_vcn3_net1 (192.16.1.1/24)
            /------------\
           ( lr_vcn3_net1 )
            \------------/
                  | lr_vcn3_net1-lsb_vcn3_net1 (253.255.25.1/25)
                  |
                  |
                  | lsb_vcn3_net1-lr_vcn3_net1
       +------------------------+
       |   ls_vcn3_backbone     |
       +--------((O))-----------+
                  | lsb_vcn4_stgw-lr_vcn3_stgw in PG pg_vcn3_net1_sl3
                  |
                  |
                  | lr_vcn3_stgw-lsb_vcn3_stgw (253.255.25.10/25)
           /------------\
          ( lr_vcn3_stgw ) SNAT 192.16.1.6 to 253.255.80.8
           \------------/
                  | lr_vcn3_stgw-ls_vcn3_external_stgw (253.255.80.20/16)
                  |
                  |
                  | ls_vcn3_external_stgw-lr_vcn3_stgw
        +-----------------------+
        | ls_vcn3_external_stgw |
        +-----------------------+
                  | ln-ls_vcn3_external_stgw
                  |   (localnet)
                  |
             +---------+
             | br-ext  | Physical OVS on chassis
             +---------+
                  |      Egress : Change dst 192.16.1.106 to dst 253.255.0.2
                  |      Ingress: Change src 253.255.0.2 to 192.16.1.106
                  |      253.255.0.0/16
                  |
           +---------------+
           |  NFS server   |
           | 253.255.0.2   |
           +---------------+

When I do a trace of the outgoing pkt, it looks to me like there is no conntrack
established in ls_vcn3_backbone, so it does not recognize the return pkt as a
return, but the 'allow-related' should have established that. See below.


ovn-trace --detailed ls_vcn3_net1 'inport == "284195d2-9280-4334-900e-571ecd00327a" && eth.dst == 40:44:00:00:00:90 
&& eth.src == 52:54:00:02:55:96 && ip4.src == 192.16.1.6 && ip4.dst == 192.16.1.106 && ip.ttl == 64 
&& udp.dst == 111'
# 
udp,reg14=0x1,vlan_tci=0x0000,dl_src=52:54:00:02:55:96,dl_dst=40:44:00:00:00:90,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=111

ingress(dp="ls_vcn3_net1", inport="284195")
-------------------------------------------
   0. ls_in_port_sec_l2 (northd.c:5493): inport == "284195", priority 50, uuid 
0b9563aa
      next;
   5. ls_in_pre_acl (northd.c:5753): ip, priority 100, uuid fad1d4d2
      reg0[0] = 1;
      next;
   7. ls_in_pre_stateful (northd.c:5937): reg0[0] == 1, priority 100, uuid 
0bb84a55
      ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */) <----- Looks like we set up conntrack on ls_vcn3_net1
---------------------------------------------------------------
   8. ls_in_acl_hint (northd.c:6019): !ct.new && ct.est && !ct.rpl && 
ct_label.blocked == 0, priority 4, uuid 2712c6a2
      reg0[8] = 1;
      reg0[10] = 1;
      next;
   9. ls_in_acl (northd.c:6244): reg0[8] == 1 && (inport == @pg_vcn3_net1_sl3 && 
ip4.dst == 192.16.1.0/24 && udp.dst == 111), priority 28000, uuid aff2df9c
      next;
22. ls_in_l2_lkup (northd.c:8218): eth.dst == 40:44:00:00:00:90, priority 50, 
uuid 9b0ee70d
      outport = "ls_vcn3_net1-lr_vcn3_net1";
      output;

egress(dp="ls_vcn3_net1", inport="284195", outport="ls_vcn3_net1-lr_vcn3_net1")
-------------------------------------------------------------------------------
   0. ls_out_pre_lb (northd.c:5643): ip && outport == 
"ls_vcn3_net1-lr_vcn3_net1", priority 110, uuid d8ef0aac
      next;
   1. ls_out_pre_acl (northd.c:5643): ip && outport == 
"ls_vcn3_net1-lr_vcn3_net1", priority 110, uuid d5cd7965
      next;
   3. ls_out_acl_hint (northd.c:6019): !ct.new && ct.est && !ct.rpl && 
ct_label.blocked == 0, priority 4, uuid 930df986
      reg0[8] = 1;
      reg0[10] = 1;
      next;
   9. ls_out_port_sec_l2 (northd.c:5591): outport == 
"ls_vcn3_net1-lr_vcn3_net1", priority 50, uuid 56148a7c
      output;
      /* output to "ls_vcn3_net1-lr_vcn3_net1", type "patch" */

ingress(dp="lr_vcn3_net1", inport="lr_vcn3_net1-ls_vcn3_net1")
--------------------------------------------------------------
   0. lr_in_admission (northd.c:10519): eth.dst == 40:44:00:00:00:90 && inport == 
"lr_vcn3_net1-ls_vcn3_net1", priority 50, uuid 08eee924
      xreg0[0..47] = 40:44:00:00:00:90;
      next;
   1. lr_in_lookup_neighbor (northd.c:10662): 1, priority 0, uuid d3159b2b
      reg9[2] = 1;
      next;
   2. lr_in_learn_neighbor (northd.c:10671): reg9[2] == 1, priority 100, uuid 
bef4eddc
      next;
10. lr_in_ip_routing_pre (northd.c:10905): 1, priority 0, uuid c7269d9a
      reg7 = 0;
      next;
11. lr_in_ip_routing (northd.c:9435): ip4.dst == 192.16.1.0/24, priority 74, 
uuid a571523c
      ip.ttl--;
      reg8[0..15] = 0;
      reg0 = ip4.dst;
      reg1 = 192.16.1.1;
      eth.src = 40:44:00:00:00:90;
      outport = "lr_vcn3_net1-ls_vcn3_net1";
      flags.loopback = 1;
      next;
12. lr_in_ip_routing_ecmp (northd.c:10980): reg8[0..15] == 0, priority 150, 
uuid 5aa40905
      next;
13. lr_in_policy (northd.c:8667): ip4.dst == 192.16.1.106, priority 100, uuid 
fe728a63
      reg0 = 253.255.25.10;
      reg1 = 253.255.25.1;
      eth.src = 40:44:00:00:00:a0;
      outport = "lr_vcn3_net1-lsb_vcn3_net1";
      flags.loopback = 1;
      reg8[0..15] = 0;
      next;
14. lr_in_policy_ecmp (northd.c:11115): reg8[0..15] == 0, priority 150, uuid 
3f7c2e78
      next;
15. lr_in_arp_resolve (northd.c:11503): outport == "lr_vcn3_net1-lsb_vcn3_net1" 
&& reg0 == 253.255.25.10, priority 100, uuid 8274aa30
      eth.dst = 40:44:00:00:05:00;
      next;
19. lr_in_arp_request (northd.c:11795): 1, priority 0, uuid 27c79d22
      output;

egress(dp="lr_vcn3_net1", inport="lr_vcn3_net1-ls_vcn3_net1", 
outport="lr_vcn3_net1-lsb_vcn3_net1")
---------------------------------------------------------------------------------------------------
   0. lr_out_chk_dnat_local (northd.c:13021): 1, priority 0, uuid 60605710
      reg9[4] = 0;
      next;
   6. lr_out_delivery (northd.c:11843): outport == 
"lr_vcn3_net1-lsb_vcn3_net1", priority 100, uuid 0ca6195d
      output;
      /* output to "lr_vcn3_net1-lsb_vcn3_net1", type "patch" */

ingress(dp="ls_vcn3_backbone", inport="lsb_vcn3_net1-lr_vcn3_net1")
-------------------------------------------------------------------
   0. ls_in_port_sec_l2 (northd.c:5493): inport == 
"lsb_vcn3_net1-lr_vcn3_net1", priority 50, uuid b32ddca1
      next;
   5. ls_in_pre_acl (northd.c:5640): ip && inport == 
"lsb_vcn3_net1-lr_vcn3_net1", priority 110, uuid ba4adcd0
      next;
   6. ls_in_pre_lb (northd.c:5640): ip && inport == 
"lsb_vcn3_net1-lr_vcn3_net1", priority 110, uuid d1a8a9c5
      next;
   8. ls_in_acl_hint (northd.c:6019): !ct.new && ct.est && !ct.rpl && 
ct_label.blocked == 0, priority 4, uuid 2712c6a2
      reg0[8] = 1;
      reg0[10] = 1;
      next;
22. ls_in_l2_lkup (northd.c:8289): eth.dst == 40:44:00:00:05:00, priority 50, 
uuid cc11ddc9
      outport = "lsb_vcn3_stgw-lr_vcn3_stgw";
      output;

egress(dp="ls_vcn3_backbone", inport="lsb_vcn3_net1-lr_vcn3_net1", 
outport="lsb_vcn3_stgw-lr_vcn3_stgw") <--- Does not look like any conntrack is established on the switch.
--------------------------------------------------------------------------------------------------------
   0. ls_out_pre_lb (northd.c:5643): ip && outport == 
"lsb_vcn3_stgw-lr_vcn3_stgw", priority 110, uuid e2f6ec8c
      next;
   1. ls_out_pre_acl (northd.c:5643): ip && outport == 
"lsb_vcn3_stgw-lr_vcn3_stgw", priority 110, uuid a79ed7f1
      next;
   3. ls_out_acl_hint (northd.c:6019): !ct.new && ct.est && !ct.rpl && 
ct_label.blocked == 0, priority 4, uuid 930df986
      reg0[8] = 1;
      reg0[10] = 1;
      next;
   4. ls_out_acl (northd.c:6244): reg0[8] == 1 && (outport == @pg_vcn3_net1_sl3 && 
ip4.src == 192.16.1.0/24 && udp.dst == 111), priority 28000, uuid 159ff341
      next;
   9. ls_out_port_sec_l2 (northd.c:5591): outport == 
"lsb_vcn3_stgw-lr_vcn3_stgw", priority 50, uuid b6d24444
      output;
      /* output to "lsb_vcn3_stgw-lr_vcn3_stgw", type "patch" */

ingress(dp="lr_vcn3_stgw", inport="lr_vcn3_stgw-lsb_vcn3_stgw")
---------------------------------------------------------------
   0. lr_in_admission (northd.c:10519): eth.dst == 40:44:00:00:05:00 && inport == 
"lr_vcn3_stgw-lsb_vcn3_stgw", priority 50, uuid 6bbbb2f9
      xreg0[0..47] = 40:44:00:00:05:00;
      next;
   1. lr_in_lookup_neighbor (northd.c:10662): 1, priority 0, uuid d3159b2b
      reg9[2] = 1;
      next;
   2. lr_in_learn_neighbor (northd.c:10671): reg9[2] == 1, priority 100, uuid 
bef4eddc
      next;
10. lr_in_ip_routing_pre (northd.c:10905): 1, priority 0, uuid c7269d9a
      reg7 = 0;
      next;
11. lr_in_ip_routing (northd.c:9435): reg7 == 0 && ip4.dst == 192.16.0.0/16, 
priority 49, uuid 4bb6bae4
      ip.ttl--;
      reg8[0..15] = 0;
      reg0 = 253.255.25.1;
      reg1 = 253.255.25.10;
      eth.src = 40:44:00:00:05:00;
      outport = "lr_vcn3_stgw-lsb_vcn3_stgw";
      flags.loopback = 1;
      next;
12. lr_in_ip_routing_ecmp (northd.c:10980): reg8[0..15] == 0, priority 150, 
uuid 5aa40905
      next;
13. lr_in_policy (northd.c:8667): ip4.dst == 192.16.1.106, priority 100, uuid 
1fbe521c
      reg0 = 253.255.0.2;
      reg1 = 253.255.80.20;
      eth.src = 40:44:00:00:05:01;
      outport = "lr_vcn3_stgw-ls_vcn3_external_stgw";
      flags.loopback = 1;
      reg8[0..15] = 0;
      next;
14. lr_in_policy_ecmp (northd.c:11115): reg8[0..15] == 0, priority 150, uuid 
3f7c2e78
      next;
15. lr_in_arp_resolve (northd.c:11149): ip4, priority 0, uuid 8070025f
      get_arp(outport, reg0);
      /* MAC binding to 98:03:9b:59:af:24. */
      next;
18. lr_in_gw_redirect (northd.c:11716): outport == 
"lr_vcn3_stgw-ls_vcn3_external_stgw", priority 50, uuid 7a07c64e
      outport = "cr-lr_vcn3_stgw-ls_vcn3_external_stgw";
      next;
19. lr_in_arp_request (northd.c:11795): 1, priority 0, uuid 27c79d22
      output;
      /* Replacing type "chassisredirect" outport "cr-lr_vcn3_stgw-ls_vcn3_external_stgw" 
with distributed port "lr_vcn3_stgw-ls_vcn3_external_stgw". */

egress(dp="lr_vcn3_stgw", inport="lr_vcn3_stgw-lsb_vcn3_stgw", 
outport="lr_vcn3_stgw-ls_vcn3_external_stgw")
------------------------------------------------------------------------------------------------------------
   0. lr_out_chk_dnat_local (northd.c:13021): 1, priority 0, uuid 60605710
      reg9[4] = 0;
      next;
   3. lr_out_snat (northd.c:12774): ip && ip4.src == 192.16.1.6 && outport == 
"lr_vcn3_stgw-ls_vcn3_external_stgw" && 
is_chassis_resident("cr-lr_vcn3_stgw-ls_vcn3_external_stgw"), priority 161, uuid a6cc7e3c
      ct_snat_in_czone(253.255.80.8);

ct_snatin_czone(ip4.src=253.255.80.8)
-------------------------------------
   6. lr_out_delivery (northd.c:11843): outport == 
"lr_vcn3_stgw-ls_vcn3_external_stgw", priority 100, uuid 5b43ad83
      output;
      /* output to "lr_vcn3_stgw-ls_vcn3_external_stgw", type "patch" */

ingress(dp="ls_vcn3_external_stgw", inport="ls_vcn3_external_stgw-lr_vcn3_stgw")
--------------------------------------------------------------------------------
   0. ls_in_port_sec_l2 (northd.c:5493): inport == 
"ls_vcn3_external_stgw-lr_vcn3_stgw", priority 50, uuid 311f5f1a
      next;
   6. ls_in_pre_lb (northd.c:5640): ip && inport == 
"ls_vcn3_external_stgw-lr_vcn3_stgw", priority 110, uuid f122a239
      next;
22. ls_in_l2_lkup (northd.c:7494): 1, priority 0, uuid 0432699a
      outport = get_fdb(eth.dst);
      next;
23. ls_in_l2_unknown (northd.c:7499): outport == "none", priority 50, uuid 
c66c5cf1
      outport = "_MC_unknown";
      output;

multicast(dp="ls_vcn3_external_stgw", mcgroup="_MC_unknown")
------------------------------------------------------------

      egress(dp="ls_vcn3_external_stgw", inport="ls_vcn3_external_stgw-lr_vcn3_stgw", 
outport="ln-ls_vcn3_external_stgw")
      
-------------------------------------------------------------------------------------------------------------------
           0. ls_out_pre_lb (northd.c:5643): ip && outport == 
"ln-ls_vcn3_external_stgw", priority 110, uuid 9e2e1e50
              next;
           9. ls_out_port_sec_l2 (northd.c:5591): outport == 
"ln-ls_vcn3_external_stgw", priority 50, uuid 33e53686
              output;
              /* output to "ln-ls_vcn3_external_stgw", type "localnet" */




More Details on the config
============================

lr_vcn3_stgw
=============
Routing Tables
---------------
192.16.0.0/16              253.255.25.1 dst-ip lr_vcn3_stgw-lsb_vcn3_stgw
    0.0.0.0/0               253.255.0.2 dst-ip lr_vcn3_stgw-ls_vcn3_external_stgw

Policy Routing
--------------
100  ip4.dst == 192.16.1.106  reroute 253.255.0.2

lr_vcn3_net1
============

Policy Routing
--------------
100  ip4.dst == 192.16.1.106  reroute 253.255.25.10

br-ext flows
=============
priority=1013,ip,in_port=216,nw_dst=192.16.1.106 actions=mod_nw_dst:253.255.0.2,output:1
priority=913,ip,in_port=1,nw_src=253.255.0.2,nw_dst=253.255.80.8 actions=mod_nw_src:192.16.1.106,output:216




Failing ACLs - that Should Work
=================================
ovn-nbctl list Port_Group
_uuid               : a4de7036-896e-4e54-a466-8a44f9a87960
acls                : [1d2e36f9-47ca-4e8a-a0c6-587df26f0f3e, 44a4c403-ac29-4579-a771-0963d1f1fc4a,
                       bad8f976-a87d-47e4-805b-a3bf8057bed8, c7655e9a-9eb8-48fc-8d25-6ca17d303e28,
                       ce002242-457b-48e8-b40f-77419cee43fb, dd9bbafd-2e91-42bd-b1ad-df11b71850fe,
                       fc345e12-bfaf-498b-a011-bc4eeba31670, fc6b6c71-6171-43d1-ba97-3e5e1a43065c]
external_ids        : {}
name                : pg_vcn3_net1_sl3
ports               : [306e0eab-6b23-405c-a38c-918c1b2e795d, f8819747-84cf-4019-9028-690dff014bc1]


ovn-nbctl lsp-list ls_vcn3_backbone | grep stgw
306e0eab-6b23-405c-a38c-918c1b2e795d (lsb_vcn3_stgw-lr_vcn3_stgw)

ovn-nbctl lsp-list ls_vcn3_net1
f8819747-84cf-4019-9028-690dff014bc1 (284195d2-9280-4334-900e-571ecd00327a)
295f1e55-a9e5-42f9-bb8c-a679bcfa084d (ls_vcn3_net1-lr_vcn3_net1)


ovn-nbctl acl-list pg_vcn3_net1_sl3
=====================================
Egress From VM - Ingress to switch
-----------------------------------
from-lport 32767 (inport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg_vcn3_net1_sl3 && ip4.dst == 192.16.1.0/24 && udp.dst == 111) allow-related
from-lport     0 (inport == @pg_vcn3_net1_sl3) drop log(name=fss-8,severity=debug)   <------- Drops

Ingress TO VM - Egress from switch
------------------------------------
    to-lport 32767 (outport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 111) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 20048) allow-related
    to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && udp.dst == 111) allow-related   <------- But this should have allowed the return pkt
    to-lport     0 (outport == @pg_vcn3_net1_sl3) drop log(name=fss-17,severity=debug)

Drop Message
=============
name="fss-8", verdict=drop, 
udp,dl_src=40:44:00:00:05:00,dl_dst=40:44:00:00:00:a0,nw_src=192.16.1.106,nw_dst=192.16.1.6,tp_src=111,tp_dst=755

tcpdump on VM
--------------
52:54:00:02:55:96 > 40:44:00:00:00:90, ethertype IPv4, proto UDP (17)
      192.16.1.6.755 > 192.16.1.106.111


tcpdump on underlay NFS Server
------------------------------
40:44:00:00:05:01 > 98:03:9b:59:af:24, ethertype IPv4, proto UDP (17)
      253.255.80.8.755 > 253.255.0.2.111:

98:03:9b:59:af:24 > 40:44:00:00:05:01, ethertype IPv4, proto UDP (17)
      253.255.0.2.111 > 253.255.80.8.755:



ovn-nbctl show
===============
switch 18e9d8e6-1cbc-4d4f-afc1-caec9aecf569 (ls_vcn3_net1)
      port 284195d2-9280-4334-900e-571ecd00327a
          addresses: ["52:54:00:02:55:96 192.16.1.6"]
      port ls_vcn3_net1-lr_vcn3_net1
          type: router
          addresses: ["40:44:00:00:00:90"]
          router-port: lr_vcn3_net1-ls_vcn3_net1


switch 7f43d2e4-f146-40d9-8be5-a7b75b319e75 (ls_vcn3_backbone)
      port lsb_vcn3_net1-lr_vcn3_net1
          type: router
          router-port: lr_vcn3_net1-lsb_vcn3_net1
      port lsb_vcn3_stgw-lr_vcn3_stgw
          type: router
          router-port: lr_vcn3_stgw-lsb_vcn3_stgw


switch a8e0c8fe-872d-4bfc-bdd9-90063a196603 (ls_vcn3_external_stgw)
      port ls_vcn3_external_stgw-lr_vcn3_stgw
          type: router
          router-port: lr_vcn3_stgw-ls_vcn3_external_stgw
      port ln-ls_vcn3_external_stgw
          type: localnet
          addresses: ["unknown"]

router 10f1c098-e5cc-4f85-b8a1-33c49356fd1c (lr_vcn3_net1)
      port lr_vcn3_net1-ls_vcn3_net1
          mac: "40:44:00:00:00:90"
          networks: ["192.16.1.1/24"]
      port lr_vcn3_net1-lsb_vcn3_net1
          mac: "40:44:00:00:00:a0"
          networks: ["253.255.25.1/25"]

router a63b3879-b694-45c5-ac97-75df53b5ca66 (lr_vcn3_stgw)
      port lr_vcn3_stgw-lsb_vcn3_stgw
          mac: "40:44:00:00:05:00"
          networks: ["253.255.25.10/25"]
      port lr_vcn3_stgw-ls_vcn3_external_stgw
          mac: "40:44:00:00:05:01"
          networks: ["253.255.80.20/16", "253.255.80.8/16"]
          gateway chassis: [sca15-rain06 sca15-rain17 sca15-rain05]
      nat 909bf813-7f7e-4eea-b460-5261529fcd5d
          external ip: "253.255.80.8"
          logical ip: "192.16.1.6"
          type: "snat"

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
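The thread's conclusion is that a port group containing a router (patch) port silently loses stateful ACL semantics for that member, because ovn-northd skips conntrack when the inport or outport is a router port. A practitioner would want to catch that configuration before debugging a dropped reply with ovn-trace. The script below is an added example, not code from this thread or from the OVN project: it parses 'ovn-nbctl show', 'ovn-nbctl lsp-list' and 'ovn-nbctl acl-list' style text and reports which port-group members are router ports and how many allow-related ACLs are therefore ineffective for them. The sample listings are constructed from the thread's own output, and the parsers assume the text layouts shown in the thread (other ovn-nbctl versions may differ slightly).

```python
"""Audit an OVN port group for router-port members (added example).

ovn-northd skips conntrack when the inport/outport is a router port, so an
allow-related ACL applied to a port group that contains such a port never
sees ct.est/ct.rpl for that member and replies fall through to the
priority-0 drop.  Input formats assumed are those printed in the thread.
"""
import re

# Constructed from the thread's 'ovn-nbctl show' output (trimmed).
NB_SHOW = """\
switch 18e9d8e6-1cbc-4d4f-afc1-caec9aecf569 (ls_vcn3_net1)
    port 284195d2-9280-4334-900e-571ecd00327a
        addresses: ["52:54:00:02:55:96 192.16.1.6"]
    port ls_vcn3_net1-lr_vcn3_net1
        type: router
        router-port: lr_vcn3_net1-ls_vcn3_net1
switch 7f43d2e4-f146-40d9-8be5-a7b75b319e75 (ls_vcn3_backbone)
    port lsb_vcn3_net1-lr_vcn3_net1
        type: router
        router-port: lr_vcn3_net1-lsb_vcn3_net1
    port lsb_vcn3_stgw-lr_vcn3_stgw
        type: router
        router-port: lr_vcn3_stgw-lsb_vcn3_stgw
router 10f1c098-e5cc-4f85-b8a1-33c49356fd1c (lr_vcn3_net1)
    port lr_vcn3_net1-ls_vcn3_net1
        mac: "40:44:00:00:00:90"
"""

# Constructed from 'ovn-nbctl lsp-list' output for both switches.
LSP_LIST = """\
306e0eab-6b23-405c-a38c-918c1b2e795d (lsb_vcn3_stgw-lr_vcn3_stgw)
f8819747-84cf-4019-9028-690dff014bc1 (284195d2-9280-4334-900e-571ecd00327a)
295f1e55-a9e5-42f9-bb8c-a679bcfa084d (ls_vcn3_net1-lr_vcn3_net1)
"""

# 'ports' column of 'ovn-nbctl list Port_Group' for pg_vcn3_net1_sl3.
PG_PORT_UUIDS = ["306e0eab-6b23-405c-a38c-918c1b2e795d",
                 "f8819747-84cf-4019-9028-690dff014bc1"]

# 'ovn-nbctl acl-list pg_vcn3_net1_sl3', one ACL per line (constructed).
ACL_LIST = """\
from-lport 32767 (inport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
from-lport 27000 (inport == @pg_vcn3_net1_sl3 && ip4.dst == 192.16.1.0/24 && udp.dst == 111) allow-related
from-lport     0 (inport == @pg_vcn3_net1_sl3) drop log(name=fss-8,severity=debug)
  to-lport 32767 (outport == @pg_vcn3_net1_sl3 && (arp || udp.dst == 67 || udp.dst == 68)) allow-related
  to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 111) allow-related
  to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && tcp.dst == 20048) allow-related
  to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && udp.dst == 111) allow-related
  to-lport     0 (outport == @pg_vcn3_net1_sl3) drop log(name=fss-17,severity=debug)
"""


def parse_nb_show(text):
    """Return {lsp_name: type} for every logical switch port.

    Ports listed under a 'router' block are LRPs, not LSPs, and are skipped.
    A switch port without a 'type:' line is a plain VIF port (type "").
    """
    ports, in_switch, current = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("switch "):
            in_switch, current = True, None
        elif line.startswith("router "):
            in_switch, current = False, None
        elif in_switch and line.startswith("port "):
            current = line.split(None, 1)[1]
            ports[current] = ""
        elif in_switch and current and line.startswith("type: "):
            ports[current] = line.split(": ", 1)[1]
    return ports


def parse_lsp_list(text):
    """Map LSP UUID -> name from 'ovn-nbctl lsp-list' output."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^\s*([0-9a-f-]{36}) \((.+)\)\s*$", text, re.M)}


ACL_RE = re.compile(r"^\s*(from-lport|to-lport)\s+(\d+)\s+\((.*)\)\s+(\S+)")


def parse_acls(text):
    """Parse acl-list lines into (direction, priority, match, action).

    The greedy match group backtracks to the last ')' that is followed by
    an action token, so nested parentheses in the match survive intact.
    """
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            for m in (ACL_RE.match(l) for l in text.splitlines()) if m]


def audit_port_group(nb_show, lsp_list, member_uuids, acl_text):
    """Report router-port members and the stateful ACLs that miss them."""
    types, names = parse_nb_show(nb_show), parse_lsp_list(lsp_list)
    members = [names.get(u, u) for u in member_uuids]
    routers = [p for p in members if types.get(p) == "router"]
    stateful = [a for a in parse_acls(acl_text) if a[3] == "allow-related"]
    return {"members": members, "router_members": routers,
            "stateful_acls": len(stateful),
            "affected": bool(routers) and bool(stateful)}


if __name__ == "__main__":
    r = audit_port_group(NB_SHOW, LSP_LIST, PG_PORT_UUIDS, ACL_LIST)
    for p in r["router_members"]:
        print(f"router port {p}: conntrack skipped, "
              f"{r['stateful_acls']} allow-related ACLs will not track replies")
```

Run against the thread's data it flags lsb_vcn3_stgw-lr_vcn3_stgw, which is exactly the member on which the NFS reply hit the priority-0 drop; the VM VIF port is reported clean. Feeding it live output (`ovn-nbctl show`, `ovn-nbctl lsp-list <switch>` for each switch, and the `ports` column of `ovn-nbctl list Port_Group`) makes the same check before deploying stateful ACLs on a new port group.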

