-
Epic
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
None
-
Too many ACL sampled packets when traffic traverses logical routers
-
False
-
-
False
-
-
To Do
-
rhel-9
-
rhel-net-ovn
-
50% To Do, 0% In Progress, 50% Done
-
ssg_networking
Problem Description:
Originally reported upstream: https://mail.openvswitch.org/pipermail/ovs-discuss/2025-May/053626.html
With topologies similar to the following:
switch afc9bff5-0b20-43c7-8ef7-9bc65e9a19ee (ls2)
port ls2-rtr
type: router
router-port: rtr-ls2
port vm3
addresses: ["00:00:00:00:00:03"]
switch c9c171ef-849c-436d-b3f9-73d83b9c4e5d (ls)
port ls-rtr
type: router
addresses: ["00:00:00:00:01:00"]
router-port: rtr-ls
port vm1
addresses: ["00:00:00:00:00:01"]
router cd90bc9c-5ed1-403f-a3c7-1923ef069360 (rtr)
port rtr-ls
mac: "00:00:00:00:01:00"
ipv6-lla: "fe80::200:ff:fe00:100"
networks: ["42.42.42.1/24", "4242::1/64"]
port rtr-ls2
mac: "00:00:00:00:02:00"
ipv6-lla: "fe80::200:ff:fe00:200"
networks: ["43.43.43.1/24"] \{noformat}
E.g., two logical switches connected together by a logical router.
And the following ACLs applied to both switches:
- ovn-nbctl acl-list pg
from-lport 100 (inport==@pg && ip4) allow-related
to-lport 200 (outport==@pg && ip4 && icmp4) allow-related {noformat}
If sampling of packets that are part of established sessions is configured for both ACLs:# ovn-nbctl list sample _uuid : 23153fae-0a73-4f86-bdf2-137e76647da8 collectors : [82540855-dcd4-44e4-8354-e08a972500cd] metadata : 2000000_uuid : 42391c82-23d2-4f2b-a7b9-88afaa68282c collectors : [82540855-dcd4-44e4-8354-e08a972500cd] metadata : 1000000\{noformat} - ovn-nbctl --columns action,direction,match,sample_new,sample_est list acl
action : allow-related
direction : from-lport
match : "inport==@pg && ip4"
sample_new : []
sample_est : 23153fae-0a73-4f86-bdf2-137e76647da8action : allow-related
direction : to-lport
match : "outport==@pg && ip4 && icmp4"
sample_new : []
sample_est : 42391c82-23d2-4f2b-a7b9-88afaa68282c {noformat}
Reply packets on established sessions are sampled twice:
* once in the egress pipeline of sw1 (towards the router)
* once in the egress pipeline of sw2 (towards the destination)
The first sample should not happen because router ports are skipped from conntrack so in practice there should be no conntrack entry associated to the packet in the egress pipeline (from switch to router). However, the function skip_port_from_conntrack() does not clear CT information associated with the packet in the ingress pipeline if the switch has stateful ACLs. That's the case since https://github.com/ovn-org/ovn/commit/d17ece7:
Also, this patch does not change the behavior for ACLs such as allow-related:
packets are still sent to conntrack, even for router ports. While this does
not work if router ports are distributed, allow-related ACLs work today on
router ports when those ports are handled on the same chassis for ingress and
egress traffic. This patch does not change that behavior. \{noformat}
h3. Impact Assessment: Describe the severity and impact (e.g., network down,availability of a workaround, etc.).
h3. Software Versions: Specify the exact versions in use (e.g.,openvswitch3.1-3.1.0-147.el8fdp).
Any OVN24.03 or newer.
h3. Issue Type: this is a day-on issue
h3. Reproducibility: this can be consistently reproduced
h3. Reproduction Steps: with the attached configuration, ping once from "vm3":
ip netns exec vm3 ping 42.42.42.2 -c 1 {noformat}
Expected Behavior:
There should be two samples of the ICMP reply packet (one for each ACL).
Observed Behavior:
Three samples are actually generated.