FDP-848 (Fast Datapath Product)

Stale sample from allow ACL are generated after the ACL is removed and packet is hitting a less restrictive ACL


    • Bug
    • Resolution: Done-Errata
    • Normal
    • FDP-25.A
    • ovn24.09
    • 5

      Given that a high-priority ACL has been removed from the system and a long-standing connection that previously matched the removed ACL is still active,

      When the connection should now be subject to the next lower-priority ACL, 

      Then, the OVN controller should correctly update the observationPointID for this connection and no stale samples are reported from the removed ACL.
    • ovn24.09-24.09.1-21.el9fdp
    • rhel-9
    • rhel-sst-network-fastdatapath
    • ssg_networking
    • FDP 25.A
    • 1

      Considering the following configuration:

      $ ovn-nbctl acl-list sw01
      from-lport   100 (inport == "sw01-port1" && udp.dst == 5201) allow-related [after-lb]
      from-lport    10 (inport == "sw01-port1" && udp) allow-related [after-lb]

      $ ovn-nbctl list acl
      _uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
      action              : allow-related
      direction           : from-lport
      external_ids        : {}
      label               : 0
      log                 : false
      match               : "inport == \"sw01-port1\" && udp"
      meter               : []
      name                : []
      options             : {apply-after-lb="true"}
      priority            : 10
      sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
      sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e
      severity            : []
      tier                : 0

      _uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
      action              : allow-related
      direction           : from-lport
      external_ids        : {}
      label               : 0
      log                 : false
      match               : "inport == \"sw01-port1\" && udp.dst == 5201"
      meter               : []
      name                : []
      options             : {apply-after-lb="true"}
      priority            : 100
      sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
      sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
      severity            : []
      tier                : 0

      If the priority-100 ACL is removed, a long-standing UDP connection with destination port 5201 now matches the priority-10 ACL; however, ovn-controller keeps sampling the existing connection with the observationPointID associated with the removed ACL. To fix the issue, the observationPointID should be recommitted to the connection tracking table.
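      The stale-sample behaviour described above and the proposed recommit, reduced to a toy model. This is an added example, not OVN or ovn-controller code: it parses the `ovn-nbctl list acl` output format shown in the report, picks the highest-priority matching ACL with a hypothetical evaluator that covers only the match terms used here, caches the matched ACL's sample_est UUID per connection the way a conntrack commit would, and replays the scenario once without and once with the recommit. The `stale_samples` helper is a hypothetical operator check that flags observation point IDs that no configured ACL backs any more.

```python
"""Toy model of ACL sampling across an ACL removal (constructed example, not OVN
code): conntrack caches the observation point of the ACL that committed a flow."""
from typing import Optional

# Constructed excerpt of `ovn-nbctl list acl` output, reduced to the columns
# the model reads. UUIDs, matches and priorities are the ones from the report.
LIST_ACL_OUTPUT = """\
_uuid               : e440336a-84d3-4a6d-95a9-edd1db1c3631
match               : "inport == \\"sw01-port1\\" && udp"
priority            : 10
sample_est          : ac6a6efc-a2e0-4d68-b5f8-8cd91113e554
sample_new          : 5cdad2ab-4390-4772-ac40-74aa2980c06e

_uuid               : 85ef08d7-aacc-41d7-b808-6ab011edd753
match               : "inport == \\"sw01-port1\\" && udp.dst == 5201"
priority            : 100
sample_est          : 143ce7e2-fd13-4d5e-930c-133d5cf87d0d
sample_new          : 1d1a0a05-2a8a-4c72-ad35-77d7e2908183
"""


def parse_list_acl(text: str) -> list[dict]:
    """Parse blank-line separated `key : value` records into dicts."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    for rec in records:
        rec["priority"] = int(rec["priority"])
        # Unquote the OVSDB string and its escaped inner quotes.
        rec["match"] = rec["match"].strip('"').replace('\\"', '"')
    return records


def acl_matches(match: str, pkt: dict) -> bool:
    """Hypothetical evaluator for the subset of OVN match syntax used above:
    terms joined by '&&', each `field == value` or a bare protocol flag (`udp`)."""
    for term in (t.strip() for t in match.split("&&")):
        if "==" in term:
            field, value = (s.strip() for s in term.split("==", 1))
            if str(pkt.get(field)) != value.strip('"'):
                return False
        elif not pkt.get(term, False):
            return False
    return True


class Switch:
    """Highest-priority matching ACL wins; conntrack is keyed by (inport, udp.dst)
    and stores the observation point (the ACL's sample_est) cached at commit."""

    def __init__(self, acls: list[dict], recommit: bool):
        self.acls = sorted(acls, key=lambda a: -a["priority"])
        self.recommit = recommit  # False reproduces the bug, True the fix
        self.ct: dict[tuple, str] = {}

    def remove_acl(self, uuid: str) -> None:
        self.acls = [a for a in self.acls if a["_uuid"] != uuid]

    def process(self, pkt: dict) -> Optional[str]:
        """Forward one packet; return the observation point ID of the sample
        emitted for it (None when no ACL matches)."""
        acl = next((a for a in self.acls if acl_matches(a["match"], pkt)), None)
        if acl is None:
            return None
        key = (pkt["inport"], pkt.get("udp.dst"))
        if key not in self.ct:                  # new connection: commit it
            self.ct[key] = acl["sample_est"]
            return acl["sample_new"]
        if self.recommit and self.ct[key] != acl["sample_est"]:
            self.ct[key] = acl["sample_est"]    # the fix: refresh the cached ID
        return self.ct[key]                     # stale without the recommit


def stale_samples(sample_ids, acls: list[dict]) -> set[str]:
    """Operator check: observation point IDs that belong to no configured ACL."""
    known = {a[col] for a in acls for col in ("sample_est", "sample_new")}
    return {s for s in sample_ids if s not in known}


def run_scenario(recommit: bool) -> dict:
    """Replay the report: new UDP/5201 flow, then remove the priority-100 ACL."""
    sw = Switch(parse_list_acl(LIST_ACL_OUTPUT), recommit)
    pkt = {"inport": "sw01-port1", "udp": True, "udp.dst": 5201}
    new = sw.process(pkt)      # first packet: priority-100 ACL's sample_new
    est = sw.process(pkt)      # established: priority-100 ACL's sample_est
    sw.remove_acl("85ef08d7-aacc-41d7-b808-6ab011edd753")
    after = sw.process(pkt)    # should now carry the priority-10 ACL's ID
    return {"new": new, "est": est, "after_removal": after,
            "stale": stale_samples([after], sw.acls)}
```

      Running `run_scenario(False)` returns the removed ACL's sample_est UUID for the established connection and `stale_samples` flags it; `run_scenario(True)` returns the priority-10 ACL's UUID and flags nothing. The same comparison, observation point IDs seen in exported samples against the UUIDs currently listed by `ovn-nbctl list acl`, is a practical way to confirm on a live system whether a build still produces samples for a removed ACL.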


              lorenzobianconi lorenzo bianconi
              Ehsan Elahi Ehsan Elahi