allow-related is not working for reply flow #242

Open
lynn901 opened this issue Apr 26, 2024 · 1 comment
lynn901 commented Apr 26, 2024

ovn v22.12.3
ovs 3.1.5

subnet1 192.168.1.0/24
vm1 192.168.1.7
vm2 192.168.1.9

subnet ACL configured as:
from-lport 1900 (ip4.src == 192.168.1.0/24 && ip4.dst == 192.168.1.0/24) allow-related
from-lport 1598 (ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp) drop
to-lport 1597 (ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp) drop

vm2 ping to vm1 is unreachable

ovn trace is in the picture below
[image: ovn-trace output]

@neilliu9891

In the above description, when pinging VM1 from VM2, the packet is allowed by rule 1 but dropped by rule 3 in the inbound direction of VM1. This is because the three rules do not specify an inport value, so they are applied to all VMs in the subnet, which causes the issue described above.
The scenario in which allow-related takes effect is the handling of reply packets. In the current situation, VM1 should not have received the request packet, so there is no communication. Can you please confirm this?
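
To make the ordering in the comment above concrete, the following is an added toy model of the two OVN ACL stages; it is not OVN code and was not posted by either participant. It assumes OVN's documented behaviour: within one direction the highest-priority matching ACL decides and a packet matched by no ACL is allowed; a packet must pass the sender-side from-lport stage and then the receiver-side to-lport stage; and allow-related commits the flow to conntrack so that traffic in the reverse direction is passed as a reply before the ACLs are consulted. The class and function names (`ACL`, `Packet`, `evaluate`, `forward`, `ping`, `run_scenario`) are invented for the example, and the match expressions are reduced to source prefix, destination prefix and protocol. The addresses and the three ACLs are the ones from the report.

```python
"""Added toy model of OVN ACL evaluation; not OVN code.

Rules modelled (from the OVN documentation, reduced to what this issue needs):
  * within one direction the highest-priority matching ACL decides;
    a packet no ACL matches is allowed
  * a packet must pass the from-lport stage (sender side) and then
    the to-lport stage (receiver side)
  * allow-related commits the flow to conntrack; a packet travelling in the
    reverse direction of a committed flow is passed as a reply before any
    ACL is consulted
Match expressions are reduced to source prefix, destination prefix and
protocol. Addresses are the ones from the report.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, str, str]          # (src, dst, proto) as committed by allow-related


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp", "tcp", ...


@dataclass(frozen=True)
class ACL:
    direction: str                    # "from-lport" or "to-lport"
    priority: int
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]              # None matches any protocol
    action: str                       # "allow", "allow-related" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto))


def acl(direction: str, priority: int, src: str, dst: str,
        action: str, proto: Optional[str] = None) -> ACL:
    """Helper mirroring 'from-lport 1900 (ip4.src == A && ip4.dst == B) allow-related'."""
    return ACL(direction, priority, ip_network(src), ip_network(dst), proto, action)


# The three ACLs quoted in the report. None of them carries an inport/outport
# term, so each is consulted for every port on the switch.
SUBNET_ACLS: List[ACL] = [
    acl("from-lport", 1900, "192.168.1.0/24", "192.168.1.0/24", "allow-related"),
    acl("from-lport", 1598, "192.168.1.9/32", "192.168.1.7/32", "drop", proto="icmp"),
    acl("to-lport", 1597, "192.168.1.9/32", "192.168.1.7/32", "drop", proto="icmp"),
]


def evaluate(acls: List[ACL], pkt: Packet, direction: str) -> str:
    """Verdict of a single stage: highest priority first, default allow."""
    for rule in sorted(acls, key=lambda r: r.priority, reverse=True):
        if rule.direction == direction and rule.matches(pkt):
            return rule.action
    return "allow"


def forward(acls: List[ACL], conntrack: Set[Flow], pkt: Packet) -> str:
    """Walk one packet through both stages.

    Returns "allow", "allow (reply)" or "drop at <stage>" and records the flow
    in `conntrack` when an allow-related ACL let it through.
    """
    # Replies to a committed connection bypass the ACL stages entirely.
    if (pkt.dst, pkt.src, pkt.proto) in conntrack:
        return "allow (reply)"
    committed = False
    for stage in ("from-lport", "to-lport"):
        verdict = evaluate(acls, pkt, stage)
        if verdict == "drop":
            return f"drop at {stage}"       # never reaches the destination port
        committed = committed or verdict == "allow-related"
    if committed:
        conntrack.add((pkt.src, pkt.dst, pkt.proto))
    return "allow"


def ping(acls: List[ACL], conntrack: Set[Flow], src: str, dst: str) -> str:
    return forward(acls, conntrack, Packet(src, dst, "icmp"))


def run_scenario(acls: List[ACL] = SUBNET_ACLS) -> Tuple[str, str, str]:
    """vm2 -> vm1 echo request, then vm1 -> vm2 echo request and vm2's echo reply."""
    ct: Set[Flow] = set()
    vm2_to_vm1 = ping(acls, ct, "192.168.1.9", "192.168.1.7")
    vm1_to_vm2 = ping(acls, ct, "192.168.1.7", "192.168.1.9")
    vm2_reply = ping(acls, ct, "192.168.1.9", "192.168.1.7")
    return vm2_to_vm1, vm1_to_vm2, vm2_reply


if __name__ == "__main__":
    labels = ("vm2 -> vm1 echo request", "vm1 -> vm2 echo request",
              "vm2 -> vm1 echo reply")
    for label, verdict in zip(labels, run_scenario()):
        print(f"{label}: {verdict}")
```

With the three ACLs as posted, the model lets the vm2 → vm1 echo request through the from-lport stage (priority 1900 beats 1598) and drops it at the to-lport stage (priority 1597, with no higher to-lport rule to override it), so nothing is ever committed and there is no reply for allow-related to act on. A vm1 → vm2 echo request, on the other hand, is committed by the 1900 allow-related rule, and vm2's echo reply is then passed as reply traffic even though its addresses match both drop rules. Dropping the to-lport rule (passing `SUBNET_ACLS[:2]`) makes the vm2 → vm1 request pass, which is the quickest way to check that the to-lport rule is what blocks it.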
