Commit
ovn: Exclude inport and outport symbol tables from conjunction
If there are multiple ACLs associated with a port group and they match on a range of some field, then ovn-controller doesn't install the flows properly and this results in broken ACL functionality.

For example, if there is a port group - pg1 with logical ports - [p1, p2] and if there are below ACLs (only match condition is shown)

1 - outport == @pg1 && ip4 && tcp.dst >= 500 && tcp.dst <= 501
2 - outport == @pg1 && ip4 && tcp.dst >= 600 && tcp.dst <= 601

The first ACL will result in the below OF flows

1. conj_id=1,tcp
2. tcp,reg15=0x11: conjunction(1, 1/2)
3. tcp,reg15=0x12: conjunction(1, 1/2)
5. tcp,tp_dst=500: conjunction(1, 2/2)
6. tcp,tp_dst=501: conjunction(1, 2/2)

The second ACL will result in the below OF flows

7. conj_id=2,tcp
8. tcp,reg15=0x11: conjunction(2, 1/2)
9. tcp,reg15=0x12: conjunction(2, 1/2)
11. tcp,tp_dst=600: conjunction(2, 2/2)
12. tcp,tp_dst=601: conjunction(2, 3/2)

The OF flows (2) and (8) have the exact match but with different action. This results in only one of the flows getting installed. The same goes for the flows (3) and (9). And this completely breaks the ACL functionality for such scenarios.

In order to fix this issue, this patch excludes the 'inport' and 'outport' symbols from conjunction. With this patch we will have the below flows.

tcp,reg15=0x11,tp_dst=500
tcp,reg15=0x11,tp_dst=501
tcp,reg15=0x12,tp_dst=500
tcp,reg15=0x12,tp_dst=501
tcp,reg15=0x13,tp_dst=500
tcp,reg15=0x13,tp_dst=501
tcp,reg15=0x11,tp_dst=600
tcp,reg15=0x11,tp_dst=601
tcp,reg15=0x12,tp_dst=600
tcp,reg15=0x12,tp_dst=601
tcp,reg15=0x13,tp_dst=600
tcp,reg15=0x13,tp_dst=601

Acked-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>

(cherry-picked from ovn commit 298701d)
Signed-off-by: Ben Pfaff <blp@ovn.org>
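The collision described in the commit message, as an added Python model that is not OVN or Open vSwitch code. It assumes a flow table with one entry per match string in which an identical match overwrites the earlier entry; the `acl1`/`acl2` action names and all function names are placeholders for illustration.

```python
# Added illustration: a constructed model, not OVN or Open vSwitch code.
from itertools import product

PORTS = [0x11, 0x12]                      # reg15 values from the commit message
ACLS = {1: [500, 501], 2: [600, 601]}     # conj_id -> tcp.dst values

def conjunctive_flows(acls, ports):
    """One flow per value in each dimension, like the numbered flows above."""
    flows = []
    for cid, dsts in acls.items():
        flows.append((f"conj_id={cid},tcp", f"acl{cid}"))  # placeholder action
        flows += [(f"tcp,reg15={p:#x}", f"conjunction({cid}, 1/2)") for p in ports]
        flows += [(f"tcp,tp_dst={d}", f"conjunction({cid}, 2/2)") for d in dsts]
    return flows

def cross_product_flows(acls, ports):
    """Port excluded from conjunction: one flow per (port, tcp.dst) pair."""
    return [(f"tcp,reg15={p:#x},tp_dst={d}", f"acl{cid}")
            for cid, dsts in acls.items() for p, d in product(ports, dsts)]

def install(flows):
    """Assumed table model: one entry per match; an identical match overwrites."""
    table, collisions = {}, []
    for match, action in flows:
        if match in table and table[match] != action:
            collisions.append(match)
        table[match] = action
    return table, collisions

def acl_enforced(table, cid, port):
    """An ACL can only fire for a port if its 1/2 clause for that port survived."""
    return table.get(f"tcp,reg15={port:#x}") == f"conjunction({cid}, 1/2)"

if __name__ == "__main__":
    table, collisions = install(conjunctive_flows(ACLS, PORTS))
    print("colliding matches:", collisions)
    for cid in ACLS:
        print(f"ACL {cid} enforced on 0x11:", acl_enforced(table, cid, 0x11))
    fixed, collisions = install(cross_product_flows(ACLS, PORTS))
    print("after fix:", len(fixed), "flows,", len(collisions), "collisions")
```

Which of the two ACLs loses its port clause depends on install order in this model; the point is that only one `conjunction(N, 1/2)` action can exist per port match, so the other ACL silently stops matching.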