[Bug 1906922] Re: Unpredictable behaviour on conflicting flow actions

Brian Murray 1906922 at bugs.launchpad.net
Tue Jan 19 19:22:49 UTC 2021 

Hello Frode, or anyone else affected,

Accepted ovn into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ovn/20.03.1-0ubuntu1.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: ovn (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1906922

Title:
  Unpredictable behaviour on conflicting flow actions

Status in Ubuntu Cloud Archive:
  In Progress
Status in Ubuntu Cloud Archive ussuri series:
  In Progress
Status in Ubuntu Cloud Archive victoria series:
  In Progress
Status in ovn package in Ubuntu:
  Fix Released
Status in ovn source package in Focal:
  Fix Committed
Status in ovn source package in Groovy:
  Fix Committed

Bug description:
  [Impact]

  When CMS configures ACLs with overlapping rules the flow rules OVN
  programs into Open vSwitch may lead to unpredictable forwarding
  behavior such as every other packet being dropped.

  
  [Test Case]

  How to reproduce with OpenStack as CMS:
  - Update the "default" group to accept ICMP, then:
      openstack security group create a
      openstack security group create b
      openstack security group create c
      openstack security group rule create --ingress --ethertype IPv4 --protocol icmp --remote-group b b
      openstack security group rule create --ingress --ethertype IPv6 --protocol icmp --remote-group b b
      openstack security group rule create --ingress --ethertype IPv4 --protocol icmp --remote-group c c
      openstack security group rule create --ingress --ethertype IPv6 --protocol icmp --remote-group c c
      openstack server add security group
      for server in zaza-neutrontests-ins-1 zaza-neutrontests-ins-2; do for group in a b c; do openstack server add security group $server $group;done;done

  Look for bad conjunction messages in ovn-controller log and monitor
  ICMP reachability to the instances.

  [Other Info]

  Fixed upstream:
  https://github.com/ovn-org/ovn/commit/986b3d5e4ad6f05245d021ba699c957246294a22

  Other bug trackers:
  https://bugzilla.redhat.com/1871931

  Symptoms:
  Every other packet does not arrive.

  2020-12-05T10:33:38.304Z|00016|ofctrl|INFO|OpenFlow error: OFPT_ERROR (OF1.3) (xid=0x1af): NXBAC_BAD_CONJUNCTION
  OFPT_FLOW_MOD (OF1.3) (xid=0x1af): ***decode error: NXBAC_BAD_CONJUNCTION***
  00000000  04 0e 00 b0 00 00 01 af-00 00 00 00 e6 89 28 3a |..............(:|
  00000010  00 00 00 00 00 00 00 00-2c 00 00 00 00 00 07 d2 |........,.......|
  00000020  ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 |................|
  00000030  00 01 00 53 80 00 0a 02-08 00 80 00 14 01 01 00 |...S............|
  00000040  01 1e 04 00 00 00 03 00-01 d3 08 00 00 00 22 00 |..............".|
  00000050  00 00 2b 00 01 d9 20 00-00 00 00 00 00 00 00 00 |..+... .........|
  00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 |................|
  00000070  00 00 00 00 00 00 01 80-00 04 08 00 00 00 00 00 |................|
  00000080  00 00 03 00 00 00 00 00-00 04 00 28 00 00 00 00 |...........(....|
  00000090  ff ff 00 10 00 00 23 20-00 0e ff f8 2d 00 00 00 |......# ....-...|
  000000a0  ff ff 00 10 00 00 23 20-00 22 01 02 00 00 00 09 |......# ."......|

  I have been able to backport this fix to 20.03.1 with minor adaption
  using these commits from master, however a flaky test may need some
  more investigation:

  commit 986b3d5e4ad6f05245d021ba699c957246294a22
  commit 33c15c145988daa6172928dc870f3a0225515f50
  commit 107bb25029350bd0f7dfeeb0ef3053adbd504e3e
  commit e49ce9a33f38f29c44e3c30afcc189b5f6a9ef8e
  commit dadae4f800ccb1f2759378f0bd804dd002e31605
  commit 7cab7bd1268ba67429954da4f73de91090acf779
  commit 9d2e8d32fb9865513b70408a665184a67564390d
  commit f4e508dd7a6cfbfc2e3250a8c11a8d0fdc1dfdd0
  commit 6f0b1e02d9ab3a94048c4818f2d382938cad4b71
  commit 23063cf4178c05f5d6b3e4ec6d323ccc88df6101
  commit 354d3853d40cbce89a434632f67daed7fc992d8b

  The list of commits is quite long and this is due to how
  controller/ofctrl.c has changed from 20.03.1 was cut until now, but
  the nature of the changes look sane to me.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1906922/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list