Question about security group in Allow address pairs scenario

Asked by Taoyunxiang on 2019-08-12

Hi,
Thanks for reading my question. The security group is the default one.
I added 192.168.15.200 to VM1 (192.168.15.4) via allowed address pairs. I can connect to VM1 by the new IP (192.168.15.200) from VM2 (192.168.15.9), but not the reverse.

When I trace the traffic with ovn-trace, I found it has been dropped by an ACL which matches the port group 'neutron_pg_drop'.

Actually, VM1 could connect to VM2 before the allowed-address-pair IP was attached to VM1. The allowed address pairs do not change VM1's port or port group, so why does this happen?

Question information

Language: English
Status: Open
For: networking-ovn
Assignee: No assignee
Last query: 2019-08-12

Taoyunxiang (taoyunxiang) said : #1

The following is the output of 'ovn-trace' where the source IP of VM1 is the allowed-address-pair IP (192.168.15.200):

[root@ovn1 ~]# ovn-trace tyx-net15 'inport == "4620f045-5aef-4658-a51a-595588811ce1" && eth.src == fa:16:3e:d9:58:49 && ip4.src == 192.168.15.200 && ip4.dst == 192.168.15.9 && eth.dst == fa:16:3e:59:4e:c4 && icmp && ip.ttl == 64'
# icmp,reg14=0x4,vlan_tci=0x0000,dl_src=fa:16:3e:d9:58:49,dl_dst=fa:16:3e:59:4e:c4,nw_src=192.168.15.200,nw_dst=192.168.15.9,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0

ingress(dp="tyx-net15", inport="4620f0")
----------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4060): inport == "4620f0" && eth.src == {fa:16:3e:d9:58:49}, priority 50, uuid 4950245c
    next;
 1. ls_in_port_sec_ip (ovn-northd.c:2815): inport == "4620f0" && eth.src == fa:16:3e:d9:58:49 && ip4.src == {192.168.15.4, 192.168.15.200}, priority 90, uuid 5d526782
    next;
 3. ls_in_pre_acl (ovn-northd.c:3192): ip, priority 100, uuid c9edcc6f
    reg0[0] = 1;
    next;
 5. ls_in_pre_stateful (ovn-northd.c:3319): reg0[0] == 1, priority 100, uuid 48da520a
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 6. ls_in_acl (ovn-northd.c:3506): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_cf7eae68_f0e3_4a6d_a3e1_4f3454e11b3d && ip4), priority 2002, uuid d9384f98
    next;
16. ls_in_l2_lkup (ovn-northd.c:4393): eth.dst == fa:16:3e:59:4e:c4, priority 50, uuid 033f285e
    outport = "b0f01d";
    output;

egress(dp="tyx-net15", inport="4620f0", outport="b0f01d")
---------------------------------------------------------
 1. ls_out_pre_acl (ovn-northd.c:3194): ip, priority 100, uuid 7f173639
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (ovn-northd.c:3321): reg0[0] == 1, priority 100, uuid 45d9182c
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl (ovn-northd.c:3560): ct.est && ct_label.blocked == 0 && (outport == @neutron_pg_drop && ip), priority 2001, uuid 96f5e6ed
    ct_commit(ct_label=0x1/0x1);

Taoyunxiang (taoyunxiang) said : #2

The following is the output of 'ovn-trace' where the source IP of VM1 is its original IP (192.168.15.4):

[root@ovn1 ~]# ovn-trace tyx-net15 'inport == "4620f045-5aef-4658-a51a-595588811ce1" && eth.src == fa:16:3e:d9:58:49 && ip4.src == 192.168.15.4 && ip4.dst == 192.168.15.9 && eth.dst == fa:16:3e:59:4e:c4 && icmp && ip.ttl == 64'
# icmp,reg14=0x4,vlan_tci=0x0000,dl_src=fa:16:3e:d9:58:49,dl_dst=fa:16:3e:59:4e:c4,nw_src=192.168.15.4,nw_dst=192.168.15.9,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0

ingress(dp="tyx-net15", inport="4620f0")
----------------------------------------
 0. ls_in_port_sec_l2 (ovn-northd.c:4060): inport == "4620f0" && eth.src == {fa:16:3e:d9:58:49}, priority 50, uuid 4950245c
    next;
 1. ls_in_port_sec_ip (ovn-northd.c:2815): inport == "4620f0" && eth.src == fa:16:3e:d9:58:49 && ip4.src == {192.168.15.4, 192.168.15.200}, priority 90, uuid 5d526782
    next;
 3. ls_in_pre_acl (ovn-northd.c:3192): ip, priority 100, uuid c9edcc6f
    reg0[0] = 1;
    next;
 5. ls_in_pre_stateful (ovn-northd.c:3319): reg0[0] == 1, priority 100, uuid 48da520a
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 6. ls_in_acl (ovn-northd.c:3506): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_cf7eae68_f0e3_4a6d_a3e1_4f3454e11b3d && ip4), priority 2002, uuid d9384f98
    next;
16. ls_in_l2_lkup (ovn-northd.c:4393): eth.dst == fa:16:3e:59:4e:c4, priority 50, uuid 033f285e
    outport = "b0f01d";
    output;

egress(dp="tyx-net15", inport="4620f0", outport="b0f01d")
---------------------------------------------------------
 1. ls_out_pre_acl (ovn-northd.c:3194): ip, priority 100, uuid 7f173639
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (ovn-northd.c:3321): reg0[0] == 1, priority 100, uuid 45d9182c
    ct_next;

ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl (ovn-northd.c:3506): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (outport == @pg_cf7eae68_f0e3_4a6d_a3e1_4f3454e11b3d && ip4 && ip4.src == $pg_cf7eae68_f0e3_4a6d_a3e1_4f3454e11b3d_ip4), priority 2002, uuid 70893f69
    next;
 8. ls_out_port_sec_ip (ovn-northd.c:2815): outport == "b0f01d" && eth.dst == fa:16:3e:59:4e:c4 && ip4.dst == {255.255.255.255, 224.0.0.0/4, 192.168.15.9}, priority 90, uuid c73f7f48
    next;
 9. ls_out_port_sec_l2 (ovn-northd.c:4518): outport == "b0f01d" && eth.dst == {fa:16:3e:59:4e:c4}, priority 50, uuid 42dd9108
    output;
    /* output to "b0f01d", type "" */

Taoyunxiang (taoyunxiang) said : #3

From the logical-switch-port info, I found that the addresses column has never changed. I guess that ovn-controller eventually translates the ports of the port group into specific IPs, and the basis of that translation is the addresses column. So the default group only allows the original IP of the logical port.

But I cannot find the code to prove my opinion. Am I right? Can you show me the code associated with this problem?
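
The two traces above differ in exactly one place: in the egress pipeline the priority-2002 rule for the default security group also requires 'ip4.src == $pg_<uuid>_ip4', and 192.168.15.200 is not in that address set, so the priority-2001 '@neutron_pg_drop' rule wins. ovn-northd builds a port group's '_ip4' address set from the 'addresses' column of the member logical switch ports, while the 'ls_in_port_sec_ip' flow (which does accept 192.168.15.200 in the trace) is built from the 'port_security' column, which is the column networking-ovn extends with allowed address pairs. The following script is an added illustration of that split and is not code from the question, from networking-ovn or from OVN; it models the two columns for the two ports in the question (the full name of VM2's port and the exact contents of the 'port_security' column are assumptions, since the trace only shows the prefix "b0f01d" and the allowed IPs), rebuilds the address set the way northd does, and evaluates the egress ACL for both source IPs. The last function shows, as an illustrative remedy rather than networking-ovn's actual change, that putting the allowed address pair into 'addresses' as well flips the verdict.

```python
"""Model of why an allowed-address-pair IP is dropped by the default SG.

Added example for the question above; not networking-ovn or OVN code.
The Northbound column contents below are constructed from the traces.
"""
import copy
import ipaddress

VM1 = "4620f045-5aef-4658-a51a-595588811ce1"  # VM1's port, from the trace
VM2 = "b0f01d-vm2-port-placeholder"           # assumed: trace shows only "b0f01d"

# Constructed sample of the two Logical_Switch_Port columns that matter.
# MACs and IPs are the ones in the question; port_security contents are
# assumed from the ls_in_port_sec_ip / ls_out_port_sec_ip flows in the trace.
NB_PORTS = {
    VM1: {
        "addresses": ["fa:16:3e:d9:58:49 192.168.15.4"],
        "port_security": ["fa:16:3e:d9:58:49 192.168.15.4 192.168.15.200"],
    },
    VM2: {
        "addresses": ["fa:16:3e:59:4e:c4 192.168.15.9"],
        "port_security": ["fa:16:3e:59:4e:c4 192.168.15.9"],
    },
}
PG_DEFAULT = frozenset({VM1, VM2})  # both ports are in the default SG's port group
SPECIAL_KEYWORDS = {"unknown", "router", "dynamic"}


def parse_entry(entry):
    """Split one 'mac ip [ip ...]' entry into (mac, [ipv4 strings]).
    Returns (None, []) for the 'unknown' / 'router' / 'dynamic' keywords."""
    tokens = entry.split()
    if not tokens or tokens[0] in SPECIAL_KEYWORDS:
        return None, []
    mac, ips = tokens[0], []
    for tok in tokens[1:]:
        try:
            net = ipaddress.ip_network(tok, strict=False)
        except ValueError:
            continue  # e.g. a trailing 'dynamic' keyword after the MAC
        if net.version == 4:
            ips.append(tok)
    return mac, ips


def in_set(nets, ip):
    """True if ip falls inside any address or CIDR in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def port_group_ip4_set(members, ports):
    """The $pg_<uuid>_ip4 address set: IPv4 addresses taken from the
    'addresses' column of every member port (what remote-group ACLs match)."""
    ips = set()
    for name in members:
        for entry in ports[name]["addresses"]:
            ips.update(parse_entry(entry)[1])
    return ips


def port_security_ip4_set(port):
    """IPv4 sources that ls_in_port_sec_ip accepts for a port, taken from the
    'port_security' column. None means no IPv4 restriction (column empty, or
    an entry with a MAC only)."""
    if not port["port_security"]:
        return None
    ips = set()
    for entry in port["port_security"]:
        mac, addrs = parse_entry(entry)
        if mac and not addrs:
            return None
        ips.update(addrs)
    return ips


def ingress_port_sec(src_ip, src_port_name, ports):
    """Emulate ls_in_port_sec_ip for a packet entering on src_port_name."""
    allowed = port_security_ip4_set(ports[src_port_name])
    return allowed is None or in_set(allowed, src_ip)


def egress_verdict(src_ip, dst_port_name, members, ports):
    """Emulate the two ls_out_acl rules seen in the traces for a new flow:
    the priority-2002 allow needs outport in the port group AND ip4.src in
    the group's address set; otherwise priority-2001 @neutron_pg_drop wins."""
    if dst_port_name in members and in_set(port_group_ip4_set(members, ports), src_ip):
        return "allow"
    return "drop"


def merge_port_security_into_addresses(ports):
    """Illustrative remedy (not networking-ovn's actual code): copy the IPv4
    addresses of port_security into the addresses column, so the port group's
    address set also covers the allowed address pairs. Returns a new dict."""
    fixed = copy.deepcopy(ports)
    for port in fixed.values():
        extra = port_security_ip4_set(port) or set()
        rebuilt = []
        for entry in port["addresses"]:
            mac, ips = parse_entry(entry)
            if mac is None:
                rebuilt.append(entry)
                continue
            rebuilt.append(" ".join([mac] + ips + sorted(extra - set(ips))))
        port["addresses"] = rebuilt
    return fixed


if __name__ == "__main__":
    for src in ("192.168.15.4", "192.168.15.200"):
        print(src, "port-sec:", ingress_port_sec(src, VM1, NB_PORTS),
              "egress ACL:", egress_verdict(src, VM2, PG_DEFAULT, NB_PORTS))
    fixed = merge_port_security_into_addresses(NB_PORTS)
    print("after merge:", egress_verdict("192.168.15.200", VM2, PG_DEFAULT, fixed))
```

Running it reproduces the traces: both source IPs pass port security on VM1's port, but only 192.168.15.4 is in the port group's address set, so a new flow from 192.168.15.200 hits the drop rule on VM2's port. The check to run on a real deployment is 'ovn-nbctl list Logical_Switch_Port' for VM1's port and comparing the 'addresses' and 'port_security' columns against 'ovn-sbctl list Address_Set' for the '_ip4' set of the security group's port group.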
