When ACL is applied to a subnet, the action allow-related affects the other actions，such as drop

BigCousin-z commented 3 months ago

configure as： ovn-nbctl acl-list subnet 1：to-lport 2000 (ip4.src == 100.100.200.0/24) drop 2：to-lport 2000 (ip4.src == 1.2.3.4/24) allow-related

The network from ping 100.100.100.2 to 100.100.200.2 is connected

when I modify the configure ，as： ovn-nbctl acl-list subnet 1：to-lport 2000 (ip4.src == 100.100.200.0/24) drop The network from ping 100.100.100.2 to 100.100.200.2 is not work

Will allow related-affect the correctness of other rule actions?

ovn trace ： ls_out_acl (northd.c:6506): reg0[10] == 1 && (ip4.src == 100.100.200.0/24), priority 3000, uuid 41d5f22e ct_commit { ct_mark.blocked = 1; };

BigCousin-z commented 3 months ago

anyone？

chaudron commented 3 months ago

This is an OVN-related question, you might want to ask the question here; https://github.com/ovn-org/ovn/issues

I'll close it here...

openvswitch / ovs-issues

When ACL is applied to a subnet, the action allow-related affects the other actions，such as drop #325