ovn-org / ovn

Open Virtual Network
Apache License 2.0

allow-related is not working for reply flow #242

Open lynn901 opened 2 months ago

lynn901 commented 2 months ago

ovn v22.12.3, ovs 3.1.5

subnet1: 192.168.1.0/24
vm1: 192.168.1.7
vm2: 192.168.1.9

The subnet ACLs are configured as:

from-lport 1900  (ip4.src == 192.168.1.0/24 && ip4.dst == 192.168.1.0/24)  allow-related
from-lport 1598  (ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp)  drop
to-lport   1597  (ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp)  drop

Pinging vm1 from vm2 returns unreachable.

The ovn-trace output is in the picture below.
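The following is an added model, written for this page and not taken from OVN or from the reporter, of how the three ACLs above are applied to a vm2 -> vm1 echo request: each pipeline stage (the sender's from-lport stage, then the receiver's to-lport stage) picks the highest-priority ACL whose match hits, so the 1900 allow-related wins at from-lport but the only to-lport match is the 1597 drop, and the request never reaches vm1. The packets, the `Acl` class, the function names and the tiny match-expression evaluator are all assumptions of this example; the `conntrack` set is a deliberate simplification of how allow-related lets reply packets through ahead of the ACLs. The ACL strings are the report's own.

```python
"""Model of OVN ACL selection for the three ACLs in the report (example code,
not OVN's implementation). Packets and helper names are constructed here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    direction: str  # "from-lport" (sender's ingress stage) or "to-lport" (receiver's egress stage)
    priority: int   # higher wins within a stage
    match: str      # OVN match expression (subset: ip4.src/ip4.dst == addr|cidr, icmp, &&)
    action: str     # "allow", "allow-related", "drop" or "reject"


# The three ACLs from the report, verbatim. None of them names an inport or outport,
# so every logical port on the switch evaluates all three.
ACLS = [
    Acl("from-lport", 1900, "ip4.src == 192.168.1.0/24 && ip4.dst == 192.168.1.0/24", "allow-related"),
    Acl("from-lport", 1598, "ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp", "drop"),
    Acl("to-lport", 1597, "ip4.src==192.168.1.9 && ip4.dst==192.168.1.7 && icmp", "drop"),
]

# Constructed packets for vm2 (192.168.1.9) and vm1 (192.168.1.7).
ECHO_REQ_VM2_TO_VM1 = {"ip4.src": "192.168.1.9", "ip4.dst": "192.168.1.7", "proto": "icmp"}
ECHO_REQ_VM1_TO_VM2 = {"ip4.src": "192.168.1.7", "ip4.dst": "192.168.1.9", "proto": "icmp"}
ECHO_REPLY_VM2_TO_VM1 = dict(ECHO_REQ_VM2_TO_VM1)  # same 3-tuple as a request from vm2


def _term_matches(term, pkt):
    term = term.strip()
    if term == "icmp":
        return pkt["proto"] == "icmp"
    field, sep, value = term.partition("==")
    field, value = field.strip(), value.strip()
    if not sep or field not in ("ip4.src", "ip4.dst"):
        raise ValueError(f"unsupported match term: {term!r}")
    # A bare address is treated as a /32, a CIDR as the whole prefix.
    return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)


def acl_matches(acl, pkt):
    return all(_term_matches(t, pkt) for t in acl.match.split("&&"))


def winning_acl(acls, direction, pkt):
    """Highest-priority matching ACL in one stage, or None (nothing matched: default allow)."""
    hits = [a for a in acls if a.direction == direction and acl_matches(a, pkt)]
    return max(hits, key=lambda a: a.priority) if hits else None


def trace(acls, pkt, conntrack):
    """Walk a packet through the sender's from-lport stage, then the receiver's to-lport stage.

    Returns a list of (stage, winning priority or None, action). `conntrack` is a set of
    (src, dst, proto) tuples committed by allow-related; a packet whose reversed tuple is in
    it is treated as a reply and allowed in both stages without consulting the ACLs. That is
    a simplification of OVN's allow-related handling, made only to show where it applies.
    """
    key = (pkt["ip4.src"], pkt["ip4.dst"], pkt["proto"])
    if (key[1], key[0], key[2]) in conntrack:
        return [("from-lport", None, "allow (reply)"), ("to-lport", None, "allow (reply)")]
    steps = []
    for stage in ("from-lport", "to-lport"):
        acl = winning_acl(acls, stage, pkt)
        action = acl.action if acl else "allow"
        steps.append((stage, acl.priority if acl else None, action))
        if action in ("drop", "reject"):
            return steps  # dropped here: the receiver never sees it, so no reply is ever sent
    if any(action == "allow-related" for _, _, action in steps):
        conntrack.add(key)
    return steps


def delivered(steps):
    return steps[-1][2] not in ("drop", "reject")


if __name__ == "__main__":
    ct = set()
    for name, pkt in [("vm2 -> vm1 echo request", ECHO_REQ_VM2_TO_VM1),
                      ("vm1 -> vm2 echo request", ECHO_REQ_VM1_TO_VM2),
                      ("vm2 -> vm1 echo reply", ECHO_REPLY_VM2_TO_VM1)]:
        steps = trace(ACLS, pkt, ct)
        print(f"{name}: {steps} -> {'delivered' if delivered(steps) else 'dropped'}")
```

Running it shows the vm2 -> vm1 request winning 1900 allow-related at from-lport and then being dropped by 1597 at to-lport, while a vm1 -> vm2 request is delivered and its reply from vm2 (the same 3-tuple the drop ACLs name) passes as a conntrack reply. The second case is the only place the allow-related action changes the outcome, which is the point the comment below makes.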

neilliu9891 commented 1 month ago

In the description above, when VM2 pings VM1 the packet is allowed by rule 1 but dropped by rule 3 in the inbound direction of VM1. This is because the three rules above do not specify an inport value, so they apply to all VMs in the subnet, which causes the issue described. The scenario in which allow-related takes effect is the handling of reply packets. In the current situation, VM1 should not have received the request packet, so there is no communication. Can you please confirm this?