Initially a ping session was started with a VM from the dhcp namespace.
The relevant OVN acl shows as:
from-lport 1002 (inport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4) allow-related
to-lport 1002 (outport == "da8bd41a-5809-4036-8a12-af6d4140685c" && ip4 && icmp4) allow-related
The problem reproduces as below:
Conntrack on that connection shows:
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
Now the ICMP security group rule is deleted:
[stack@ovncontroller-01 devstack]$ neutron security-group-rule-delete e3a3888b-e0c8-4af9-88a0-17f1c617a4ff
Conntrack still shows the connection and the ping to the VM is still ongoing:
[stack@ovncontroller-01 devstack]$ sudo conntrack -L | grep 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
Now we delete the conntrack state as below:
[stack@ovncontroller-01 devstack]$ sudo conntrack -D -p icmp -s 10.0.0.2 -d 10.0.0.4
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp 1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
conntrack v1.4.2 (conntrack-tools): 2 flow entries have been deleted.
Then the ping to the VM stops.
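As an added audit helper, not part of this bug report, the script below parses conntrack -L output like the listings above and reports, per conntrack zone, the ICMP entries that still target the VM after its ICMP rule was removed, then prints the per-zone conntrack -D commands that would clear them. The sample entries are constructed to match the report; the -w (--zone) option is assumed to be present in the installed conntrack-tools.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `conntrack -L` lines on stdin and
# lists ICMP entries whose original-direction destination is the VM address, so an
# operator can see which conntrack entries keep a ping alive after the OVN ACL is gone.

# Constructed sample shaped like `sudo conntrack -L | grep 10.0.0.4` in the report,
# plus one unrelated TCP entry that the ICMP filter must ignore.
SAMPLE_CT='icmp     1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=3 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.4 type=8 code=0 id=27789 src=10.0.0.4 dst=10.0.0.2 type=0 code=0 id=27789 mark=0 zone=1 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.4 sport=51000 dport=22 src=10.0.0.4 dst=10.0.0.2 sport=22 dport=51000 [ASSURED] mark=0 zone=3 use=1'

# stale_icmp_entries VM_IP   (conntrack -L lines on stdin)
# Prints "zone=<z> src=<orig src> dst=<orig dst> id=<icmp id>" per matching entry.
# Only the first src=/dst=/id= fields (original direction) are used; the reply
# tuple that follows them on the same line is ignored.
stale_icmp_entries() {
  awk -v want="dst=$1" '
    $1 != "icmp" { next }
    {
      src = ""; dst = ""; id = ""; zone = ""
      for (i = 2; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/) src = $i
        if (dst == "" && $i ~ /^dst=/) dst = $i
        if (id == "" && $i ~ /^id=/) id = $i
        if ($i ~ /^zone=/) zone = $i
      }
      if (dst == want) print zone, src, dst, id
    }'
}

# flush_commands VM_IP   (output of stale_icmp_entries on stdin)
# Emits one `conntrack -D` per zone seen; -w limits the delete to that zone, whereas
# the report's plain `conntrack -D -p icmp -s ... -d ...` cleared both zones at once.
# Commands are printed, not executed.
flush_commands() {
  awk -v ip="$1" '{ z = substr($1, 6)
    if (!(z in seen)) { seen[z] = 1; print "sudo conntrack -D -p icmp -d " ip " -w " z } }'
}

# count_stale_icmp VM_IP: number of stale ICMP entries in the sample for VM_IP.
count_stale_icmp() {
  printf '%s\n' "$SAMPLE_CT" | stale_icmp_entries "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CT" | stale_icmp_entries 10.0.0.4
  printf '%s\n' "$SAMPLE_CT" | stale_icmp_entries 10.0.0.4 | flush_commands 10.0.0.4
fi
```

Run it as `sh audit.sh demo` to see the two zone entries and the two delete commands for the sample; feed real `sudo conntrack -L` output to stale_icmp_entries to check a live host.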