allowed address pair does not support ip prefix

Bug #1564414 reported by Na Zhu
This bug affects 1 person
Affects: networking-ovn
Status: Fix Released
Importance: High
Assigned to: Numan Siddique

Bug Description

I find this bug in the latest version.

I configure the allowed address pair with CIDR, the format is "IP/length", but in the southbound db table logical_flow, it saves the "IP", not "IP/length".

steve@ovn:~/devstack$ neutron port-list
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 4dd7156d-4235-40b8-9856-11178812112c | | fa:16:3e:d4:75:c7 | {"subnet_id": "44294991-2762-4dcd-94ff-cc467037dc33", "ip_address": "20.0.0.3"} |
| a06956eb-3b8e-43d7-8ba6-89ba1c528d94 | | fa:16:3e:dc:2a:a6 | {"subnet_id": "44294991-2762-4dcd-94ff-cc467037dc33", "ip_address": "20.0.0.2"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
steve@ovn:~/devstack$
steve@ovn:~/devstack$ neutron port-show 4dd7156d-4235-40b8-9856-11178812112c
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | {"ip_address": "30.0.0.0/24", "mac_address": "fa:16:3e:d4:75:c7"} |
| | {"ip_address": "40.0.0.0/24", "mac_address": "fa:16:3e:d4:75:c7"} |
| binding:host_id | ovn |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2016-03-31T13:08:15 |
| description | |
| device_id | 43788ce0-303a-4bec-9637-bb2d6bb4ad4d |
| device_owner | compute:nova |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "44294991-2762-4dcd-94ff-cc467037dc33", "ip_address": "20.0.0.3"} |
| id | 4dd7156d-4235-40b8-9856-11178812112c |
| mac_address | fa:16:3e:d4:75:c7 |
| name | |
| network_id | 8c0df965-a100-425e-b035-302adeb6c10f |
| port_security_enabled | True |
| qos_policy_id | |
| security_groups | fccb122c-f40e-4946-b4a0-2c5a48fa8708 |
| status | ACTIVE |
| tenant_id | 51d2a360f6e84dcf9b0fa2ebb28fa932 |
| updated_at | 2016-03-31T13:08:21 |
+-----------------------+---------------------------------------------------------------------------------+

In the northbound DB, 30.0.0.0/24 and 40.0.0.0/24 are saved in column 'port_security':
steve@ovn:~/devstack$ sudo ovn-nbctl --db=unix:/usr/local/var/run/openvswitch/nb_db.sock list logical_port
_uuid : 4c498a78-b443-473f-ae1a-da677acce8eb
addresses : ["fa:16:3e:dc:2a:a6 20.0.0.2"]
enabled : true
external_ids : {"neutron:port_name"=""}
name : "a06956eb-3b8e-43d7-8ba6-89ba1c528d94"
options : {}
parent_name : []
port_security : []
tag : []
type : ""
up : true

_uuid : ce1f42fe-5e78-4356-aa79-4fc2dfc33f17
addresses : ["fa:16:3e:d4:75:c7 20.0.0.3"]
enabled : true
external_ids : {"neutron:port_name"=""}
name : "4dd7156d-4235-40b8-9856-11178812112c"
options : {}
parent_name : []
port_security : ["fa:16:3e:d4:75:c7 20.0.0.3 30.0.0.0/24 40.0.0.0/24"]
tag : []
type : ""
up : true

But in southbound db, the logical flow for the allowed address pair is:
_uuid : 16e6ee6d-36d4-41ed-9784-064f6e0e5542
actions : "next;"
external_ids : {stage-name=ls_in_port_sec_ip}
logical_datapath : 0ee09ef5-a12e-4084-965b-a81eec65d085
match : "inport == \"4dd7156d-4235-40b8-9856-11178812112c\" && eth.src == fa:16:3e:d4:75:c7 && ip4.src == {0.0.0.0, 20.0.0.3, 30.0.0.0, 40.0.0.0}"
pipeline : ingress
priority : 90
table_id : 1

The mask length disappears.
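
A consistency check for the mismatch reported above, as an added example that is not part of the original report or of networking-ovn: it compares the prefixes in the northbound port_security column with the ip4.src set of the southbound logical flow and shows which source addresses the flow would admit. The function names are hypothetical, and it assumes IPv4-only entries in the formats shown in the report.

```python
import ipaddress
import re

# Values copied from the report above.
NB_PORT_SECURITY = "fa:16:3e:d4:75:c7 20.0.0.3 30.0.0.0/24 40.0.0.0/24"
SB_MATCH = ('inport == "4dd7156d-4235-40b8-9856-11178812112c" && '
            'eth.src == fa:16:3e:d4:75:c7 && '
            'ip4.src == {0.0.0.0, 20.0.0.3, 30.0.0.0, 40.0.0.0}')


def nb_networks(port_security):
    """Parse one port_security entry ("MAC IP[/len] ...") into IPv4 networks."""
    _mac, *addrs = port_security.split()
    return [ipaddress.ip_network(a, strict=False) for a in addrs]


def sb_networks(match):
    """Extract the ip4.src set of a logical flow match as IPv4 networks."""
    m = re.search(r"ip4\.src == \{([^}]*)\}", match)
    if not m:
        return []
    # A bare address becomes a /32; "a.b.c.d/len" keeps its prefix length.
    return [ipaddress.ip_network(a.strip(), strict=False)
            for a in m.group(1).split(",")]


def lost_prefixes(port_security, match):
    """Return the NB prefixes that no entry of the SB match fully covers."""
    allowed = sb_networks(match)
    return [str(net) for net in nb_networks(port_security)
            if not any(net.subnet_of(a) for a in allowed)]


def source_allowed(ip, match):
    """Would the flow's ip4.src set admit this source address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in sb_networks(match))


if __name__ == "__main__":
    print("prefixes narrowed in SB:", lost_prefixes(NB_PORT_SECURITY, SB_MATCH))
    for ip in ("20.0.0.3", "30.0.0.0", "30.0.0.5"):
        print(ip, "admitted:", source_allowed(ip, SB_MATCH))
```

With the flow from the report, both /24 pairs are reported as narrowed: only the network addresses 30.0.0.0 and 40.0.0.0 themselves pass the port security stage, so the failure is over-restrictive rather than permissive.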

Tags: ovn-upstream
Changed in networking-ovn:
assignee: nobody → Numan Siddique (numansiddique)
Na Zhu (nazhu)
Changed in networking-ovn:
status: New → Confirmed
Changed in networking-ovn:
status: Confirmed → In Progress
Han Zhou (zhouhan) wrote :

To my understanding, this needs to be fixed in OVN itself.

Changed in networking-ovn:
importance: Undecided → Critical
Russell Bryant (russellb) wrote :

Changed from "Critical" to "High" because I think this only affects you when you try to use allowed-address-pairs this way. "Critical" should be for bugs that break networking-ovn for everyone.

tags: added: ovn-upstream
Changed in networking-ovn:
importance: Critical → High
Numan Siddique (numansiddique) wrote :
Numan Siddique (numansiddique) wrote :

That's right. Just submitted the patch :)

Numan Siddique (numansiddique) wrote :

The patch is merged now.

Changed in networking-ovn:
status: In Progress → Fix Committed
Changed in networking-ovn:
status: Fix Committed → Fix Released