enable_router_port_acl usage

[TVKain]

The commit 48397c0 added the enable_router_port_acl option for lsp which has a dgw port peer.

My goal is to set up a stateful Firewall for N-S traffic

I set up a simple topology to test it out
PUBLIC---S1-(S1-R1)-------------(R1-S1)-R1 -------- S2 ---- VM1

R1: dgw port 26.7.2.18, SNAT
S1: localnet -> VLAN 1000, 26.7.2.0/24
S2: localnet -> VLAN 3001, 192.168.31.0/24,
VM1: internal 192.168.31.200, floating 26.7.2.81
PUBLIC: 26.7.2.201

The behaviors that I want are

1. VM1 is able to initiate ICMP echo to PUBLIC and receive the reply
2. PUBLIC attemps to initiate ICMP echo to VM1 Floating IP will be blocked

ovn-nbctl pg-add pg_dgw
ovn-nbctl pg-set-ports pg_dgw S1-R1
ovn-nbctl acl-add pg_dgw to-lport 1002 "outport == @pg_dgw && ip4" allow-related
ovn-nbctl acl-add pg_dgw from-lport 1001 "inport == @pg_dgw && ip4" drop
ovn-nbctl lsp-set-options S1-R1 router-port=R1-S1 enable_router_port_acl=true

Actual result:
VM1 was able to initiate IMCP echo to PUBLIC, but the return traffic didn't pass through

[shylou]

@TVKain Patch [1] causes the ovn-controller to assign a CT zone ID to the localnet LSP but not to the dgw LSP. As a result, reply packets from the external network use the localnet’s CT zone for lookup, fail to match ACL rules, and are discarded.

@dceara @putnopvut I modified the code to assign a CT zone ID to the dgw LSP on this chassis, resolving the issue. Any suggestions?

[1]5ae7d2c

[shylou]

@TVKain hi，I would greatly appreciate it if you could test the attached patch [1] to validate its functionality. Please let me know if you encounter any issues or have feedback.

Thank you for your time and assistance

[1]shylou@f174b5a

[dontmesswithnets]

@shylou Greetings! A little bit question: the option enable_router_port_acl works only on distributed router's ports, but not on l3gateway router's ports, doesn't it? I ask because looking for the way to configure stateful firewall on l3gateway routers..

[TVKain]

The enable_router_port_acl option only applies to LSPs that have a DGW port peer. With it enabled, you can configure a stateful firewall, but it only affects North-South traffic—this is especially useful in Baremetal VLAN setups where N-S traffic passes through the network node. You can test the patch here: shylou@f174b5a

For East-West traffic, it’s not possible to apply this, since the router is distributed with OVN and the traffic does not traverse a central node where ACLs could be enforced.