Fast Datapath Product: FDP-578

enable_router_port_acl="true" does not unDNAT packets


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • ovn24.03
    • 13

      Given an OVN-Kubernetes setup with dual ovn_cluster_routers connected by a Geneve tunnel, where `enable_router_port_acl` is enabled to manage traffic through a load balancer on ovn-worker2,

      When a client sends a TCP SYN packet to the service, which is DNAT'ed correctly to the server and the server sends a SYN-ACK in response,

      Then, the system must properly unDNAT the server's response.

    • sst_network_fastdatapath
    • ssg_networking
    • FDP 24.E, FDP 24.F, FDP 24.G, FDP 24.H
    • Important

      In an OVNK setup, where packets are destined to a nodeport service (IP of node acting as LB IP) over Geneve, I enabled enable_router_port_acl to ensure packets that come out of ovn_cluster_router would hit the load balancer on the switch. This works, but the reply packet is not unDNAT'ed. The topology is like this:

       

      client —> ovn-worker --> ovn_cluster_router (worker1) ------>transit switch (geneve) ----> ovn_cluster_router (worker2) --->ovn-worker2 switch—>ovn-k8s-mp0 ---> ovn-worker2 switch—> server

      Note that ovn_cluster_router on worker1 sends to mp0 on ovn-worker2 as the next hop, so the packet is hairpinned there by the host.

      In this case the ovn-worker2 switch has an LB for its IP 172.18.0.3:31515:

      796efda7-0bd9-450c-b1e8-bf2afc4428f4    Service_default/    tcp        169.254.169.3:31515    10.244.1.5:80
                                                                  tcp        172.18.0.3:31515       10.244.1.5:80
       

      The packet gets DNAT'ed correctly, but the reply from the server is not unDNAT'ed (trace from the SYN packet arriving at worker-2):

       

      01:54:07.163657 genev_sys_6081 P   ifindex 6 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 55431, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.0.4.33486 > 172.18.0.3.31515: Flags [S], cksum 0xb73b (incorrect -> 0xaff7), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
      01:54:07.163845 ovn-k8s-mp0 In  ifindex 4 0a:58:0a:f4:01:01 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 55431, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.0.4.33486 > 10.244.1.5.80: Flags [S], cksum 0xcadf (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
      01:54:07.163858 ovn-k8s-mp0 Out ifindex 4 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 61, id 55431, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.2.33486 > 10.244.1.5.80: Flags [S], cksum 0xc9e1 (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
      01:54:07.163867 1bc9fe829e576f6 Out ifindex 9 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 61, id 55431, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.2.33486 > 10.244.1.5.80: Flags [S], cksum 0xc9e1 (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
      01:54:07.163887 1bc9fe829e576f6 P   ifindex 9 0a:58:0a:f4:01:05 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.5.80 > 10.244.1.2.33486: Flags [S.], cksum 0x181d (incorrect -> 0x5435), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
      01:54:07.163892 ovn-k8s-mp0 In  ifindex 4 0a:58:0a:f4:01:05 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.5.80 > 10.244.1.2.33486: Flags [S.], cksum 0x181d (incorrect -> 0x5435), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
      01:54:07.163895 ovn-k8s-mp0 Out ifindex 4 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], cksum 0x171f (incorrect -> 0x5533), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
      01:54:07.163900 genev_sys_6081 Out ifindex 6 0a:58:64:58:00:04 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60)
          10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], cksum 0x171f (incorrect -> 0x5533), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0 
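      An added example for this report, not OVN or ovn-kubernetes code: a small checker that reads a `tcpdump -i any` capture like the one above and reports whether the load balancer's reply left the node with the VIP restored as its source, or still carrying the backend pod address (the missing unDNAT). The names LoadBalancer, parse_trace, reply_undnated and find_missing_undnat are assumptions for illustration; REPORT_TRACE is an abbreviated copy of the capture above (trailing fields trimmed) and EXPECTED_TRACE is constructed to show what a correctly unDNAT'ed SYN-ACK would look like.

```python
"""Check a `tcpdump -i any` trace for load-balancer replies that leave the node
without being un-DNAT'ed back to the VIP (the failure this report describes).

Added example for this report; not OVN or ovn-kubernetes code. LoadBalancer,
parse_trace, reply_undnated and find_missing_undnat are assumed names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Header line of each packet: "<ts> <iface> <P|In|Out> ifindex ..."
IFACE_RE = re.compile(r"^\S+ (?P<iface>\S+)\s+(?P<dir>P|In|Out)\s+ifindex")
# Flow line that follows it: "<src>.<sport> > <dst>.<dport>: Flags [..]"
FLOW_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass
class Packet:
    iface: str
    direction: str  # "P" (promiscuous), "In" or "Out", as tcpdump prints it
    src: Endpoint
    dst: Endpoint
    flags: str


@dataclass
class LoadBalancer:
    vip: Endpoint      # what the client sends to
    backend: Endpoint  # what DNAT rewrites the destination to


def parse_trace(text: str) -> List[Packet]:
    """Pair each tcpdump header line with the flow line printed after it."""
    pkts: List[Packet] = []
    header = None
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            header = (m.group("iface"), m.group("dir"))
            continue
        f = FLOW_RE.search(line)
        if f and header:
            pkts.append(Packet(header[0], header[1],
                               (f.group("src"), int(f.group("sport"))),
                               (f.group("dst"), int(f.group("dport"))),
                               f.group("flags")))
            header = None
    return pkts


def reply_undnated(pkts: List[Packet], lb: LoadBalancer) -> Optional[bool]:
    """True if the reply to the first VIP-bound packet left on the interface it
    arrived on with the VIP as source; False if it left still carrying the
    backend address (the bug); None if no reply to that client was seen."""
    entry = next((p for p in pkts if p.dst == lb.vip and p.direction != "Out"), None)
    if entry is None:
        return None
    for p in pkts:
        if p.direction == "Out" and p.iface == entry.iface and p.dst == entry.src:
            if p.src == lb.vip:
                return True
            if p.src == lb.backend:
                return False
    return None


def find_missing_undnat(pkts: List[Packet], lbs: List[LoadBalancer]) -> List[LoadBalancer]:
    """All load balancers whose replies escaped this trace without un-DNAT."""
    return [lb for lb in lbs if reply_undnated(pkts, lb) is False]


# Abbreviated copy of the capture in the report: SYN in from the tunnel,
# SYN out via mp0 after DNAT, SYN-ACK back from the pod, SYN-ACK out to the tunnel.
REPORT_TRACE = """\
01:54:07.163657 genev_sys_6081 P   ifindex 6 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80:
    10.244.0.4.33486 > 172.18.0.3.31515: Flags [S], seq 2744169424, length 0
01:54:07.163858 ovn-k8s-mp0 Out ifindex 4 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80:
    10.244.1.2.33486 > 10.244.1.5.80: Flags [S], seq 2744169424, length 0
01:54:07.163887 1bc9fe829e576f6 P   ifindex 9 0a:58:0a:f4:01:05 ethertype IPv4 (0x0800), length 80:
    10.244.1.5.80 > 10.244.1.2.33486: Flags [S.], seq 618888846, ack 2744169425, length 0
01:54:07.163900 genev_sys_6081 Out ifindex 6 0a:58:64:58:00:04 ethertype IPv4 (0x0800), length 80:
    10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], seq 618888846, ack 2744169425, length 0
"""

# Constructed: the same exchange with the reply's source rewritten back to the VIP.
EXPECTED_TRACE = REPORT_TRACE.replace(
    "10.244.1.5.80 > 10.244.0.4.33486", "172.18.0.3.31515 > 10.244.0.4.33486")

NODEPORT_LB = LoadBalancer(vip=("172.18.0.3", 31515), backend=("10.244.1.5", 80))

if __name__ == "__main__":
    for name, trace in (("report", REPORT_TRACE), ("expected", EXPECTED_TRACE)):
        print(name, "reply un-DNAT'ed:", reply_undnated(parse_trace(trace), NODEPORT_LB))
```

      The check keys on the interface the VIP-bound packet arrived on and the client's own address/port, so it is indifferent to the intermediate hairpin through ovn-k8s-mp0 and the host SNAT to 10.244.1.2; only the packet that finally leaves toward the client decides the verdict.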

            People: Mark Michelson (mmichelson), Tim Rozet (trozet@redhat.com), Jianlin Shi