- Bug
- Resolution: Unresolved
- Critical
- None
- 13
- False
- False
- rhel-sst-network-fastdatapath
- ssg_networking
- FDP 24.E, FDP 24.F, FDP 24.G, FDP 24.H, FDP 25.A
- Important
In an OVNK setup, where packets are destined to a nodeport service (IP of node acting as LB IP) over geneve, I enabled enable_router_port_acl to ensure packets that come out of ovn_cluster_router would hit the load balancer on the switch. This works, but the reply packet is not unDNAT'ed. The topology is like this:
client --> ovn-worker --> ovn_cluster_router (worker1) --> transit switch (geneve) --> ovn_cluster_router (worker2) --> ovn-worker2 switch --> ovn-k8s-mp0 --> ovn-worker2 switch --> server
Note ovn_cluster_router on worker1 sends to mp0 on ovn-worker2 as next hop, so the packet is hairpinned there by the host.
In this case ovn-worker2 switch has a LB for its IP of 172.18.0.3:31515:
796efda7-0bd9-450c-b1e8-bf2afc4428f4 Service_default/ tcp 169.254.169.3:31515 10.244.1.5:80
                                                      tcp 172.18.0.3:31515 10.244.1.5:80
The packet gets DNAT'ed correctly, but the reply from the server is not unDNAT'ed (trace from SYN packet arriving at worker-2):
01:54:07.163657 genev_sys_6081 P ifindex 6 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 55431, offset 0, flags [DF], proto TCP (6), length 60) 10.244.0.4.33486 > 172.18.0.3.31515: Flags [S], cksum 0xb73b (incorrect -> 0xaff7), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
01:54:07.163845 ovn-k8s-mp0 In ifindex 4 0a:58:0a:f4:01:01 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 55431, offset 0, flags [DF], proto TCP (6), length 60) 10.244.0.4.33486 > 10.244.1.5.80: Flags [S], cksum 0xcadf (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
01:54:07.163858 ovn-k8s-mp0 Out ifindex 4 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 61, id 55431, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.2.33486 > 10.244.1.5.80: Flags [S], cksum 0xc9e1 (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
01:54:07.163867 1bc9fe829e576f6 Out ifindex 9 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 61, id 55431, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.2.33486 > 10.244.1.5.80: Flags [S], cksum 0xc9e1 (correct), seq 2744169424, win 32640, options [mss 1360,sackOK,TS val 317061550 ecr 0,nop,wscale 7], length 0
01:54:07.163887 1bc9fe829e576f6 P ifindex 9 0a:58:0a:f4:01:05 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.5.80 > 10.244.1.2.33486: Flags [S.], cksum 0x181d (incorrect -> 0x5435), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
01:54:07.163892 ovn-k8s-mp0 In ifindex 4 0a:58:0a:f4:01:05 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.5.80 > 10.244.1.2.33486: Flags [S.], cksum 0x181d (incorrect -> 0x5435), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
01:54:07.163895 ovn-k8s-mp0 Out ifindex 4 66:49:b8:4b:12:3e ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], cksum 0x171f (incorrect -> 0x5533), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
01:54:07.163900 genev_sys_6081 Out ifindex 6 0a:58:64:58:00:04 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 60) 10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], cksum 0x171f (incorrect -> 0x5533), seq 618888846, ack 2744169425, win 32352, options [mss 1360,sackOK,TS val 1311297891 ecr 317042028,nop,wscale 7], length 0
- blocks
- SDN-4448 Move host traffic for other hosts to use the Geneve tunnel
- In Progress
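The symptom in the capture above can be checked mechanically. The following is an added example, not part of the original report or of OVN: it reads `tcpdump -i any` lines, remembers which VIP each client addressed on the tunnel interface, and reports replies that leave the tunnel with a different source. The function names and the abridged sample lines are assumptions made for the example.

```python
import re

# Abridged from the capture in the report: tunnel-side packets only,
# with the fields the check does not need removed.
CAPTURE = """\
01:54:07.163657 genev_sys_6081 P ifindex 6 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80: 10.244.0.4.33486 > 172.18.0.3.31515: Flags [S], length 0
01:54:07.163900 genev_sys_6081 Out ifindex 6 0a:58:64:58:00:04 ethertype IPv4 (0x0800), length 80: 10.244.1.5.80 > 10.244.0.4.33486: Flags [S.], length 0
"""

# timestamp, interface, direction, then "src.port > dst.port: Flags [..]"
LINE = re.compile(
    r"^\S+ (?P<iface>\S+) (?P<dir>In|Out|P) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+\.\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def parse(capture):
    """Yield one dict per tcpdump line that carries an IPv4 TCP packet."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def unreversed_replies(capture, tunnel="genev_sys_6081"):
    """Return (client, expected_src, seen_src) for every packet sent back to a
    client over the tunnel whose source is not the VIP the client's SYN used."""
    expected = {}   # client ip.port -> VIP ip.port from the client's SYN
    findings = []
    for p in parse(capture):
        if p["iface"] != tunnel:
            continue
        if p["dir"] != "Out" and p["flags"] == "S":
            # SYN arriving from the tunnel: record the address the client used.
            expected[p["src"]] = p["dst"]
        elif p["dir"] == "Out" and p["dst"] in expected:
            # Reply towards a known client: its source must be that same VIP.
            if p["src"] != expected[p["dst"]]:
                findings.append((p["dst"], expected[p["dst"]], p["src"]))
    return findings


if __name__ == "__main__":
    for client, want, seen in unreversed_replies(CAPTURE):
        print(f"reply to {client}: source {seen}, expected {want}")
```

The regular expression also matches the unabridged lines, so the full capture can be passed in unchanged.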