OpenShift Bugs / OCPBUGS-25637

drop-forwarding breaks EgressService


    • Release Note Not Required
    • In Progress

      Commit: https://github.com/ovn-org/ovn-kubernetes/commit/f062cbbf8cff78b890222a769b47b75d9e03b7ed
      Introduced the following rules:

      # iptables-save -c | grep FORW
      [0:0] -A FORWARD -d 169.254.169.1/32 -j ACCEPT
      [0:0] -A FORWARD -s 169.254.169.1/32 -j ACCEPT
      [0:0] -A FORWARD -d 10.96.0.0/16 -j ACCEPT
      [0:0] -A FORWARD -s 10.96.0.0/16 -j ACCEPT
      [0:0] -A FORWARD -i breth0 -j DROP
      [0:0] -A FORWARD -o breth0 -j DROP
      

      But the -o breth0 -j DROP rule breaks Egress Services: for example, these upstream tests fail when the cluster is installed with --disable-forwarding:

      go test -v . --ginkgo.focus="Egress Services Should validate pods' egress is SNATed to the LB's ingress ip without selectors ipv4 pods" --ginkgo.v
      go test -v . --ginkgo.focus="Egress Services Should validate pods' egress is SNATed to the LB's ingress ip with selectors ipv4 pods" --ginkgo.v
      go test -v . --ginkgo.focus="Egress Services Should validate egress service has higher priority than EgressIP when not assigned to the same node ipv4 pods" --ginkgo.v
      go test -v . --ginkgo.focus="Egress Services Should validate a node with a local ep is selected when ETP=Local ipv4 pods" --ginkgo.v
      

      For context, see: https://github.com/ovn-org/ovn-kubernetes/issues/4042

      PR that shows the issue: https://github.com/ovn-org/ovn-kubernetes/pull/4055
      PR with a fix: https://github.com/ovn-org/ovn-kubernetes/pull/4056
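      As an added illustration, not part of this bug report or of ovn-kubernetes, the following Python script parses the FORWARD rules quoted above and evaluates a few constructed flows with netfilter's first-match semantics. It shows why forwarded traffic leaving the node through breth0 is accepted only when it hits one of the four exception rules, and otherwise lands on -o breth0 -j DROP. The pod address 10.244.0.5, the external address 203.0.113.10, the management-port name ovn-k8s-mp0 and the ACCEPT chain policy are assumptions; the script models only -s/-d/-i/-o matches and rejects rules that use any other match rather than misjudging them.

```python
"""Added example: first-match evaluation of the FORWARD rules from OCPBUGS-25637.

Not part of the bug report or of ovn-kubernetes. Models only -s/-d/-i/-o;
rules with other matches raise instead of being silently ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed input: the six FORWARD rules quoted in the report, `iptables-save -c` form.
FORWARD_RULES = """\
[0:0] -A FORWARD -d 169.254.169.1/32 -j ACCEPT
[0:0] -A FORWARD -s 169.254.169.1/32 -j ACCEPT
[0:0] -A FORWARD -d 10.96.0.0/16 -j ACCEPT
[0:0] -A FORWARD -s 10.96.0.0/16 -j ACCEPT
[0:0] -A FORWARD -i breth0 -j DROP
[0:0] -A FORWARD -o breth0 -j DROP
"""


@dataclass
class Rule:
    chain: str
    target: str
    text: str                      # the rule as written, minus the counter prefix
    src: Optional[Network] = None
    dst: Optional[Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `[pkts:bytes] -A CHAIN <matches> -j TARGET` line.

    Returns None for non-append lines (comments, chain headers, COMMIT) and
    raises ValueError for a match this model does not understand.
    """
    tokens = line.split()
    if tokens and tokens[0].startswith("["):   # drop the `-c` packet/byte counter
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    src = dst = in_if = out_if = None
    target = ""
    i = 2
    while i + 1 < len(tokens):
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-s":
            src = ipaddress.ip_network(value, strict=False)
        elif flag == "-d":
            dst = ipaddress.ip_network(value, strict=False)
        elif flag == "-i":
            in_if = value
        elif flag == "-o":
            out_if = value
        elif flag == "-j":
            target = value
        else:
            raise ValueError(f"unsupported match {flag!r} in rule: {line.strip()}")
        i += 2
    if not target:
        raise ValueError(f"rule without -j target: {line.strip()}")
    return Rule(tokens[1], target, " ".join(tokens), src, dst, in_if, out_if)


def parse_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def verdict(rules: List[Rule], src: str, dst: str, in_if: str, out_if: str,
            chain: str = "FORWARD", policy: str = "ACCEPT") -> Tuple[str, str]:
    """Return (target, rule text) of the first rule in `chain` that matches the flow.

    Mirrors netfilter: rules are tried in order, an absent match is a wildcard,
    and the chain policy applies when nothing matches. ACCEPT is assumed for the
    policy here; `iptables -S FORWARD` on the node shows the real one.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.chain != chain:
            continue
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.in_if is not None and r.in_if != in_if:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        return r.target, r.text
    return policy, f"chain policy {policy}"


# Constructed flows (assumed names): 10.244.0.5 is a pod, 203.0.113.10 an external
# host, ovn-k8s-mp0 the node management port through which pod traffic reaches the host.
FLOWS = {
    "pod to external via breth0": ("10.244.0.5", "203.0.113.10", "ovn-k8s-mp0", "breth0"),
    "pod to service CIDR": ("10.244.0.5", "10.96.0.10", "ovn-k8s-mp0", "breth0"),
    "reply from external via breth0": ("203.0.113.10", "10.244.0.5", "breth0", "ovn-k8s-mp0"),
    "pod to pod, not via breth0": ("10.244.0.5", "10.244.1.7", "ovn-k8s-mp0", "ovn-k8s-mp0"),
}


def dropped_flows(rules: List[Rule]) -> List[str]:
    """Names of the constructed flows that this rule set drops."""
    return [name for name, flow in FLOWS.items() if verdict(rules, *flow)[0] == "DROP"]


if __name__ == "__main__":
    parsed = parse_rules(FORWARD_RULES)
    for name, flow in FLOWS.items():
        target, by = verdict(parsed, *flow)
        print(f"{name:32s} -> {target:6s} ({by})")
```

      Running it prints one line per flow with the rule that decided it; the pod-to-external flow is decided by -o breth0 -j DROP while the service-CIDR flow is accepted by the earlier -d 10.96.0.0/16 exception, which is the ordering the Egress Services tests above depend on. Real node rule sets carry conntrack and other matches, so the parser refuses them deliberately; extend it before pointing it at a live `iptables-save -c` dump.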

            akaris@redhat.com Andreas Karis
            Huiran Wang