OpenShift Bugs: OCPBUGS-57751

Submariner traffic SNAT’d on destination gateway — no subnet exclusion support with OVN-Kubernetes nftables


Description of problem:

Submariner[1] connects two clusters and provides pod and service connectivity between them.

When Submariner traffic enters a cluster running OVN-Kubernetes, it is SNATed at ovn-k8s-mp0, and since OVN-Kubernetes moved to nftables there is no way to override this behaviour. Earlier, with iptables, we avoided this SNAT with a higher-priority rule in the POSTROUTING chain. With nftables, even if we add a higher-priority rule, all the rules at the hook are still evaluated before a final decision is taken, so there is no way to skip the SNAT.

If OVN-Kubernetes could expose a generic mark value that Submariner could tag the traffic with to avoid the SNAT, it would help us solve the issue.

[1] https://submariner.io/

Why is this needed?

Submariner wants to preserve the source IP when traffic reaches the destination pod, as some use cases rely on the source IP.
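As an added illustration (not taken from this bug report or from the OVN-Kubernetes or Submariner projects), the nftables ruleset below shows why an earlier-priority chain cannot skip the SNAT and what a mark-based exclusion of the kind requested above would look like. The table names, the remote-cluster source range 10.0.0.0/8 and the mark value 0x1234 are placeholders.

```nft
# Illustrative ruleset only. Table names, the remote-cluster source range
# 10.0.0.0/8 and the mark value 0x1234 are placeholders, not the real
# OVN-Kubernetes or Submariner rules.

# 1. The SNAT that hides the original source: a nat-type chain that
#    masquerades everything leaving through ovn-k8s-mp0.
table ip ovnk_placeholder {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ovn-k8s-mp0" counter masquerade
    }
}

# 2. The iptables-era workaround ported as-is does NOT work: this chain runs
#    first (lower priority number), but 'accept' only ends this chain. The
#    kernel keeps walking the other nat chains at the postrouting hook until
#    one of them sets up a NAT binding, so the masquerade above still applies.
#    'nft list ruleset' shows both counters incrementing for the same flow.
table ip submariner_placeholder {
    chain postrouting {
        type nat hook postrouting priority srcnat - 10; policy accept;
        ip saddr 10.0.0.0/8 oifname "ovn-k8s-mp0" counter accept
    }
}

# 3. The shape of the requested change: the SNAT owner honours an agreed
#    packet mark in its own rule, and the peer sets that mark earlier in the
#    path (prerouting, filter type). The mark must be present on the first
#    packet of each flow, because that is the only packet a nat chain sees.
table ip ovnk_placeholder_with_mark {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ovn-k8s-mp0" meta mark != 0x1234 counter masquerade
    }
}
table ip submariner_placeholder_mark {
    chain mark_remote {
        type filter hook prerouting priority mangle; policy accept;
        ip saddr 10.0.0.0/8 counter meta mark set 0x1234
    }
}
```

Sections 1 and 2 reproduce the problem and section 3 is the alternative; load one or the other with `nft -f`, not both, and compare the counters on the masquerade rules to see which packets were translated.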

OVN-Kubernetes upstream PR:

https://github.com/ovn-kubernetes/ovn-kubernetes/pull/5113

OpenShift ovn-kubernetes PRs:

4.20: https://github.com/openshift/ovn-kubernetes/pull/2627

4.19: https://github.com/openshift/ovn-kubernetes/pull/2642

People: Yossi Boaron (yboaron), Prachi Yadav