
If a lsp has a host snat rule, then dnat_and_snat can not be accessed. #257

Open
danieldin95 opened this issue Aug 15, 2024 · 1 comment

Comments

@danieldin95 (Contributor)

In our environment, we are using OVN for the OpenStack network. I created a load_balancer on a logical router (named share_router) to forward the ssh port to an lsp (also known as vm1).

()[root@ovn-tool-0 /]# ovn-nbctl create load_balancer vips:"172.16.10.111\:22"="192.168.33.217:22" protocol=tcp
2957dcc1-8d81-4e75-a8b7-c0a25127043a
()[root@ovn-tool-0 /]#
()[root@ovn-tool-0 /]# ovn-nbctl lr-lb-add 34ce470e-72e2-4346-be35-55eab94e2beb 2957dcc1-8d81-4e75-a8b7-c0a25127043a

And vm1 already has a dnat_and_snat rule bound to a floating IP. As you can see, the ssh port can be accessed via 172.16.10.111 (the load_balancer VIP) and via 172.16.10.122 (the dnat_and_snat external IP).
But when I add a host (/32) snat rule using another external address for this vm1 (just a test), the ssh port cannot be accessed via 172.16.10.122 anymore, and I see the reply packets leaving with source address 172.16.10.133.

()[root@ovn-tool-0 /]# ovn-nbctl lr-nat-list 34ce470e-72e2-4346-be35-55eab94e2beb
TYPE                     EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat            172.16.10.122                       192.168.33.217
snat                     172.16.10.28                        0.0.0.0/0
snat                     172.16.10.28                        192.168.33.0/24
snat                     172.16.10.133                      192.168.33.217/32
()[root@ovn-tool-0 /]#

I don't know why, or did I misunderstand? And when I look at the logical flows on the logical_router, some things seem to be wrong.

  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 172.16.10.122 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38")), action=(next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38")), action=(ip4.src=172.16.10.122; next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217/32 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38") && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.10.133);)

So if my understanding is right, the dnat_and_snat rule should not be affected by the host snat rule, or does dnat_and_snat have higher priority than a host snat?

@danieldin95 danieldin95 changed the title If a lsp has a host snat rule by loadbalancer, then dnat_and_snat can not be accessed. If a lsp has a host snat rule, then dnat_and_snat can not be accessed. Aug 15, 2024
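As an added sanity check (not code from the issue or from the OVN project): the script below parses the `ovn-nbctl lr-nat-list` table quoted above and flags any dnat_and_snat whose logical IP is also covered by a host (/32) snat with a different external address, which is exactly the combination the reporter ended up with. It assumes the column layout shown in the post (blank EXTERNAL_PORT / EXTERNAL_MAC / LOGICAL_PORT columns are tolerated by picking the first token after EXTERNAL_IP that parses as an address or prefix); the sample table is constructed from the post's output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the lr-nat-list table quoted in the issue,
# not live output from any router.
SAMPLE_NAT_LIST = """\
TYPE                     EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat            172.16.10.122                       192.168.33.217
snat                     172.16.10.28                        0.0.0.0/0
snat                     172.16.10.28                        192.168.33.0/24
snat                     172.16.10.133                      192.168.33.217/32
"""


@dataclass
class NatRule:
    nat_type: str       # "snat", "dnat" or "dnat_and_snat"
    external_ip: str
    logical_ip: object  # ipaddress.IPv4Network / IPv6Network; bare addresses become /32 or /128


def parse_nat_list(text: str) -> List[NatRule]:
    """Parse the whitespace-separated lr-nat-list table.

    EXTERNAL_PORT, EXTERNAL_MAC and LOGICAL_PORT are frequently blank, so the
    columns cannot be indexed positionally. LOGICAL_IP is taken as the first
    token after EXTERNAL_IP that parses as an address or prefix; a bare port
    number such as "22" does not parse and is skipped.
    """
    rules: List[NatRule] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "TYPE":
            continue  # header or blank line
        logical = None
        for tok in parts[2:]:
            try:
                logical = ipaddress.ip_network(tok, strict=False)
                break
            except ValueError:
                continue
        if logical is None:
            continue  # malformed row; nothing we can reason about
        rules.append(NatRule(parts[0], parts[1], logical))
    return rules


def shadowing_host_snats(rules: List[NatRule]) -> List[Tuple[str, str, str]]:
    """Return (dnat_and_snat external IP, logical IP, host snat external IP)
    for every dnat_and_snat whose logical address is also matched by a host
    (/32 or /128) snat rule that translates to a *different* external IP.

    Broader snat prefixes (e.g. 192.168.33.0/24 or 0.0.0.0/0) covering the
    same address are normal and are not reported; only the equally specific
    host rule competes with the dnat_and_snat for the same source address.
    """
    findings = []
    for fip in rules:
        if fip.nat_type != "dnat_and_snat":
            continue
        addr = fip.logical_ip.network_address
        for s in rules:
            if s.nat_type != "snat" or addr not in s.logical_ip:
                continue
            is_host_rule = s.logical_ip.prefixlen == s.logical_ip.max_prefixlen
            if is_host_rule and s.external_ip != fip.external_ip:
                findings.append((fip.external_ip, str(addr), s.external_ip))
    return findings


def report(text: str) -> List[str]:
    """Human-readable lines, one per finding, for use from a shell wrapper."""
    return [
        f"dnat_and_snat {ext} -> {logical} is shadowed by host snat to {snat_ext}"
        for ext, logical, snat_ext in shadowing_host_snats(parse_nat_list(text))
    ]


if __name__ == "__main__":
    # Run against the constructed sample; pipe real `ovn-nbctl lr-nat-list`
    # output through sys.stdin to check a live router instead.
    for line in report(SAMPLE_NAT_LIST) or ["no shadowing host snat rules found"]:
        print(line)
```

Dropping the 192.168.33.217/32 snat row (or giving it the same external IP as the dnat_and_snat) makes the check return nothing, which matches the reporter's observation that the floating IP worked until that host rule was added.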
@almusil (Contributor)

almusil commented Aug 28, 2024

Hi,
which version of OVN is this? If this is 24.03 or later, you might be hitting issues that https://patchwork.ozlabs.org/project/ovn/patch/20240827085252.458355-1-amusil@redhat.com/ is trying to fix. If you have the option, would you mind trying this commit to see if it helps?
