I've encountered the issue that SNAT on OVN logical_router in userspace works for ICMP but not TCP or UDP. I am seeing this behavior on version 2.10.1 as well as on top of the git tree.
I try to access the internet (216.58.215.110) from a container (10.0.0.2). On the external-router I have SNAT configured. On the external server I see that the container address is translated for the ICMP request, but not for TCP.

container:/# ping 216.58.215.110
PING 216.58.215.110 (216.58.215.110) 56(84) bytes of data.
64 bytes from 216.58.215.110: icmp_seq=1 ttl=53 time=140 ms
^C
--- 216.58.215.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 140.663/140.663/140.663/0.000 ms
container:/# curl 216.58.215.110
^C

---

external-server:~# tcpdump -i vlan111 host 216.58.215.110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan111, link-type EN10MB (Ethernet), capture size 262144 bytes
07:53:22.393289 IP 10.250.111.40 > waw02s17-in-f14.1e100.net: ICMP echo request, id 218, seq 1, length 64
07:53:22.533574 IP waw02s17-in-f14.1e100.net > 10.250.111.40: ICMP echo reply, id 218, seq 1, length 64
07:53:24.830595 IP 10.0.0.2.58050 > waw02s17-in-f14.1e100.net.http: Flags [S], seq 219699121, win 29200, options [mss 1460,sackOK,TS val 2742820693 ecr 0,nop,wscale 7], length 0

In the bridge flows I see that NAT should be performed, since the flow packet count is increasing.

ovs-appctl bridge/dump-flows br-int
...
table_id=41, duration=5135s, n_packets=28, n_bytes=2408, priority=9,ip,metadata=0x1,nw_src=10.0.0.0/8,actions=ct(commit,table=42,zone=NXM_NX_REG12[0..15],nat(src=10.250.111.40))

ovn-trace also confirms that it should be working.
I have the following scheme:

OVS: trunked bonded port --- netdev bridge (br-ext) --- patch --- netdev bridge (br-int)
OVN: container --- logical_switch (internal-switch) --- logical_router (internal-router) --- logical_switch (interconnect) --- logical_router (external-router) --- logical_switch (external-switch with localnet port to br-ext)

OVN configuration:

switch d0f22f65-214f-422e-a5ba-68b7ef66581b (interconnect)
    port interconnect_to_internal-router
        type: router
        addresses: ["00:00:00:73:a8:30 100.64.1.2/24"]
        router-port: internal-router_to_interconnect
    port interconnect_to_external-router
        type: router
        addresses: ["00:00:00:da:6b:85 100.64.1.1/24"]
        router-port: external-router_to_interconnect
switch bcdc365a-7c2c-4c32-9a51-8107864e879a (internal-switch)
    port internal-switch_to_internal-router
        type: router
        addresses: ["00:00:00:6b:83:b1 10.0.3.253/22"]
        router-port: internal-router_to_internal-switch
    port default_aaa_eth0
        addresses: ["0a:00:00:00:00:03 10.0.0.2"]
switch 3feba85f-4c6f-4550-9435-7f27837c1fd8 (external-switch)
    port vlan111-mgmt
        addresses: ["a2:dc:3c:76:8f:27"]
    port vlan111
        type: localnet
        tag: 111
        addresses: ["unknown"]
    port external-switch_to_external-router
        type: router
        addresses: ["00:00:00:61:f0:c0 10.250.111.40/24"]
        router-port: external-router_to_external-switch
router f97f9421-c727-488d-8575-bfaf7a7bde6b (vlan111-80973513-f2fe-48cb-904a-b205fb0bcc6f)
    port external-router_to_interconnect
        mac: "00:00:00:da:6b:85"
        networks: ["100.64.1.1/24"]
    port external-router_to_external-switch
        mac: "00:00:00:61:f0:c0"
        networks: ["10.250.111.40/24"]
    nat 486f81b0-491f-4c90-9ddd-04ea27e70ac5
        external ip: "10.250.111.40"
        logical ip: "10.0.0.0/8"
        type: "snat"
router 5ca8fc47-1860-43c9-a0ee-a285fd877db5 (overlay-vlan111-80973513-f2fe-48cb-904a-b205fb0bcc6f)
    port internal-router_to_interconnect
        mac: "00:00:00:73:a8:30"
        networks: ["100.64.1.2/24"]
    port internal-router_to_internal-switch
        mac: "00:00:00:6b:83:b1"
        networks: ["10.0.3.253/22"]

OVS configuration:

    Bridge br-int
        Port patch-br-int-br-ext
            Interface patch-br-int-br-ext
                type: patch
                options: {peer=patch-br-ext-br-int}
        Port "patch-br-int-to-vlan111 "
            Interface "patch-br-int-to-vlan111 "
                type: patch
                options: {peer="patch-vlan111-to-br-int"}
        Port "vlan111-mgmt"
            Interface "vlan111-mgmt"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port "veth51a477d8"
            Interface "veth51a477d8"
    Bridge br-ext
        Port "patch-vlan111-to-br-int"
            Interface "patch-vlan111-to-br-int"
                type: patch
                options: {peer="patch-br-int-to-vlan111 "}
        Port "bond0"
            trunks: [111]
            Interface "enp4s0f0"
                type: dpdk
                options: {dpdk-devargs="0000:04:00.0"}
            Interface "enp4s0f1"
                type: dpdk
                options: {dpdk-devargs="0000:04:00.1"}
        Port patch-br-ext-br-int
            Interface patch-br-ext-br-int
                type: patch
                options: {peer=patch-br-int-br-ext}
        Port br-ext
            Interface br-ext
                type: internal
    ovs_version: "2.11.90"

What else should I try? Have I missed anything?

Thanks in advance

--
Best regards,
Rostyslav Fridman

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
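The post compares the ICMP and TCP lines of the external-side capture by eye. The following is an added Python example (not code from the post or from the OVN/OVS projects) that does the same comparison mechanically: it parses tcpdump lines of the shape shown above and reports, per protocol, how many packets leaving the logical network carried the SNAT external address versus the untranslated logical source. The logical network 10.0.0.0/8 and external IP 10.250.111.40 are taken from the post's nat entry; the function names and the embedded sample capture (the three packet lines reproduced from the post) are this example's own.

```python
import ipaddress
import re

# Sample input: the three tcpdump packet lines reproduced from the post above,
# embedded here so the example runs offline.
SAMPLE_CAPTURE = """\
07:53:22.393289 IP 10.250.111.40 > waw02s17-in-f14.1e100.net: ICMP echo request, id 218, seq 1, length 64
07:53:22.533574 IP waw02s17-in-f14.1e100.net > 10.250.111.40: ICMP echo reply, id 218, seq 1, length 64
07:53:24.830595 IP 10.0.0.2.58050 > waw02s17-in-f14.1e100.net.http: Flags [S], seq 219699121, win 29200, options [mss 1460,sackOK,TS val 2742820693 ecr 0,nop,wscale 7], length 0
"""

# Default (non -v) tcpdump line shape: "<time> IP <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def _proto(rest):
    """Classify the transport protocol from the text after the colon."""
    if rest.startswith("ICMP"):
        return "ICMP"
    if rest.startswith("Flags ["):
        return "TCP"
    if rest.startswith("UDP"):
        return "UDP"
    return "OTHER"  # decoded application payloads (DNS etc.) land here


def _host(endpoint, proto):
    """Strip the trailing .port or .service that tcpdump appends to non-ICMP endpoints."""
    if proto != "ICMP":
        return endpoint.rsplit(".", 1)[0]
    return endpoint


def _as_ip(host):
    """Return an ip_address for numeric hosts, None for names tcpdump resolved."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def parse_capture(text):
    """Turn tcpdump output into (proto, src, dst) tuples, skipping banner lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        proto = _proto(rest)
        packets.append((proto, _host(src, proto), _host(dst, proto)))
    return packets


def audit_snat(text, logical_net, external_ip):
    """Per protocol, count outbound packets that carry the SNAT address vs. a logical source.

    Outbound means: the source is inside logical_net (or already equals external_ip) and the
    destination is outside it; names that did not parse as addresses count as external.
    An untranslated source means the ct(nat(src=...)) action did not take effect for it.
    """
    net = ipaddress.ip_network(logical_net)
    ext = ipaddress.ip_address(external_ip)
    report = {}
    for proto, src, dst in parse_capture(text):
        src_ip = _as_ip(src)
        if src_ip is None or (src_ip not in net and src_ip != ext):
            continue  # not originated from the logical side, e.g. the echo reply
        dst_ip = _as_ip(dst)
        if dst_ip is not None and dst_ip in net:
            continue  # east-west traffic, not subject to this SNAT rule
        bucket = report.setdefault(proto, {"translated": 0, "untranslated": 0})
        bucket["translated" if src_ip == ext else "untranslated"] += 1
    return report


def untranslated_sources(text, logical_net, external_ip):
    """List (proto, source) pairs that escaped without the SNAT address, deduplicated and sorted."""
    net = ipaddress.ip_network(logical_net)
    ext = ipaddress.ip_address(external_ip)
    found = set()
    for proto, src, dst in parse_capture(text):
        src_ip = _as_ip(src)
        dst_ip = _as_ip(dst)
        if src_ip is None or src_ip not in net or src_ip == ext:
            continue
        if dst_ip is not None and dst_ip in net:
            continue
        found.add((proto, str(src_ip)))
    return sorted(found)


if __name__ == "__main__":
    print(audit_snat(SAMPLE_CAPTURE, "10.0.0.0/8", "10.250.111.40"))
    print(untranslated_sources(SAMPLE_CAPTURE, "10.0.0.0/8", "10.250.111.40"))
```

Run against the capture from the post it reports ICMP as translated and TCP as untranslated, which is the asymmetry the post describes; feeding it a longer capture from the external side gives the same verdict for every protocol at once rather than for the few lines one happens to read.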