On 3/5/24 15:56, Numan Siddique wrote:
> On Mon, Feb 26, 2024 at 7:59 AM Dumitru Ceara <[email protected]> wrote:
>>
>> Otherwise, in case there's also a SNAT rule that uses the VIP as
>> external IP, we break sessions initiated from behind the VIP.
>>
>> This partially reverts 832893bdbb42 ("ovn-northd: Skip unsnat flows for
>> load balancer vips in router ingress pipeline"). That's OK because
>> commit 384a7c6237da ("northd: Refactor Logical Flows for routers with
>> DNAT/Load Balancers") addressed the original issue in a better way:
>>
>> In the reply direction, the order of traversal of the tables
>> "lr_in_defrag", "lr_in_unsnat" and "lr_in_dnat" adds incorrect
>> datapath flows that check ct_state in the wrong conntrack zone.
>> This is illustrated below where reply traffic enters the physical host
>> port (6) and traverses DNAT zone (14), SNAT zone (default), back to the
>> DNAT zone and then on to Logical Switch Port zone (22). The third
>> flow is incorrectly checking the state from the SNAT zone instead
>> of the DNAT zone.
>>
>> We also add a system test to ensure traffic initiated from behind a VIP
>> + SNAT is not broken.
>>
>> Another nice side effect is that the northd I-P is slightly simplified
>> because we don't need to track NAT external IPs anymore.
>>
>> Fixes: 832893bdbb42 ("ovn-northd: Skip unsnat flows for load balancer vips
>> in router ingress pipeline")
>> Reported-at: https://issues.redhat.com/browse/FDP-291
>> Signed-off-by: Dumitru Ceara <[email protected]>
>
>
> Thanks for the fix. It also simplified the lr-nat-stateful code.
>
> Acked-by: Numan Siddique <[email protected]>
>
Thanks, Numan! Applied to main and backported to all branches down to 22.03.

Regards,
Dumitru
