Bug 1998592
| Summary: | LB `skip_snat="true"` is not correctly applied for portless LBs with protocol specified | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Mark Gray <mark.d.gray> |
| Component: | OVN | Assignee: | OVN Team <ovnteam> |
| Status: | NEW --- | QA Contact: | Jianlin Shi <jishi> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | | |
| Version: | FDP 20.G | CC: | ctrautma, i.maximets, jiji, mmichels |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Whoever will work on this should consider a possible 2.5 times explosion of the number of logical flows in case protocol matches are blindly added to all load balancer flows: https://mail.openvswitch.org/pipermail/ovs-dev/2021-August/387161.html This will hit the performance of northd and all other OVN components.
Description of problem:

OVN logical flows for load balancers are not correctly differentiated by protocol of load balancer when port is not specified.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:

```
# Create the first logical switch with one port
ovn-nbctl ls-add sw0
ovn-nbctl lsp-add sw0 sw0-port1
ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"

# Create the second logical switch with one port
ovn-nbctl ls-add sw1
ovn-nbctl lsp-add sw1 sw1-port1
ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"

# Create a logical router and attach both logical switches
ovn-nbctl lr-add lr0
ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
ovn-nbctl lsp-add sw0 lrp0-attachment
ovn-nbctl lsp-set-type lrp0-attachment router
ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24
ovn-nbctl lsp-add sw1 lrp1-attachment
ovn-nbctl lsp-set-type lrp1-attachment router
ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1

ovs-vsctl add-port br-int p1 -- \
    set Interface p1 external_ids:iface-id=sw0-port1
ovs-vsctl add-port br-int p2 -- \
    set Interface p2 external_ids:iface-id=sw1-port1

ovn-nbctl set Logical_Router lr0 options:chassis=hv1
ovn-nbctl lb-add lb0 11.0.0.200 192.168.0.2
ovn-nbctl lb-add lb1 11.0.0.200 192.168.0.2
ovn-nbctl set Load_Balancer lb0 protocol=tcp
ovn-nbctl set Load_Balancer lb0 options=skip_snat=true
ovn-nbctl set Load_Balancer lb1 protocol=udp
ovn-nbctl lr-lb-add lr0 lb0
ovn-nbctl lr-lb-add lr0 lb1
```

Actual results:

```
$ ovn-sbctl dump-flows | grep lr_in_dnat
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
```

Expected results:

```
$ ovn-sbctl dump-flows | grep lr_in_dnat
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && tcp && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && udp && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && udp), action=(ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && tcp), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
```

Additional Info:

This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1995326
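
A check for the symptom shown in the actual results, as an added example that is not part of the original report or of OVN: it parses `ovn-sbctl dump-flows` text and reports logical flows that share table, priority and match but carry different actions, so which action applies (here, whether `skip_snat` takes effect) is undefined. The two sample strings are copied from the report's flow listings; the `Datapath:` header pattern is an assumption about the unfiltered dump format.

```python
import re
from collections import defaultdict

# Sample input: the "Actual results" flows from the report above.
ACTUAL = """\
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
"""
# Sample input: the "Expected results" flows, where tcp/udp separate the matches.
EXPECTED = """\
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && tcp && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 11.0.0.200 && udp && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && udp), action=(ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 11.0.0.200 && tcp), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
"""

FLOW_RE = re.compile(
    r"table=(?P<table>\d+)\s*\((?P<stage>\w+)\s*\),\s*priority=(?P<prio>\d+)\s*,\s*"
    r"match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)\s*$"
)
# Assumed header of an unfiltered dump; absent from grep-filtered output.
HEADER_RE = re.compile(r"Datapath:\s*(\S+).*Pipeline:\s*(\w+)")

def ambiguous_flows(dump):
    """Map (datapath, table, stage, priority, match) -> actions, where >1 action exists."""
    seen = defaultdict(set)
    datapath = None  # stays None for filtered output, which merges all datapaths
    for line in dump.splitlines():
        hdr = HEADER_RE.search(line)
        if hdr:
            datapath = hdr.groups()
            continue
        m = FLOW_RE.search(line)
        if not m:
            continue  # blank lines and anything that is not a logical flow
        match = " ".join(m["match"].split())  # normalise column padding
        key = (datapath, int(m["table"]), m["stage"], int(m["prio"]), match)
        seen[key].add(" ".join(m["action"].split()))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for key, actions in ambiguous_flows(ACTUAL).items():
        print(f"table={key[1]} priority={key[3]} match=({key[4]})")
        for a in actions:
            print(f"    action=({a})")
```

On grep-filtered output from a deployment with several routers, feed the full dump instead so that identical flows on different datapaths are not reported as conflicts.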