Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 1998592

Summary: LB `skip_snat="true"` is not correctly applied for portless LBs with protocol specified
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Mark Gray <mark.d.gray>
Component: OVNAssignee: OVN Team <ovnteam>
Status: CLOSED WONTFIX QA Contact: Jianlin Shi <jishi>
Severity: unspecified Docs Contact:
Priority: low    
Version: FDP 20.GCC: ctrautma, i.maximets, jiji, mmichels
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-02-14 21:13:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark Gray 2021-08-27 17:05:18 UTC 
Description of problem:

OVN logical flows for load balancers are not correctly differentiated by protocol of load balancer when port is not specified.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
# Create the first logical switch with one port
ovn-nbctl ls-add sw0
ovn-nbctl lsp-add sw0 sw0-port1
ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"

# Create the second logical switch with one port
ovn-nbctl ls-add sw1
ovn-nbctl lsp-add sw1 sw1-port1
ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"

# Create a logical router and attach both logical switches
ovn-nbctl lr-add lr0
ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
ovn-nbctl lsp-add sw0 lrp0-attachment
ovn-nbctl lsp-set-type lrp0-attachment router
ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24
ovn-nbctl lsp-add sw1 lrp1-attachment
ovn-nbctl lsp-set-type lrp1-attachment router
ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1

ovs-vsctl add-port br-int p1 -- \
    set Interface p1 external_ids:iface-id=sw0-port1
ovs-vsctl add-port br-int p2 -- \
    set Interface p2 external_ids:iface-id=sw1-port1

ovn-nbctl set Logical_Router lr0 options:chassis=hv1
ovn-nbctl lb-add lb0 11.0.0.200 192.168.0.2 
ovn-nbctl lb-add lb1 11.0.0.200 192.168.0.2
ovn-nbctl set Load_Balancer lb0 protocol=tcp
ovn-nbctl set Load_Balancer lb0 options=skip_snat=true
ovn-nbctl set Load_Balancer lb1 protocol=udp
ovn-nbctl lr-lb-add lr0 lb0
ovn-nbctl lr-lb-add lr0 lb1


Actual results:
$ ovn-sbctl dump-flows | grep lr_in_dnat
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.est && ip4 && reg0 == 11.0.0.200 && ct_label.natted == 1), action=(next;)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(ct_lb(backends=192.168.0.2);)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.new && ip4 && reg0 == 11.0.0.200), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
  table=6 (lr_in_dnat         ), priority=0    , match=(1), action=(next;)


Expected results:
$ ovn-sbctl dump-flows | grep lr_in_dnat
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.est && ip4 && reg0 == 11.0.0.200 && tcp && ct_label.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.est && ip4 && reg0 == 11.0.0.200 && udp && ct_label.natted == 1), action=(next;)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.new && ip4 && reg0 == 11.0.0.200 && udp), action=(ct_lb(backends=192.168.0.2);)
  table=6 (lr_in_dnat         ), priority=110  , match=(ct.new && ip4 && reg0 == 11.0.0.200 && tcp), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=192.168.0.2);)
  table=6 (lr_in_dnat         ), priority=0    , match=(1), action=(next;)

Additional Info:

This is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1995326
Comment 1 Ilya Maximets 2021-08-27 18:09:20 UTC 
Whoever will work on this should consider possible 2.5 times explosion
of the number of logical flows in case protocol matches will be blindly
added to all load balancer flows:
  https://mail.openvswitch.org/pipermail/ovs-dev/2021-August/387161.html
This will hit performance of northd and all other OVN components.
Comment 2 OVN Bot 2024-02-14 21:13:25 UTC 
This issue is being closed as an automatic process due to the issue's age. If you wish to re-open this issue, please do so in Jira (https://issues.redhat.com) in the 'FDP' project. Please be sure to set the component to the latest OVN version where this issue is known to occur. If this is a feature request or improvement, please set the component to 'OVN'.