Bug 2094980

Summary: VM is unable to ping itself via stateless DNAT on a gateway router
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Ilya Maximets <i.maximets>
Component: ovn22.06
Assignee: lorenzo bianconi <lorenzo.bianconi>
Status: CLOSED ERRATA
QA Contact: Jianlin Shi <jishi>
Severity: unspecified
Docs Contact:
Priority: medium
Version: FDP 22.E
CC: ctrautma, jiji, lorenzo.bianconi, mmichels
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovn22.06-22.06.0-16.el8fdp
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-08-01 14:15:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ilya Maximets 2022-06-08 18:43:46 UTC
Description of problem:

In the following OVN configuration with a stateless dnat_and_snat
on a logical router for 172.18.2.10:

switch 10795470-d76e-493c-a43e-b9aad2e88aa8 (ls1)
    port vm2
        addresses: ["00:00:00:00:00:06 192.168.100.6"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:00:01"]
        router-port: lr1-ls1
    port vm1
        addresses: ["00:00:00:00:00:05 192.168.100.5"]
switch 04d43b02-f475-4f72-af33-2842e7052494 (ls-pub)
    port ext-router
        addresses: ["00:00:00:00:01:02 172.18.1.2"]
    port ls-pub-lr1
        type: router
        addresses: ["00:00:00:00:01:01"]
        router-port: lr1-ls-pub
router 286d7302-c3dd-4cf5-ac21-da3a817ce6d6 (lr1)
    port lr1-ls-pub
        mac: "00:00:00:00:01:01"
        networks: ["172.18.1.1/24"]
        gateway chassis: [hv1]
    port lr1-ls1
        mac: "00:00:00:00:00:01"
        networks: ["192.168.100.1/24"]
    nat b5bc05d4-b728-460d-9ff3-7073224bea8f
        external ip: "172.18.1.1"
        logical ip: "192.168.100.0/24"
        type: "snat"
    nat c0beb2ed-765e-48d6-94a6-06c56e89f325
        external ip: "172.18.2.10"
        logical ip: "192.168.100.6"
        type: "dnat_and_snat"

If vm2 is trying to ping itself via DNAT ip 172.18.2.10, the
packet is getting dropped at the lr_in_gw_redirect stage.

The setup also includes the following ACLs, but I'm not sure how
important they are:

ovn-nbctl pg-add pg1 vm1 vm2
pg1_uuid=$(fetch_column nb:Port_Group _uuid name=pg1)
ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related
ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && icmp4" allow-related
ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == \$pg1_ip4" allow-related

---

This is a regression caused by the fix for BZ2066990.

The issue can be reproduced with the OVN system testsuite by
applying the following patch:
  https://launchpadlibrarian.net/596069233/test-synthesis.patch

Note that the actual ping will not work without the kernel fix:
  https://patchwork.kernel.org/project/netdevbpf/patch/20220606221140.488984-1-i.maximets@ovn.org/
But the packet should not be dropped by the OVN pipeline regardless.
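
As an added example (not part of the bug report or of OVN itself), the following Python audit parses NAT records in the key/value layout that `ovn-nbctl list nat` / `ovn-nbctl find nat` print, and flags stateless dnat_and_snat entries whose logical IP belongs to a VM port on the router's own switch, i.e. the hairpin pattern that hits this drop on builds before ovn22.06-22.06.0-16. The record text and the port-to-address map are constructed from the configuration above; the UUIDs reuse those shown in the description and the `options` field is assumed to carry `stateless="true"` as set in the verification log.

```python
"""Audit OVN NAT records for the stateless dnat_and_snat hairpin case.

Constructed input: two records in the ``ovn-nbctl list nat`` key/value
layout, modelled on the nat entries in the bug description (only the
fields this check needs are included; the options map is assumed).
"""
import re

NAT_LIST = """\
_uuid               : b5bc05d4-b728-460d-9ff3-7073224bea8f
external_ip         : "172.18.1.1"
logical_ip          : "192.168.100.0/24"
options             : {}
type                : snat

_uuid               : c0beb2ed-765e-48d6-94a6-06c56e89f325
external_ip         : "172.18.2.10"
logical_ip          : "192.168.100.6"
options             : {stateless="true"}
type                : dnat_and_snat
"""

# Logical switch ports on ls1 (behind lr1) and their IPv4 addresses, from the report.
VM_ADDRESSES = {"vm1": "192.168.100.5", "vm2": "192.168.100.6"}


def parse_nat_records(text):
    """Split blank-line separated ``ovn-nbctl list`` output into dicts; strip quotes."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def is_stateless(rec):
    """The stateless flag lives in the options map as stateless="true"."""
    return re.search(r'stateless="?true"?', rec.get("options", "")) is not None


def hairpin_candidates(text, vm_addresses):
    """Return (port, nat_uuid, external_ip) for each stateless dnat_and_snat whose
    logical_ip is a directly attached VM: that VM pinging external_ip is the case
    dropped at lr_in_gw_redirect before the fix, so it needs the fixed build."""
    by_ip = {ip: port for port, ip in vm_addresses.items()}
    hits = []
    for rec in parse_nat_records(text):
        if rec.get("type") == "dnat_and_snat" and is_stateless(rec):
            port = by_ip.get(rec.get("logical_ip"))
            if port:
                hits.append((port, rec["_uuid"], rec["external_ip"]))
    return hits
```

Feed it the live `ovn-nbctl list nat` output and the port addresses from `ovn-nbctl show` to list which VMs would be affected on an unpatched gateway chassis.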

Comment 2 OVN Bot 2022-06-30 04:09:06 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102479

Comment 3 OVN Bot 2022-06-30 04:09:14 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102480

Comment 4 OVN Bot 2022-06-30 04:09:24 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102481

Comment 5 OVN Bot 2022-06-30 04:09:32 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102482

Comment 6 OVN Bot 2022-06-30 04:09:36 UTC
This issue is fixed in ovn22.06-22.06.0-15.el8fdp

Comment 7 OVN Bot 2022-06-30 04:09:43 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102483

Comment 8 OVN Bot 2022-07-02 04:05:14 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103305

Comment 9 OVN Bot 2022-07-02 04:05:20 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103306

Comment 10 OVN Bot 2022-07-02 04:05:42 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103308

Comment 11 OVN Bot 2022-07-02 04:05:50 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103309

Comment 12 OVN Bot 2022-07-02 04:06:13 UTC
This issue is fixed in ovn22.06-22.06.0-16.el8fdp

Comment 13 OVN Bot 2022-07-02 04:06:21 UTC
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103312

Comment 16 Jianlin Shi 2022-07-08 00:51:54 UTC
Verified on ovn22.06-22.06.0-16.el8:

+ ovn-nbctl --wait=hv sync
+ ip netns exec vm1 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 192.168.100.6: icmp_seq=1 ttl=64 time=0.916 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.916/0.916/0.916/0.000 ms
+ ip netns exec vm2 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 172.18.2.10: icmp_seq=1 ttl=62 time=1.01 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.012/1.012/1.012/0.000 ms
++ ovn-nbctl find nat external_ip=172.18.2.10
++ awk '/_uuid/{print $3}'
+ nat_uuid=1e4c4d78-eda5-4c14-add3-a7c26f8ca76b
+ ovn-nbctl set nat 1e4c4d78-eda5-4c14-add3-a7c26f8ca76b options:stateless=true
+ ip netns exec vm1 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 192.168.100.6: icmp_seq=1 ttl=64 time=0.044 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.044/0.044/0.044/0.000 ms
+ ip netns exec vm2 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 172.18.2.10: icmp_seq=1 ttl=62 time=0.036 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
[root@dell-per730-20 bz2102480]# rpm -qa | grep -E "openvswitch2.15|ovn22.06"
python3-openvswitch2.15-2.15.0-109.el8fdp.x86_64
ovn22.06-central-22.06.0-16.el8fdp.x86_64
ovn22.06-host-22.06.0-16.el8fdp.x86_64
openvswitch2.15-2.15.0-109.el8fdp.x86_64
ovn22.06-22.06.0-16.el8fdp.x86_64

Comment 18 errata-xmlrpc 2022-08-01 14:15:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn22.06 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5789