Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2128618

Summary: [RFE] Add a flag to signal if hairpinning was applied
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Nadia Pinaeva <npinaeva>
Component: ovn22.12
Assignee: OVN Team <ovnteam>
Status: CLOSED NOTABUG
QA Contact: Jianlin Shi <jishi>
Severity: medium
Docs Contact:
Priority: unspecified
Version: FDP 22.L
CC: ctrautma, dceara, jiji
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-22 16:01:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nadia Pinaeva 2022-09-21 09:23:53 UTC
Description of problem:
ACLs applied on the egress pipeline (direction=to-lport) that match on the source ip don't work for hairpinned traffic, because hairpinning SNATs the source to the service ip.
If we know that hairpinning was applied, we know that ip.src == ip.dst, and can use the following expression to include hairpinned traffic:
ip.src == ip || pkt.hairpinned && ip.dst == ip

To do so, we need a new flag pkt.hairpinned (this name is not a requirement, but just a placeholder) that will signal if hairpinning happened on ingress pipeline.

This will be used for network policy implementation in ovn-k to make sure hairpinned traffic is affected by network policy rules.

Comment 1 Nadia Pinaeva 2022-09-22 16:01:28 UTC
We decided to use hairpin_snat_ip for that purpose, which is a bit more complicated, but doesn't require any new ovn features.
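The following is an added example, not code from the bug report or from OVN. It is a small Python model of the three situations discussed above: the to-lport ACL that matches only on ip.src (which misses hairpinned traffic because the source has been SNATed to the service ip), the proposed pkt.hairpinned flag from the description, and the hairpin_snat_ip option chosen in comment 1. The model assumes that OVN uses the VIP as the hairpin source unless options:hairpin_snat_ip is set, in which case that address is used; the match `ip.src == ip || (ip.src == hairpin_snat_ip && ip.dst == ip)` is my reading of how the constant SNAT address can stand in for the flag, not a statement of what ovn-k actually installs. All addresses are constructed.

```python
"""Toy model of OVN hairpin SNAT and to-lport ACL matching (added example).

It does not talk to OVN; it only replays the packet header rewrites that the
bug report describes so the three ACL variants can be compared on the same
packets.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # Stands in for the proposed pkt.hairpinned flag (placeholder name from
    # the report); set by the modelled load-balancer stage below.
    hairpinned: bool = False


def apply_lb(pkt: Packet, vip: str, backend: str,
             hairpin_snat_ip: Optional[str] = None) -> Packet:
    """Model the ingress load-balancer stage.

    Traffic to the VIP is DNATed to the selected backend. When that backend
    is the sender itself the flow is hairpinned and the source is SNATed,
    to the VIP by default or to hairpin_snat_ip when configured (assumed
    OVN behaviour for options:hairpin_snat_ip).
    """
    if pkt.dst != vip:
        return pkt  # not load-balanced; headers untouched
    hairpinned = backend == pkt.src
    new_src = (hairpin_snat_ip or vip) if hairpinned else pkt.src
    return Packet(src=new_src, dst=backend, hairpinned=hairpinned)


# --- the three to-lport ACL match variants ---------------------------------

def acl_src_only(pkt: Packet, pod_ip: str) -> bool:
    """ip.src == ip  (the match that misses hairpinned traffic)."""
    return pkt.src == pod_ip


def acl_with_flag(pkt: Packet, pod_ip: str) -> bool:
    """ip.src == ip || pkt.hairpinned && ip.dst == ip  (proposed in the report)."""
    return pkt.src == pod_ip or (pkt.hairpinned and pkt.dst == pod_ip)


def acl_with_snat_ip(pkt: Packet, pod_ip: str, snat_ip: str) -> bool:
    """ip.src == ip || (ip.src == hairpin_snat_ip && ip.dst == ip).

    Assumption: the constant hairpin_snat_ip plays the role of the flag, and
    ip.dst == ip ties the hairpinned packet back to the originating pod.
    """
    return pkt.src == pod_ip or (pkt.src == snat_ip and pkt.dst == pod_ip)


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """Return (src_only, with_flag, with_snat_ip) results per scenario."""
    pod = "10.244.0.5"          # constructed pod address
    other = "10.244.0.7"        # constructed second backend
    vip = "10.96.0.10"          # constructed service VIP
    snat = "169.254.169.5"      # constructed hairpin_snat_ip value

    # Pod talks to another pod directly: no load balancing involved.
    direct = apply_lb(Packet(pod, other), vip, backend=other)
    # Pod talks to the service VIP and is selected as its own backend,
    # default hairpin SNAT to the VIP.
    hairpin_vip = apply_lb(Packet(pod, vip), vip, backend=pod)
    # Same hairpin, but the load balancer has hairpin_snat_ip configured.
    hairpin_snat = apply_lb(Packet(pod, vip), vip, backend=pod,
                            hairpin_snat_ip=snat)

    results = {}
    for name, pkt in (("direct", direct), ("hairpin_vip", hairpin_vip),
                      ("hairpin_snat_ip", hairpin_snat)):
        results[name] = (acl_src_only(pkt, pod),
                         acl_with_flag(pkt, pod),
                         acl_with_snat_ip(pkt, pod, snat))
    return results


if __name__ == "__main__":
    for scenario, (src_only, flag, snat_ip) in evaluate().items():
        print(f"{scenario:16s} src_only={src_only!s:5s} "
              f"flag={flag!s:5s} hairpin_snat_ip={snat_ip!s:5s}")
```

Running it shows the gap the report is about: the src-only ACL matches the direct flow but neither hairpinned flow, so a network policy written that way silently does not cover a pod reaching itself through a service. The flag variant matches all three, and the hairpin_snat_ip variant matches once the load balancer is configured with the constant SNAT address, which is why it can replace the new feature at the cost of an extra disjunct in every ACL.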