+++ This bug was initially created as a clone of Bug #1943637 +++

Description of problem:
Observed that when a cluster was upgraded from OCP 4.5.16 to 4.6.17, there appear to be SNAT rules that are not getting removed/cleaned. Output below is from an OCP 4.5.16 cluster upgraded to OCP 4.6.17.

Version-Release number of selected component (if applicable):
OCP 4.6.17

How reproducible:
upgrade from 4.5.16

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

oc rsh -n openshift-ovn-kubernetes ovnkube-master-x2tnl
sh-4.4# ovn-nbctl lr-nat-list GR_master-0
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_master-1
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_master-2
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_worker-13
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

sh-4.4# ovn-nbctl lr-nat-list GR_worker-14
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             169.254.33.2                        172.10.0.0/16

--- Additional comment from Tim Rozet on 2021-03-29 16:21:56 UTC ---

These snat rules are leftover from the "old local gateway" mode when transitioning to the new. The old local gateway mode used the br-local bridge with a 169.254.x.x address, with ovn-k8s-gw0 as the GR. In the new local gw mode (same topology as shared) the GR connects to the shared gw bridge. During this upgrade from 4.5 (old mode) -> 4.6 (new mode) it looks like we are not removing the old snat entry. In 4.6 we deploy new local gateway mode with disable-snat-multiple-gws, which means there should be no subnet-wide snat on the GR. The multiple gateways will not be snat'ed, so they should not have any SNAT entries.
The only thing that may have a SNAT entry is egress IP.
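A check for the leftover entry described above, added here as an example and not part of the report or of ovn-kubernetes: it parses `ovn-nbctl lr-nat-list` output and flags any snat whose LOGICAL_IP is a whole subnet, which with disable-snat-multiple-gws should not exist on a gateway router, while an egress IP SNAT (a single pod address) passes. The sample output, its column widths, the 192.0.2.10 egress-IP row and the `check_router` helper are constructed assumptions.

```python
import ipaddress
import re
import subprocess

def _row(*cells):
    # Constructed sample line in ovn-nbctl's space-aligned layout; widths are assumed.
    widths = (17, 19, 17, 22, 21)
    return "".join(f"{c:<{w}}" for c, w in zip(cells, widths)) + cells[5]
SAMPLE_NAT_LIST = "\n".join([
    _row("TYPE", "EXTERNAL_IP", "EXTERNAL_PORT", "LOGICAL_IP", "EXTERNAL_MAC", "LOGICAL_PORT"),
    _row("snat", "169.254.33.2", "", "172.10.0.0/16", "", ""),  # leftover subnet-wide SNAT
    _row("snat", "192.0.2.10", "", "172.10.4.17", "", ""),      # single pod IP, egress-IP style
])

def parse_nat_list(text):
    """Parse `ovn-nbctl lr-nat-list` output into one dict per row, keyed by header name.
    Cells are sliced at the header's column offsets so empty cells (EXTERNAL_PORT) do not shift."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows = []
    for ln in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = ln[start:end].strip()
        rows.append(row)
    return rows

def subnet_wide_snats(rows):
    """Return snat rows whose LOGICAL_IP is a whole subnet rather than one host.
    With disable-snat-multiple-gws a GR should carry none; an egress IP SNAT is a /32."""
    stale = []
    for row in rows:
        if row.get("TYPE") != "snat":
            continue
        try:
            net = ipaddress.ip_network(row["LOGICAL_IP"], strict=False)
        except ValueError:
            continue  # empty or malformed cell: nothing to judge
        if net.prefixlen < net.max_prefixlen:
            stale.append(row)
    return stale

def check_router(router):
    """Hypothetical helper: run inside the ovnkube-master pod for one GR_<node> router."""
    out = subprocess.run(["ovn-nbctl", "lr-nat-list", router],
                         check=True, capture_output=True, text=True).stdout
    return subnet_wide_snats(parse_nat_list(out))
```

Run `check_router("GR_master-0")` and the other GR_<node> routers after the upgrade; any returned row is a subnet-wide SNAT that the new local gateway mode should have removed.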
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.12 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1561