Created attachment 1864011 [details]
ovn-trace when source-based route is created with the SNATed src ip

Description of problem:
In an OCP cluster, create a source-based route at the cluster router using the gateway router's IP as the source IP. The packets get SNATed by the LB at the gateway router. When the packets reach the cluster router, they cannot be matched by the source-based route. However, if the route is changed to the original source IP before SNAT, they can be matched.

Version-Release number of selected component (if applicable):
OVN: ovn21.12-21.12.0-24.el8fdp.x86_64
OCP: 4.10.0-0.nightly-2022-02-09-054720

Expected behavior:
One LR can match the source IP after packets get SNATed by the previous LR.
Adding the ovn_cluster_router routes for reference:

$ ovn-nbctl lr-route-list ovn_cluster_router
IPv4 Routes
Route Table <main>:
               100.64.0.5                100.64.0.5 dst-ip
            192.168.111.1                10.131.0.3 src-ip    <<< the reporter expected this route to be hit
            10.131.0.0/23                100.64.0.5 src-ip

However, this expectation is not correct. Based on the OVN configuration in the NB, what happens is:

1. DNAT to 10.129.2.59:8080 for the LB, on GR_worker-0.
2. SNAT to 100.64.0.5 because GR_worker-0 is configured with options:lb_force_snat_ip=router_ip, on GR_worker-0.
3. Then the src-ip route "192.168.111.1 via 10.131.0.3 src-ip" will not be hit because the src IP changed; it's now 100.64.0.5.

Closing as "not a bug". Thanks!
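The three-step explanation above, modelled as a small packet-pipeline simulation. This is an added example, not code from the bug report or from OVN itself: it replays a load-balanced packet through a model of GR_worker-0 (LB DNAT to 10.129.2.59:8080, then SNAT to the router IP 100.64.0.5 when lb_force_snat_ip is set) and then runs the cluster router's static route table from the lr-route-list output against the result. The LB VIP (192.168.111.10:80) is a constructed value; the route-selection model (longest prefix wins, dst-ip beats src-ip at equal length, src-ip routes are matched against the packet source) is an assumption of this model, not a statement about northd internals.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Route:
    prefix: str    # ip_prefix column of the static route
    nexthop: str   # nexthop column
    policy: str    # "dst-ip" or "src-ip"

# Static routes of ovn_cluster_router, copied from the lr-route-list output in the comment above.
CLUSTER_ROUTER_ROUTES: List[Route] = [
    Route("100.64.0.5", "100.64.0.5", "dst-ip"),
    Route("192.168.111.1", "10.131.0.3", "src-ip"),
    Route("10.131.0.0/23", "100.64.0.5", "src-ip"),
]

# Constructed LB VIP (assumption); the backend is the one named in the comment.
LB_VIP: Tuple[str, int] = ("192.168.111.10", 80)
LB_BACKEND: Tuple[str, int] = ("10.129.2.59", 8080)
GR_ROUTER_IP = "100.64.0.5"          # GR_worker-0 IP toward the cluster router


def gateway_router(pkt: Packet, lb_vip: Tuple[str, int], lb_backend: Tuple[str, int],
                   router_ip: str, lb_force_snat_ip: bool) -> Packet:
    """Model of GR_worker-0: step 1 is the LB DNAT, step 2 the forced SNAT."""
    if (pkt.dst, pkt.dport) == lb_vip:
        # Step 1: DNAT the VIP to the chosen backend.
        pkt = replace(pkt, dst=lb_backend[0], dport=lb_backend[1])
        # Step 2: options:lb_force_snat_ip=router_ip rewrites the source to the router IP.
        if lb_force_snat_ip:
            pkt = replace(pkt, src=router_ip)
    return pkt


def lookup_static_route(routes: List[Route], pkt: Packet) -> Optional[Route]:
    """Pick the matching static route. src-ip routes compare against the packet source,
    dst-ip routes against the destination; longest prefix wins, dst-ip breaks ties
    (tie-break rule is an assumption of this model)."""
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        addr = ipaddress.ip_address(pkt.src if r.policy == "src-ip" else pkt.dst)
        if addr not in net:
            continue
        key = (net.prefixlen, 1 if r.policy == "dst-ip" else 0)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def trace(force_snat: bool) -> Tuple[Packet, Optional[Route]]:
    """Client 192.168.111.1 -> VIP, through GR_worker-0, then routed at ovn_cluster_router."""
    client_pkt = Packet(src="192.168.111.1", dst=LB_VIP[0], dport=LB_VIP[1])
    after_gr = gateway_router(client_pkt, LB_VIP, LB_BACKEND, GR_ROUTER_IP, force_snat)
    return after_gr, lookup_static_route(CLUSTER_ROUTER_ROUTES, after_gr)


if __name__ == "__main__":
    for force_snat in (True, False):
        pkt, route = trace(force_snat)
        print(f"lb_force_snat_ip={force_snat}: at cluster router src={pkt.src} dst={pkt.dst}:{pkt.dport}"
              f" -> static route: {route}")
```

With the forced SNAT in place the packet arrives at the cluster router with src 100.64.0.5, so none of the three static routes match (the 192.168.111.1 src-ip route is keyed on the pre-SNAT source); without the SNAT the same packet hits "192.168.111.1 via 10.131.0.3 src-ip". When writing src-ip policies behind a gateway router, match on the source address the packet carries after every NAT stage it passes through.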