Bug 2066990
| Summary: | allowed_ext_ips for dnat_and_snat doesn't work when used with stateless | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Jianlin Shi <jishi> |
| Component: | ovn-2021 | Assignee: | lorenzo bianconi <lorenzo.bianconi> |
| Status: | CLOSED ERRATA | QA Contact: | Jianlin Shi <jishi> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | FDP 22.B | CC: | ctrautma, jiji, lorenzo.bianconi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-06-30 17:59:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
upstream patch: https://patchwork.ozlabs.org/project/ovn/patch/a4a2f1b8107c0e3a4fee7eb691d6e89e7b94baef.1648561123.git.lorenzo.bianconi@redhat.com/

Verified on ovn-2021-21.12.0-73:
+ nat_uuid=8cd2ff80-cfc5-4744-b39a-ab7846cf06d0
+ ovn-nbctl set nat 8cd2ff80-cfc5-4744-b39a-ab7846cf06d0 allowed_ext_ips=fe5e71d0-4a21-48b8-b9b6-894baee47948
+ ip netns exec server tcpdump -i server -w server.pcap
+ sleep 1
+ ip netns exec sw01 tcpdump -i sw01 -w sw01.pcap
dropped privs to tcpdump
tcpdump: listening on server, link-type EN10MB (Ethernet), capture size 262144 bytes
dropped privs to tcpdump
tcpdump: listening on sw01, link-type EN10MB (Ethernet), capture size 262144 bytes
+ ip netns exec server ping 1000::12 -c 1
PING 1000::12(1000::12) 56 data bytes
--- 1000::12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
<==== FAILED
+ sleep 1
+ pkill tcpdump
3 packets captured1 packet captured
3 packets received by filter1 packet received by filter
0 packets dropped by kernel0 packets dropped by kernel
+ sleep 1
+ tcpdump -r server.pcap -nnle -v
reading from file server.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
04:44:24.034168 a2:93:9c:88:b8:44 > 00:00:02:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xd555a, hlim 64, next-header ICMPv6 (58) payload length: 64) 1000::50 > 1000::12: [icmp6 sum ok] ICMP6, echo request, seq 1
04:44:24.672306 a2:93:9c:88:b8:44 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::a093:9cff:fe88:b844 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): a2:93:9c:88:b8:44
04:44:26.033365 00:00:02:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.1.1 tell 172.16.1.1, length 28
+ tcpdump -r sw01.pcap -nnle -v
reading from file sw01.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
04:44:25.184291 f0:00:00:01:02:03 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::f200:ff:fe01:203 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): f0:00:00:01:02:03
[root@dell-per740-12 bz2066990]# rpm -qa | grep -E "openvswitch2.15|ovn-2021"
ovn-2021-host-21.12.0-73.el8fdp.x86_64
ovn-2021-central-21.12.0-73.el8fdp.x86_64
openvswitch2.15-2.15.0-104.el8fdp.x86_64
ovn-2021-21.12.0-73.el8fdp.x86_64
also Verified on ovn22.03-22.03.0-52:
[root@dell-per740-12 bz2066990]# rpm -qa | grep -E "openvswitch2.15|ovn22.03"
ovn22.03-22.03.0-52.el8fdp.x86_64
ovn22.03-host-22.03.0-52.el8fdp.x86_64
openvswitch2.15-2.15.0-104.el8fdp.x86_64
ovn22.03-central-22.03.0-52.el8fdp.x86_64
+ nat_uuid=6c8699bb-5ef3-4051-954c-88220e3329e3
+ ovn-nbctl set nat 6c8699bb-5ef3-4051-954c-88220e3329e3 allowed_ext_ips=28d594cf-528a-4b3a-9e19-9601c7f29d95
+ ip netns exec server tcpdump -i server -w server.pcap
+ sleep 1
+ ip netns exec sw01 tcpdump -i sw01 -w sw01.pcap
dropped privs to tcpdump
tcpdump: listening on server, link-type EN10MB (Ethernet), capture size 262144 bytes
dropped privs to tcpdump
tcpdump: listening on sw01, link-type EN10MB (Ethernet), capture size 262144 bytes
+ ip netns exec server ping 1000::12 -c 1
PING 1000::12(1000::12) 56 data bytes
--- 1000::12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
<=== FAILED
+ sleep 1
+ pkill tcpdump
3 packets captured1 packet captured
3 packets received by filter1 packet received by filter
0 packets dropped by kernel0 packets dropped by kernel
+ sleep 1
+ tcpdump -r server.pcap -nnle -v
reading from file server.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
04:47:33.600301 46:04:f2:f0:19:7a > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::4404:f2ff:fef0:197a > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): 46:04:f2:f0:19:7a
04:47:34.365151 46:04:f2:f0:19:7a > 00:00:02:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xd555a, hlim 64, next-header ICMPv6 (58) payload length: 64) 1000::50 > 1000::12: [icmp6 sum ok] ICMP6, echo request, seq 1
04:47:36.412580 00:00:02:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.1.1 tell 172.16.1.1, length 28
+ tcpdump -r sw01.pcap -nnle -v
reading from file sw01.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
04:47:35.136291 f0:00:00:01:02:03 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::f200:ff:fe01:203 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): f0:00:00:01:02:03

Verified on ovn22.03-22.03.0-52.el9:
+ ovn-nbctl set nat 7966bc78-f348-41ed-9d14-cb80fd96a1a8 allowed_ext_ips=a38d0aeb-c2bd-4755-9246-73fe7c96ad26
+ ip netns exec server tcpdump -i server -w server.pcap
+ sleep 1
+ ip netns exec sw01 tcpdump -i sw01 -w sw01.pcap
dropped privs to tcpdump
tcpdump: listening on server, link-type EN10MB (Ethernet), snapshot length 262144 bytes
dropped privs to tcpdump
tcpdump: listening on sw01, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+ ip netns exec server ping 1000::12 -c 1
PING 1000::12(1000::12) 56 data bytes
--- 1000::12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
+ sleep 1
+ pkill tcpdump
3 packets captured1 packet captured
3 packets received by filter1 packet received by filter
0 packets dropped by kernel
0 packets dropped by kernel
+ sleep 1
+ tcpdump -r server.pcap -nnle -v
reading from file server.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
03:25:33.279150 22:8a:7f:9c:5d:28 > 00:00:02:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0x704a1, hlim 64, next-header ICMPv6 (58) payload length: 64) 1000::50 > 1000::12: [icmp6 sum ok] ICMP6, echo request, id 4735, seq 1
03:25:35.726638 00:00:02:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.1.1 tell 172.16.1.1, length 28
03:25:35.794636 22:8a:7f:9c:5d:28 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::208a:7fff:fe9c:5d28 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): 22:8a:7f:9c:5d:28
+ tcpdump -r sw01.pcap -nnle -v
reading from file sw01.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
03:25:33.234657 f0:00:00:01:02:03 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::f200:ff:fe01:203 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): f0:00:00:01:02:03
[root@wsfd-advnetlab18 bz2066990]# rpm -qa | grep -E "openvswitch|ovn"
ovn22.03-22.03.0-52.el9fdp.x86_64
openvswitch-selinux-extra-policy-1.0-31.el9fdp.noarch
openvswitch2.17-2.17.0-21.el9fdp.x86_64
ovn22.03-central-22.03.0-52.el9fdp.x86_64
ovn22.03-host-22.03.0-52.el9fdp.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5446
Description of problem:
allowed_ext_ips for dnat_and_snat doesn't work when used with stateless

Version-Release number of selected component (if applicable):
ovn-2021-21.12.0-32.el8

How reproducible:
Always

Steps to Reproduce:
systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:1.1.178.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=1.1.178.25
systemctl restart ovn-controller
ovn-nbctl lr-add R1
ovn-nbctl ls-add sw0
ovn-nbctl ls-add sw1
ovn-nbctl ls-add public
ovn-nbctl lrp-add R1 rp-sw0 00:00:01:01:02:03 192.168.1.1/24 2000::a/64
ovn-nbctl lrp-add R1 rp-sw1 00:00:03:01:02:03 192.168.2.1/24
ovn-nbctl lrp-add R1 rp-public 00:00:02:01:02:03 172.16.1.1/24 1000::a/64
ovn-nbctl set logical_router R1 options:chassis=hv1
ovs-vsctl add-br br-ext
ovn-nbctl lsp-add sw0 sw0-rp -- set Logical_Switch_Port sw0-rp \
    type=router options:router-port=rp-sw0 \
    -- lsp-set-addresses sw0-rp router
ovn-nbctl lsp-add sw1 sw1-rp -- set Logical_Switch_Port sw1-rp \
    type=router options:router-port=rp-sw1 \
    -- lsp-set-addresses sw1-rp router
ovn-nbctl lsp-add public public-rp -- set Logical_Switch_Port public-rp \
    type=router options:router-port=rp-public \
    -- lsp-set-addresses public-rp router
ovs-vsctl add-port br-int sw01 -- set interface sw01 type=internal external_ids:iface-id=sw01
ip netns add sw01
ip link set sw01 netns sw01
ip netns exec sw01 ip link set sw01 address f0:00:00:01:02:03
ip netns exec sw01 ip link set sw01 up
ip netns exec sw01 ip addr add 192.168.1.2/24 dev sw01
ip netns exec sw01 ip route add default via 192.168.1.1 dev sw01
ip netns exec sw01 ip addr add 2000::2/64 dev sw01
ip netns exec sw01 ip -6 route add default via 2000::a
ovn-nbctl lsp-add sw0 sw01 \
    -- lsp-set-addresses sw01 "f0:00:00:01:02:03 192.168.1.2 2000::2"
ovs-vsctl add-port br-int sw11 -- set interface sw11 type=internal external_ids:iface-id=sw11
ip netns add sw11
ip link set sw11 netns sw11
ip netns exec sw11 ip link set sw11 address f0:00:00:02:02:03
ip netns exec sw11 ip link set sw11 up
ip netns exec sw11 ip addr add 192.168.2.2/24 dev sw11
ip netns exec sw11 ip route add default via 192.168.2.1 dev sw11
ovn-nbctl lsp-add sw1 sw11 \
    -- lsp-set-addresses sw11 "f0:00:00:02:02:03 192.168.2.2"
ovs-vsctl add-port br-ext server -- set interface server type=internal
ip netns add server
ip netns exec server ip link set lo up
ip link set server netns server
ip netns exec server ip link set server up
ip netns exec server ip addr add 172.16.1.50/24 dev server
ip netns exec server ip route add default via 172.16.1.1 dev server
ip netns exec server ip addr add 1000::50/64 dev server
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=phynet:br-ext
ovn-nbctl lsp-add public public1 \
    -- lsp-set-addresses public1 unknown \
    -- lsp-set-type public1 localnet \
    -- lsp-set-options public1 network_name=phynet
ovn-nbctl --stateless lr-nat-add R1 dnat_and_snat 1000::12 2000::2
ip netns exec server ping6 1000::12 -c 3
set2_uuid=$(ovn-nbctl create address_set name=set2 addresses='1000\:\:51')
ovn-nbctl list nat
nat_uuid=$(ovn-nbctl list nat | awk '/_uuid/{print $3}')
ovn-nbctl set nat $nat_uuid allowed_ext_ips=$set2_uuid
ip netns exec server tcpdump -i server -w server.pcap &
ip netns exec sw01 tcpdump -i sw01 -w sw01.pcap &
sleep 1
ip netns exec server ping 1000::12 -c 1
sleep 1
pkill tcpdump
sleep 1
tcpdump -r server.pcap -nnle -v
tcpdump -r sw01.pcap -nnle -v

Actual results:
+ ip netns exec server ping 1000::12 -c 1
PING 1000::12(1000::12) 56 data bytes
64 bytes from 2000::2: icmp_seq=1 ttl=63 time=1.58 ms
--- 1000::12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.583/1.583/1.583/0.000 ms
+ tcpdump -r server.pcap -nnle -v
reading from file server.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
21:42:57.354628 5e:a8:0b:ac:5b:5d > 00:00:02:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xb66ef, hlim 64, next-header ICMPv6 (58) payload length: 64) 1000::50 > 1000::12: [icmp6 sum ok] ICMP6, echo request, seq 1
21:42:57.356173 00:00:02:01:02:03 > 5e:a8:0b:ac:5b:5d, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xd3c71, hlim 63, next-header ICMPv6 (58) payload length: 64) 2000::2 > 1000::50: [icmp6 sum ok] ICMP6, echo reply, seq 1
+ tcpdump -r sw01.pcap -nnle -v
reading from file sw01.pcap, link-type EN10MB (Ethernet)
dropped privs to tcpdump
21:42:57.355523 00:00:01:01:02:03 > f0:00:00:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xb66ef, hlim 63, next-header ICMPv6 (58) payload length: 64) 1000::50 > 2000::2: [icmp6 sum ok] ICMP6, echo request, seq 1
<=== the packet is dnated
21:42:57.355568 f0:00:00:01:02:03 > 00:00:01:01:02:03, ethertype IPv6 (0x86dd), length 118: (flowlabel 0xd3c71, hlim 64, next-header ICMPv6 (58) payload length: 64) 2000::2 > 1000::50: [icmp6 sum ok] ICMP6, echo reply, seq 1

Expected results:
ping should fail, the packet should not be dnated

Additional info:
it worked as expected if stateless is not configured.

[root@wsfd-advnetlab16 nat_test]# rpm -qa | grep -E "openvswitch2.15|ovn-2021"
ovn-2021-21.12.0-32.el8fdp.x86_64
openvswitch2.15-2.15.0-84.el8fdp.x86_64
ovn-2021-host-21.12.0-32.el8fdp.x86_64
ovn-2021-central-21.12.0-32.el8fdp.x86_64
python3-openvswitch2.15-2.15.0-84.el8fdp.x86_64
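The pass/fail criterion used by the reporter and by the verification comments above (an echo request from an external source outside allowed_ext_ips must not show up on sw01 rewritten to the logical IP 2000::2) can be checked mechanically over the tcpdump -nnle -v output. The following is an added example, not code from the bug report or from OVN; it assumes the NAT row values from the description (external_ip 1000::12, logical_ip 2000::2, address set containing 1000::51) and embeds capture lines taken from the page as sample input.

```python
import ipaddress
import re
from dataclasses import dataclass

# "<src> > <dst>: [icmp6 sum ok] ICMP6, <type>, ..." as printed by tcpdump -nnle -v
_ICMP6_RE = re.compile(r"\) ([0-9a-fA-F:.]+) > ([0-9a-fA-F:.]+): \[icmp6 sum ok\] ICMP6, ([^,]+),")


@dataclass(frozen=True)
class StatelessDnatAndSnat:
    """The NAT row from the bug; allowed_ext_ips holds the Address_Set contents (addresses or CIDRs)."""
    external_ip: str
    logical_ip: str
    allowed_ext_ips: frozenset

    def permits(self, ext_src: str) -> bool:
        # With allowed_ext_ips set, only the listed external sources may be DNATed to logical_ip.
        addr = ipaddress.ip_address(ext_src)
        return any(addr in ipaddress.ip_network(a, strict=False) for a in self.allowed_ext_ips)


def parse_icmp6(line: str):
    """Return (src, dst, icmp6 type) for one capture line, or None for ARP/non-ICMP6 lines."""
    m = _ICMP6_RE.search(line)
    if m is None:
        return None
    src, dst, kind = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), kind.strip()


def find_leaked_dnat(inner_capture, nat):
    """Packets on the inner port (sw01) that were DNATed to logical_ip although their
    external source is not in allowed_ext_ips. Empty once the fix is in place."""
    logical = ipaddress.ip_address(nat.logical_ip)
    leaked = []
    for line in inner_capture:
        pkt = parse_icmp6(line)
        if pkt is not None and pkt[1] == logical and not nat.permits(str(pkt[0])):
            leaked.append((str(pkt[0]), str(pkt[1]), pkt[2]))
    return leaked


NAT = StatelessDnatAndSnat("1000::12", "2000::2", frozenset({"1000::51"}))

# sw01 capture from the bug's "Actual results" (before the fix): the echo request was DNATed.
BUGGY_SW01 = [
    "21:42:57.355523 00:00:01:01:02:03 > f0:00:00:01:02:03, ethertype IPv6 (0x86dd), length 118: "
    "(flowlabel 0xb66ef, hlim 63, next-header ICMPv6 (58) payload length: 64) 1000::50 > 2000::2: "
    "[icmp6 sum ok] ICMP6, echo request, seq 1",
]
# sw01 capture from the verification run on ovn-2021-21.12.0-73 (after the fix): only a router solicitation.
FIXED_SW01 = [
    "04:44:25.184291 f0:00:00:01:02:03 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: "
    "(hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::f200:ff:fe01:203 > ff02::2: "
    "[icmp6 sum ok] ICMP6, router solicitation, length 16",
]

if __name__ == "__main__":
    print("before fix:", find_leaked_dnat(BUGGY_SW01, NAT))  # one leaked echo request
    print("after fix: ", find_leaked_dnat(FIXED_SW01, NAT))  # []
```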