Bug 2070929 - OVN-Kubernetes: EgressIP breaks access from a pod with EgressIP to other host networked pods on different nodes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.11.0
Assignee: Surya Seetharaman
QA Contact: huirwang
URL:
Whiteboard:
: 2076321 (view as bug list)
Depends On:
Blocks: 2083116
Reported: 2022-04-01 11:02 UTC by Andreas Karis
Modified: 2023-06-15 01:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 11:03:06 UTC
Target Upstream Version:
Embargoed:
surya: needinfo-


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift ovn-kubernetes pull 1078 | 0 | None | Merged | Bug 2070929: Downstream Merge: 04-05-2022 | 2022-05-06 18:45:17 UTC |
| Github | ovn-org ovn-kubernetes pull 2945 | 0 | None | Merged | delete SNAT2NIP if pod.node == egressNodeServingPod | 2022-05-04 10:37:04 UTC |
| Red Hat Knowledge Base (Solution) | 6962941 | 0 | None | None | None | 2022-06-13 13:53:12 UTC |
| Red Hat Product Errata | RHSA-2022:5069 | 0 | None | None | None | 2022-08-10 11:04:03 UTC |

Description Andreas Karis 2022-04-01 11:02:18 UTC
OVN-Kubernetes: EgressIP breaks access from a pod with EgressIP to other host networked pods on different nodes

Scenario:

* pod <podA> on node <nodeA> in namespace <nsA> accesses a host networked pod <podB> on node <nodeB>
* EgressIP <eipA> is assigned to namespace <nsA>
* Traffic from <podA> to <podB> breaks

Pods:
~~~
[akaris@linux 2070878]$ oc get pods -A -o wide | grep egress | grep -v debug
e2e-test-egressip-8wznm                            egressip-target-daemonset-sq27b                              1/1     Running     0               19m    10.0.135.215   ip-10-0-135-215.ec2.internal   <none>           <none>
e2e-test-egressip-pfvtq                            e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p          1/1     Running     0               19m    10.128.2.20    ip-10-0-144-143.ec2.internal   <none>           <none>
[akaris@linux 2070878]$ 
~~~

Before applying the EgressIP:
================================================

curl from 
~~~
~ $ curl 10.0.135.215:32667/clientip
10.0.144.143:49524~ $ 
~~~

Tcpdump on node/ip-10-0-144-143.ec2.internal - we see that the traffic is SNAT'ed to the source node and then sent to the destination node:
~~~
sh-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:44:21.980235 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0
10:44:21.981733 0e:4c:94:8d:88:a3 > 0e:61:09:b2:50:0b, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0
10:44:21.982334 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90
10:44:21.982339 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0
(...)
~~~

We see the same traffic on the destination host ip-10-0-135-215.ec2.internal:
~~~
sh-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:44:21.980683 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0
10:44:21.981285 0a:71:d0:10:a3:bd > 0a:a8:54:d9:eb:39, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0
10:44:21.982748 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90
10:44:21.982796 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0
(...)
~~~

OVN trace:
~~~
sh-4.4# ovn-nbctl show | egrep -B2 'switch|10.128.2.20'
switch dcd8fa58-03a6-482d-931a-b207accc0165 (ip-10-0-168-18.ec2.internal)
--
    port openshift-kube-scheduler-operator_openshift-kube-scheduler-operator-77c7f8f6ff-7fn66
        addresses: ["0a:58:0a:80:00:16 10.128.0.22"]
switch 3c724fa1-6664-4c49-9c88-01cac428762d (join)
--
        type: router
        router-port: rtoj-GR_ip-10-0-138-37.ec2.internal
switch 77e3c872-5088-4869-8b37-ab015dc16b42 (ip-10-0-144-143.ec2.internal)
    port e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p
        addresses: ["0a:58:0a:80:02:14 10.128.2.20"]
--
    port openshift-image-registry_image-registry-57bb877cc5-shqlm
        addresses: ["0a:58:0a:80:02:07 10.128.2.7"]
switch 4b47a71a-3fa6-471c-af98-4e22ef48e4a5 (ext_ip-10-0-161-98.ec2.internal)
--
        addresses: ["02:8e:15:e3:f3:75"]
        router-port: rtoe-GR_ip-10-0-161-98.ec2.internal
switch 0c0b1dba-c86c-4b63-aa97-cb67a2527f34 (ip-10-0-138-37.ec2.internal)
--
    port openshift-kube-apiserver_installer-6-ip-10-0-138-37.ec2.internal
        addresses: ["0a:58:0a:81:00:24 10.129.0.36"]
switch 7e5734eb-3dad-4c48-ab52-d7f20ac4b633 (ext_ip-10-0-144-143.ec2.internal)
--
        addresses: ["0e:61:09:b2:50:0b"]
        router-port: rtoe-GR_ip-10-0-144-143.ec2.internal
switch 9825c9cd-6335-451c-84b7-ef285953fe0e (ext_ip-10-0-135-215.ec2.internal)
--
        type: localnet
        addresses: ["unknown"]
switch fc0693fd-671a-499a-a86a-020a2a61ee40 (ip-10-0-153-96.ec2.internal)
--
    port openshift-marketplace_redhat-operators-dwwrf
        addresses: ["0a:58:0a:82:00:13 10.130.0.19"]
switch 29a2c24d-4f6a-497e-91cc-2586cbef2b78 (ext_ip-10-0-168-18.ec2.internal)
--
        addresses: ["02:05:50:99:1d:71"]
        router-port: rtoe-GR_ip-10-0-168-18.ec2.internal
switch 0e3c41a6-aea5-4ac7-8f8c-5fea3898cde2 (ip-10-0-135-215.ec2.internal)
--
    port openshift-dns_dns-default-gg79c
        addresses: ["0a:58:0a:81:02:07 10.129.2.7"]
switch 727a729f-24d8-4403-ac7e-410f9a7246ca (ip-10-0-161-98.ec2.internal)
--
    port openshift-monitoring_telemeter-client-68f77c5577-fqs2t
        addresses: ["0a:58:0a:83:00:09 10.131.0.9"]
switch d748ae7f-f130-4277-bfd5-0199f322072a (ext_ip-10-0-138-37.ec2.internal)
--
        type: localnet
        addresses: ["unknown"]
switch c8a8cc67-e15f-4291-b224-5602fcdd9e61 (ext_ip-10-0-153-96.ec2.internal)
--
    nat 0340500b-83b1-4e96-948a-c2496cff9586
        external ip: "10.0.144.143"
        logical ip: "10.128.2.20"
sh-4.4# ovn-nbctl show | grep rtos-ip-10-0-144-143.ec2.internal -A3
        router-port: rtos-ip-10-0-144-143.ec2.internal
    port openshift-monitoring_prometheus-k8s-1
        addresses: ["0a:58:0a:80:02:0d 10.128.2.13"]
    port openshift-ingress-canary_ingress-canary-qwjwr
--
    port rtos-ip-10-0-144-143.ec2.internal
        mac: "0a:58:0a:80:02:01"
        networks: ["10.128.2.1/23"]
        gateway chassis: [d9e825b4-9e8a-4c40-8fea-8887e0f60212]
~~~

~~~
sh-4.4# ovn-trace --minimal  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.215 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.215,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0
*** no OpenFlow flows;
*** no OpenFlow flows;
ct_lb {
    reg0[6] = 0;
    *** chk_lb_hairpin_reply action not implemented;
    reg0[12] = 0;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 0a:58:64:40:00:01;
    eth.dst = 0a:58:64:40:00:06;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 0e:61:09:b2:50:0b;
    eth.dst = 0e:4c:94:8d:88:a3;
    ct_dnat /* assuming no un-dnat entry, so no change */ {
        *** no OpenFlow flows;
        ct_snat(ip4.src=10.0.144.143) {
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            output("br-ex_ip-10-0-144-143.ec2.internal");
        };
    };
};
~~~

~~~
sh-4.4# ovn-trace --friendly-names  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.215 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.215,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0

ingress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p")
--------------------------------------------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == {0a:58:0a:80:02:14}, priority 50, uuid bb5f0a86
    *** no OpenFlow flows
    next;
 1. ls_in_port_sec_ip (northd.c:5142): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 && ip4.src == {10.128.2.20}, priority 90, uuid 9d4b07c7
    *** no OpenFlow flows
    next;
 5. ls_in_pre_acl (northd.c:5769): ip, priority 100, uuid 9089bb6c
    cookie=0x9089bb6c, duration=8189.917s, table=13, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    cookie=0x9089bb6c, duration=8189.917s, table=13, n_packets=1153180, n_bytes=896794830, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    reg0[0] = 1;
    next;
 6. ls_in_pre_lb (northd.c:5901): ip, priority 100, uuid adfd637e
    cookie=0xadfd637e, duration=8189.924s, table=14, n_packets=1153180, n_bytes=896794830, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    cookie=0xadfd637e, duration=8189.924s, table=14, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    reg0[2] = 1;
    next;
 7. ls_in_pre_stateful (northd.c:5928): reg0[2] == 1 && ip4 && tcp, priority 120, uuid c95e8d65
    cookie=0xc95e8d65, duration=8189.870s, table=15, n_packets=0, n_bytes=0, idle_age=8189, priority=120,tcp,reg0=0x4/0x4,metadata=0x9 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8189.924s, table=15, n_packets=0, n_bytes=0, idle_age=8189, priority=120,tcp,reg0=0x4/0x4,metadata=0x3 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8189.925s, table=15, n_packets=1149633, n_bytes=896215204, idle_age=0, priority=120,tcp,reg0=0x4/0x4,metadata=0x4 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    reg1 = ip4.dst;
    reg2[0..15] = tcp.dst;
    ct_lb;

ct_lb
-----
 8. ls_in_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid 40fbe707
    cookie=0x40fbe707, duration=8189.925s, table=16, n_packets=23065, n_bytes=1748569, idle_age=1, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,17)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 9. ls_in_acl (northd.c:6448): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid d81e8ce4
    cookie=0xd81e8ce4, duration=8189.924s, table=17, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8189.924s, table=17, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8189.924s, table=17, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8189.924s, table=17, n_packets=23065, n_bytes=1748569, idle_age=1, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    reg0[1] = 1;
    next;
12. ls_in_stateful (northd.c:6789): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid eada98b2
    cookie=0xeada98b2, duration=8189.870s, table=20, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8189.872s, table=20, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8189.924s, table=20, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8189.924s, table=20, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8189.926s, table=20, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8189.926s, table=20, n_packets=18382, n_bytes=1361064, idle_age=1, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    ct_commit { ct_label.blocked = 0; };
    next;
13. ls_in_pre_hairpin (northd.c:6816): ip && ct.trk, priority 100, uuid 183345c2
    cookie=0x183345c2, duration=8189.926s, table=21, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ct_state=+trk,ipv6,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    cookie=0x183345c2, duration=8189.926s, table=21, n_packets=1134525, n_bytes=895418520, idle_age=0, priority=100,ct_state=+trk,ip,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:0a:80:02:01, priority 50, uuid 371919d7
    *** no OpenFlow flows
    outport = "stor-ip-10-0-144-143.ec2.internal";
    output;

egress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p", outport="stor-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid ebde06b7
    *** no OpenFlow flows
    next;
 1. ls_out_pre_acl (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid f14b6ba3
    *** no OpenFlow flows
    next;
 3. ls_out_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid dc4eb3b9
    cookie=0xdc4eb3b9, duration=8189.925s, table=43, n_packets=26418, n_bytes=2050186, idle_age=0, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,44)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 4. ls_out_acl (northd.c:6451): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid eb6560a9
    cookie=0xeb6560a9, duration=8189.925s, table=44, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8189.925s, table=44, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8189.925s, table=44, n_packets=0, n_bytes=0, idle_age=8189, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8189.925s, table=44, n_packets=14364, n_bytes=1158190, idle_age=0, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    reg0[1] = 1;
    next;
 7. ls_out_stateful (northd.c:6793): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid 3eb26158
    cookie=0x3eb26158, duration=8189.871s, table=47, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8189.872s, table=47, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8189.925s, table=47, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8189.925s, table=47, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8189.926s, table=47, n_packets=0, n_bytes=0, idle_age=8189, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8189.926s, table=47, n_packets=26418, n_bytes=2050186, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    ct_commit { ct_label.blocked = 0; };
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "stor-ip-10-0-144-143.ec2.internal", priority 50, uuid 195755b8
    *** no OpenFlow flows
    output;
    /* output to "stor-ip-10-0-144-143.ec2.internal", type "patch" */

ingress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:0a:80:02:01 && inport == "rtos-ip-10-0-144-143.ec2.internal" && is_chassis_resident("cr-rtos-ip-10-0-144-143.ec2.internal"), priority 50, uuid 0294dd7b
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:0a:80:02:01;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8189.925s, table=9, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8189.888s, table=9, n_packets=354745, n_bytes=157723633, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1, priority 100, uuid 64eb7612
    cookie=0x64eb7612, duration=8189.925s, table=10, n_packets=759804, n_bytes=441971831, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x5 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8189.925s, table=18, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8189.887s, table=18, n_packets=354726, n_bytes=157722177, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): ip4.src == 10.128.2.0/23, priority 69, uuid 3fe29bc6
    cookie=0x3fe29bc6, duration=7393.022s, table=19, n_packets=0, n_bytes=0, idle_age=7393, priority=69,ip,metadata=0x5,nw_src=10.128.2.0/23 actions=dec_ttl(),set_field:0/0xffff00000000->xreg4,set_field:0x64400006000000000000000000000000/0xffffffff000000000000000000000000->xxreg0,set_field:0x644000010000000000000000/0xffffffff0000000000000000->xxreg0,set_field:0a:58:64:40:00:01->eth_src,set_field:0x3->reg15,set_field:0x1/0x1->reg10,resubmit(,20)
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 100.64.0.6;
    reg1 = 100.64.0.1;
    eth.src = 0a:58:64:40:00:01;
    outport = "rtoj-ovn_cluster_router";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8189.925s, table=20, n_packets=759804, n_bytes=441971831, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8189.888s, table=20, n_packets=354720, n_bytes=157721805, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:8683): ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.135.215/32, priority 101, uuid fa257030
    cookie=0xfa257030, duration=7440.002s, table=21, n_packets=0, n_bytes=0, idle_age=7440, priority=101,ip,metadata=0x5,nw_src=10.128.0.0/14,nw_dst=10.0.135.215 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8189.925s, table=22, n_packets=759804, n_bytes=441971831, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8189.887s, table=22, n_packets=354720, n_bytes=157721805, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11535): outport == "rtoj-ovn_cluster_router" && reg0 == 100.64.0.6, priority 100, uuid fb98b80d
    cookie=0xfb98b80d, duration=7393.044s, table=23, n_packets=33, n_bytes=6642, idle_age=182, priority=100,reg0=0x64400006,reg15=0x3,metadata=0x5 actions=set_field:0a:58:64:40:00:06->eth_dst,resubmit(,24)
    eth.dst = 0a:58:64:40:00:06;
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8189.925s, table=27, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8189.888s, table=27, n_packets=354718, n_bytes=157721657, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal", outport="rtoj-ovn_cluster_router")
--------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8189.926s, table=40, n_packets=756496, n_bytes=703482530, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8189.889s, table=40, n_packets=354867, n_bytes=157727979, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 6. lr_out_delivery (northd.c:11875): outport == "rtoj-ovn_cluster_router", priority 100, uuid 3a537c94
    cookie=0x3a537c94, duration=8189.926s, table=46, n_packets=163654, n_bytes=19694117, idle_age=0, priority=100,reg15=0x3,metadata=0x5 actions=resubmit(,64)
    output;
    /* output to "rtoj-ovn_cluster_router", type "patch" */

ingress(dp="join", inport="jtor-ovn_cluster_router")
----------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "jtor-ovn_cluster_router", priority 50, uuid b7b18223
    cookie=0xb7b18223, duration=8189.926s, table=8, n_packets=163654, n_bytes=19694117, idle_age=0, priority=50,reg14=0x1,metadata=0x3 actions=resubmit(,9)
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "jtor-ovn_cluster_router", priority 110, uuid 3a0c7e5d
    cookie=0x3a0c7e5d, duration=8189.926s, table=14, n_packets=0, n_bytes=0, idle_age=8189, priority=110,ipv6,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    cookie=0x3a0c7e5d, duration=8189.926s, table=14, n_packets=163654, n_bytes=19694117, idle_age=0, priority=110,ip,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:64:40:00:06, priority 50, uuid 0d845b46
    cookie=0xd845b46, duration=7393.045s, table=30, n_packets=33, n_bytes=6642, idle_age=182, priority=50,metadata=0x3,dl_dst=0a:58:64:40:00:06 actions=set_field:0x6->reg15,resubmit(,37)
    outport = "jtor-GR_ip-10-0-144-143.ec2.internal";
    output;

egress(dp="join", inport="jtor-ovn_cluster_router", outport="jtor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid e9f52572
    *** no OpenFlow flows
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid 9c8aa745
    *** no OpenFlow flows
    output;
    /* output to "jtor-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal")
--------------------------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:64:40:00:06 && inport == "rtoj-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid ec6376d1
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:64:40:00:06;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8189.926s, table=9, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8189.889s, table=9, n_packets=354745, n_bytes=157723633, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1 || reg9[3] == 0, priority 100, uuid cdaff181
    cookie=0xcdaff181, duration=8189.889s, table=10, n_packets=354891, n_bytes=157729765, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x8 actions=resubmit(,11)
    cookie=0xcdaff181, duration=8189.889s, table=10, n_packets=0, n_bytes=0, idle_age=8189, priority=100,reg9=0/0x8,metadata=0x8 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8189.926s, table=18, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8189.888s, table=18, n_packets=354726, n_bytes=157722177, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): reg7 == 0 && ip4.dst == 0.0.0.0/0, priority 1, uuid 9e4511b4
    *** no OpenFlow flows
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 10.0.144.1;
    reg1 = 10.0.144.143;
    eth.src = 0e:61:09:b2:50:0b;
    outport = "rtoe-GR_ip-10-0-144-143.ec2.internal";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8189.926s, table=20, n_packets=759804, n_bytes=441971831, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8189.889s, table=20, n_packets=354720, n_bytes=157721805, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:11145): 1, priority 0, uuid 6616ddfd
    cookie=0x6616ddfd, duration=8189.926s, table=21, n_packets=149019, n_bytes=92138244, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    cookie=0x6616ddfd, duration=8189.889s, table=21, n_packets=354720, n_bytes=157721805, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8189.926s, table=22, n_packets=759804, n_bytes=441971831, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8189.888s, table=22, n_packets=354720, n_bytes=157721805, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11181): ip4, priority 0, uuid b8d5d775
    cookie=0xb8d5d775, duration=8189.926s, table=23, n_packets=0, n_bytes=0, idle_age=8189, priority=0,ip,metadata=0x5 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    cookie=0xb8d5d775, duration=8189.889s, table=23, n_packets=354720, n_bytes=157721805, idle_age=0, priority=0,ip,metadata=0x8 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    get_arp(outport, reg0);
    /* MAC binding to 0e:4c:94:8d:88:a3. */
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8189.926s, table=27, n_packets=759804, n_bytes=441971831, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8189.889s, table=27, n_packets=354718, n_bytes=157721657, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal", outport="rtoe-GR_ip-10-0-144-143.ec2.internal")
-------------------------------------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8189.926s, table=40, n_packets=756496, n_bytes=703482530, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8189.889s, table=40, n_packets=354867, n_bytes=157727979, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 1. lr_out_undnat (northd.c:13073): ip, priority 50, uuid 30f9f51d
    cookie=0x30f9f51d, duration=8189.889s, table=41, n_packets=0, n_bytes=0, idle_age=8189, priority=50,ipv6,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    cookie=0x30f9f51d, duration=8189.889s, table=41, n_packets=354720, n_bytes=157721805, idle_age=0, priority=50,ip,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 2. lr_out_post_undnat (northd.c:13075): ip && ct.new, priority 50, uuid 72597618
    cookie=0x72597618, duration=8189.889s, table=42, n_packets=5588, n_bytes=424076, idle_age=2, priority=50,ct_state=+new+trk,ip,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    cookie=0x72597618, duration=8189.889s, table=42, n_packets=0, n_bytes=0, idle_age=8189, priority=50,ct_state=+new+trk,ipv6,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    ct_commit;
    next;
 3. lr_out_snat (northd.c:12754): ip && ip4.src == 10.128.2.20, priority 33, uuid 13aacd6b
    *** no OpenFlow flows
    ct_snat(10.0.144.143);

ct_snat(ip4.src=10.0.144.143)
-----------------------------
 6. lr_out_delivery (northd.c:11875): outport == "rtoe-GR_ip-10-0-144-143.ec2.internal", priority 100, uuid 5e0c78ba
    *** no OpenFlow flows
    output;
    /* output to "rtoe-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="ext_ip-10-0-144-143.ec2.internal", inport="etor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid e3140e37
    *** no OpenFlow flows
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid 01bbc6f5
    *** no OpenFlow flows
    next;
22. ls_in_l2_lkup (northd.c:7510): 1, priority 0, uuid e6316566
    cookie=0xe6316566, duration=8189.873s, table=30, n_packets=220645, n_bytes=68069641, idle_age=0, priority=0,metadata=0x9 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8189.926s, table=30, n_packets=0, n_bytes=0, idle_age=8189, priority=0,metadata=0x3 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8189.928s, table=30, n_packets=0, n_bytes=0, idle_age=8189, priority=0,metadata=0x4 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    outport = get_fdb(eth.dst);
    next;
23. ls_in_l2_unknown (northd.c:7515): outport == "none", priority 50, uuid cd3aa917
    cookie=0xcd3aa917, duration=8189.874s, table=31, n_packets=220645, n_bytes=68069641, idle_age=0, priority=50,reg15=0,metadata=0x9 actions=set_field:0x8001->reg15,resubmit(,37)
    outport = "_MC_unknown";
    output;

multicast(dp="ext_ip-10-0-144-143.ec2.internal", mcgroup="_MC_unknown")
-----------------------------------------------------------------------

    egress(dp="ext_ip-10-0-144-143.ec2.internal", inport="etor-GR_ip-10-0-144-143.ec2.internal", outport="br-ex_ip-10-0-144-143.ec2.internal")
    ------------------------------------------------------------------------------------------------------------------------------------------
         0. ls_out_pre_lb (northd.c:5659): ip && outport == "br-ex_ip-10-0-144-143.ec2.internal", priority 110, uuid e34a92c1
            *** no OpenFlow flows
            next;
         9. ls_out_port_sec_l2 (northd.c:5607): outport == "br-ex_ip-10-0-144-143.ec2.internal", priority 50, uuid 34f65456
            *** no OpenFlow flows
            output;
            /* output to "br-ex_ip-10-0-144-143.ec2.internal", type "localnet" */
sh-4.4# 
~~~


After applying the EgressIP:
================================================

~~~
[akaris@linux 2070878]$ oc apply -f egressip.yaml
egressip.k8s.ovn.org/e2e-test-egressip-pfvtq created
~~~

~~~
 $ curl 10.0.135.215:32667/clientip

~~~

~~~
sh-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
10:59:23.220391 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.128.2.20.36356 > 10.0.135.215.32667: Flags [S], seq 3436577877, win 26583, options [mss 8861,sackOK,TS val 2216393822 ecr 0,nop,wscale 7], length 0
10:59:24.283173 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.128.2.20.36356 > 10.0.135.215.32667: Flags [S], seq 3436577877, win 26583, options [mss 8861,sackOK,TS val 2216394886 ecr 0,nop,wscale 7], length 0
10:59:26.331185 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.128.2.20.36356 > 10.0.135.215.32667: Flags [S], seq 3436577877, win 26583, options [mss 8861,sackOK,TS val 2216396934 ecr 0,nop,wscale 7], length 0
10:59:30.363171 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.128.2.20.36356 > 10.0.135.215.32667: Flags [S], seq 3436577877, win 26583, options [mss 8861,sackOK,TS val 2216400966 ecr 0,nop,wscale 7], length 0
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel
sh-4.4# 
~~~

Traffic is logically blocked by AWS and doesn't make it to the other side.

The trace reveals that the packet is sent out the normal interface and is not SNATed at all:
~~~
sh-4.4# ovn-trace --minimal  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.215 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.215,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0
*** no OpenFlow flows;
*** no OpenFlow flows;
ct_lb {
    reg0[6] = 0;
    *** chk_lb_hairpin_reply action not implemented;
    reg0[12] = 0;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 0a:58:64:40:00:01;
    eth.dst = 0a:58:64:40:00:06;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 0e:61:09:b2:50:0b;
    eth.dst = 0e:4c:94:8d:88:a3;
    ct_dnat /* assuming no un-dnat entry, so no change */ {
        *** no OpenFlow flows;
        *** no OpenFlow flows;
        *** no OpenFlow flows;
        *** no OpenFlow flows;
        *** no OpenFlow flows;
        output("br-ex_ip-10-0-144-143.ec2.internal");
    };
};
~~~

~~~
sh-4.4# ovn-trace --friendly-names  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.215 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.215,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0

ingress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p")
--------------------------------------------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == {0a:58:0a:80:02:14}, priority 50, uuid bb5f0a86
    *** no OpenFlow flows
    next;
 1. ls_in_port_sec_ip (northd.c:5142): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 && ip4.src == {10.128.2.20}, priority 90, uuid 9d4b07c7
    *** no OpenFlow flows
    next;
 5. ls_in_pre_acl (northd.c:5769): ip, priority 100, uuid 9089bb6c
    cookie=0x9089bb6c, duration=8324.704s, table=13, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    cookie=0x9089bb6c, duration=8324.704s, table=13, n_packets=1173608, n_bytes=924201996, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    reg0[0] = 1;
    next;
 6. ls_in_pre_lb (northd.c:5901): ip, priority 100, uuid adfd637e
    cookie=0xadfd637e, duration=8324.711s, table=14, n_packets=1173608, n_bytes=924201996, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    cookie=0xadfd637e, duration=8324.711s, table=14, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    reg0[2] = 1;
    next;
 7. ls_in_pre_stateful (northd.c:5928): reg0[2] == 1 && ip4 && tcp, priority 120, uuid c95e8d65
    cookie=0xc95e8d65, duration=8324.658s, table=15, n_packets=0, n_bytes=0, idle_age=8324, priority=120,tcp,reg0=0x4/0x4,metadata=0x9 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8324.712s, table=15, n_packets=0, n_bytes=0, idle_age=8324, priority=120,tcp,reg0=0x4/0x4,metadata=0x3 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8324.713s, table=15, n_packets=1170061, n_bytes=923622370, idle_age=0, priority=120,tcp,reg0=0x4/0x4,metadata=0x4 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    reg1 = ip4.dst;
    reg2[0..15] = tcp.dst;
    ct_lb;

ct_lb
-----
 8. ls_in_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid 40fbe707
    cookie=0x40fbe707, duration=8324.713s, table=16, n_packets=23402, n_bytes=1773507, idle_age=0, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,17)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 9. ls_in_acl (northd.c:6448): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid d81e8ce4
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=23402, n_bytes=1773507, idle_age=0, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    reg0[1] = 1;
    next;
12. ls_in_stateful (northd.c:6789): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid eada98b2
    cookie=0xeada98b2, duration=8324.657s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.659s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.711s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.711s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.713s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.713s, table=20, n_packets=18715, n_bytes=1385706, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    ct_commit { ct_label.blocked = 0; };
    next;
13. ls_in_pre_hairpin (northd.c:6816): ip && ct.trk, priority 100, uuid 183345c2
    cookie=0x183345c2, duration=8324.713s, table=21, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ct_state=+trk,ipv6,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    cookie=0x183345c2, duration=8324.713s, table=21, n_packets=1154612, n_bytes=922800612, idle_age=0, priority=100,ct_state=+trk,ip,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:0a:80:02:01, priority 50, uuid 371919d7
    *** no OpenFlow flows
    outport = "stor-ip-10-0-144-143.ec2.internal";
    output;

egress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p", outport="stor-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid ebde06b7
    *** no OpenFlow flows
    next;
 1. ls_out_pre_acl (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid f14b6ba3
    *** no OpenFlow flows
    next;
 3. ls_out_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid dc4eb3b9
    cookie=0xdc4eb3b9, duration=8324.712s, table=43, n_packets=26791, n_bytes=2077788, idle_age=0, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,44)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 4. ls_out_acl (northd.c:6451): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid eb6560a9
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=14519, n_bytes=1169660, idle_age=0, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    reg0[1] = 1;
    next;
 7. ls_out_stateful (northd.c:6793): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid 3eb26158
    cookie=0x3eb26158, duration=8324.658s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.659s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.712s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.712s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.713s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.713s, table=47, n_packets=26791, n_bytes=2077788, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    ct_commit { ct_label.blocked = 0; };
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "stor-ip-10-0-144-143.ec2.internal", priority 50, uuid 195755b8
    *** no OpenFlow flows
    output;
    /* output to "stor-ip-10-0-144-143.ec2.internal", type "patch" */

ingress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:0a:80:02:01 && inport == "rtos-ip-10-0-144-143.ec2.internal" && is_chassis_resident("cr-rtos-ip-10-0-144-143.ec2.internal"), priority 50, uuid 0294dd7b
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:0a:80:02:01;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8324.712s, table=9, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8324.675s, table=9, n_packets=359836, n_bytes=158820876, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1, priority 100, uuid 64eb7612
    cookie=0x64eb7612, duration=8324.712s, table=10, n_packets=772812, n_bytes=455249292, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x5 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8324.713s, table=18, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8324.675s, table=18, n_packets=359816, n_bytes=158819366, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): ip4.src == 10.128.2.0/23, priority 69, uuid 3fe29bc6
    cookie=0x3fe29bc6, duration=7527.810s, table=19, n_packets=0, n_bytes=0, idle_age=7527, priority=69,ip,metadata=0x5,nw_src=10.128.2.0/23 actions=dec_ttl(),set_field:0/0xffff00000000->xreg4,set_field:0x64400006000000000000000000000000/0xffffffff000000000000000000000000->xxreg0,set_field:0x644000010000000000000000/0xffffffff0000000000000000->xxreg0,set_field:0a:58:64:40:00:01->eth_src,set_field:0x3->reg15,set_field:0x1/0x1->reg10,resubmit(,20)
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 100.64.0.6;
    reg1 = 100.64.0.1;
    eth.src = 0a:58:64:40:00:01;
    outport = "rtoj-ovn_cluster_router";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8324.713s, table=20, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8324.676s, table=20, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:8683): ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.135.215/32, priority 101, uuid fa257030
    cookie=0xfa257030, duration=7574.790s, table=21, n_packets=0, n_bytes=0, idle_age=7574, priority=101,ip,metadata=0x5,nw_src=10.128.0.0/14,nw_dst=10.0.135.215 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8324.713s, table=22, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8324.675s, table=22, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11535): outport == "rtoj-ovn_cluster_router" && reg0 == 100.64.0.6, priority 100, uuid fb98b80d
    cookie=0xfb98b80d, duration=7527.832s, table=23, n_packets=33, n_bytes=6642, idle_age=317, priority=100,reg0=0x64400006,reg15=0x3,metadata=0x5 actions=set_field:0a:58:64:40:00:06->eth_dst,resubmit(,24)
    eth.dst = 0a:58:64:40:00:06;
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8324.713s, table=27, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8324.676s, table=27, n_packets=359808, n_bytes=158818846, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal", outport="rtoj-ovn_cluster_router")
--------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8324.713s, table=40, n_packets=769549, n_bytes=722125663, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8324.676s, table=40, n_packets=359959, n_bytes=158825252, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 6. lr_out_delivery (northd.c:11875): outport == "rtoj-ovn_cluster_router", priority 100, uuid 3a537c94
    cookie=0x3a537c94, duration=8324.713s, table=46, n_packets=166053, n_bytes=19925078, idle_age=0, priority=100,reg15=0x3,metadata=0x5 actions=resubmit(,64)
    output;
    /* output to "rtoj-ovn_cluster_router", type "patch" */

ingress(dp="join", inport="jtor-ovn_cluster_router")
----------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "jtor-ovn_cluster_router", priority 50, uuid b7b18223
    cookie=0xb7b18223, duration=8324.713s, table=8, n_packets=166053, n_bytes=19925078, idle_age=0, priority=50,reg14=0x1,metadata=0x3 actions=resubmit(,9)
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "jtor-ovn_cluster_router", priority 110, uuid 3a0c7e5d
    cookie=0x3a0c7e5d, duration=8324.713s, table=14, n_packets=0, n_bytes=0, idle_age=8324, priority=110,ipv6,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    cookie=0x3a0c7e5d, duration=8324.713s, table=14, n_packets=166053, n_bytes=19925078, idle_age=0, priority=110,ip,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:64:40:00:06, priority 50, uuid 0d845b46
    cookie=0xd845b46, duration=7527.832s, table=30, n_packets=33, n_bytes=6642, idle_age=317, priority=50,metadata=0x3,dl_dst=0a:58:64:40:00:06 actions=set_field:0x6->reg15,resubmit(,37)
    outport = "jtor-GR_ip-10-0-144-143.ec2.internal";
    output;

egress(dp="join", inport="jtor-ovn_cluster_router", outport="jtor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid e9f52572
    *** no OpenFlow flows
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid 9c8aa745
    *** no OpenFlow flows
    output;
    /* output to "jtor-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal")
--------------------------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:64:40:00:06 && inport == "rtoj-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid ec6376d1
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:64:40:00:06;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8324.713s, table=9, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8324.676s, table=9, n_packets=359836, n_bytes=158820876, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1 || reg9[3] == 0, priority 100, uuid cdaff181
    cookie=0xcdaff181, duration=8324.676s, table=10, n_packets=359984, n_bytes=158827092, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x8 actions=resubmit(,11)
    cookie=0xcdaff181, duration=8324.676s, table=10, n_packets=0, n_bytes=0, idle_age=8324, priority=100,reg9=0/0x8,metadata=0x8 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8324.714s, table=18, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8324.676s, table=18, n_packets=359816, n_bytes=158819366, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): reg7 == 0 && ip4.dst == 0.0.0.0/0, priority 1, uuid 9e4511b4
    *** no OpenFlow flows
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 10.0.144.1;
    reg1 = 10.0.144.143;
    eth.src = 0e:61:09:b2:50:0b;
    outport = "rtoe-GR_ip-10-0-144-143.ec2.internal";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8324.714s, table=20, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8324.677s, table=20, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:11145): 1, priority 0, uuid 6616ddfd
    cookie=0x6616ddfd, duration=8324.714s, table=21, n_packets=150866, n_bytes=92416040, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    cookie=0x6616ddfd, duration=8324.677s, table=21, n_packets=359810, n_bytes=158818994, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8324.714s, table=22, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8324.676s, table=22, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11181): ip4, priority 0, uuid b8d5d775
    cookie=0xb8d5d775, duration=8324.714s, table=23, n_packets=0, n_bytes=0, idle_age=8324, priority=0,ip,metadata=0x5 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    cookie=0xb8d5d775, duration=8324.677s, table=23, n_packets=359810, n_bytes=158818994, idle_age=0, priority=0,ip,metadata=0x8 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    get_arp(outport, reg0);
    /* MAC binding to 0e:4c:94:8d:88:a3. */
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8324.714s, table=27, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8324.677s, table=27, n_packets=359808, n_bytes=158818846, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal", outport="rtoe-GR_ip-10-0-144-143.ec2.internal")
-------------------------------------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8324.714s, table=40, n_packets=769549, n_bytes=722125663, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8324.677s, table=40, n_packets=359959, n_bytes=158825252, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 1. lr_out_undnat (northd.c:13073): ip, priority 50, uuid 30f9f51d
    cookie=0x30f9f51d, duration=8324.677s, table=41, n_packets=0, n_bytes=0, idle_age=8324, priority=50,ipv6,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    cookie=0x30f9f51d, duration=8324.677s, table=41, n_packets=359810, n_bytes=158818994, idle_age=0, priority=50,ip,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 2. lr_out_post_undnat (northd.c:13075): ip && ct.new, priority 50, uuid 72597618
    cookie=0x72597618, duration=8324.677s, table=42, n_packets=5610, n_bytes=425836, idle_age=2, priority=50,ct_state=+new+trk,ip,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    cookie=0x72597618, duration=8324.677s, table=42, n_packets=0, n_bytes=0, idle_age=8324, priority=50,ct_state=+new+trk,ipv6,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    ct_commit;
    next;
 6. lr_out_delivery (northd.c:11875): outport == "rtoe-GR_ip-10-0-144-143.ec2.internal", priority 100, uuid 5e0c78ba
    *** no OpenFlow flows
    output;
    /* output to "rtoe-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="ext_ip-10-0-144-143.ec2.internal", inport="etor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid e3140e37
    *** no OpenFlow flows
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid 01bbc6f5
    *** no OpenFlow flows
    next;
22. ls_in_l2_lkup (northd.c:7510): 1, priority 0, uuid e6316566
    cookie=0xe6316566, duration=8324.660s, table=30, n_packets=223890, n_bytes=68889118, idle_age=0, priority=0,metadata=0x9 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8324.713s, table=30, n_packets=0, n_bytes=0, idle_age=8324, priority=0,metadata=0x3 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8324.715s, table=30, n_packets=0, n_bytes=0, idle_age=8324, priority=0,metadata=0x4 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    outport = get_fdb(eth.dst);
    next;
23. ls_in_l2_unknown (northd.c:7515): outport == "none", priority 50, uuid cd3aa917
    cookie=0xcd3aa917, duration=8324.661s, table=31, n_packets=223890, n_bytes=68889118, idle_age=0, priority=50,reg15=0,metadata=0x9 actions=set_field:0x8001->reg15,resubmit(,37)
    outport = "_MC_unknown";
    output;

multicast(dp="ext_ip-10-0-144-143.ec2.internal", mcgroup="_MC_unknown")
----------------------------------------------------------------

Comment 1 Andreas Karis 2022-04-01 11:02:38 UTC
[akaris@linux 2070878]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-03-29-152521   True        False         116m    Cluster version is 4.11.0-0.nightly-2022-03-29-152521
[akaris@linux 2070878]$

Comment 2 Andreas Karis 2022-04-01 11:03:20 UTC
~~~
sh-4.4# ovn-trace --friendly-names  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.215 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.215,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0

ingress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p")
--------------------------------------------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == {0a:58:0a:80:02:14}, priority 50, uuid bb5f0a86
    *** no OpenFlow flows
    next;
 1. ls_in_port_sec_ip (northd.c:5142): inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 && ip4.src == {10.128.2.20}, priority 90, uuid 9d4b07c7
    *** no OpenFlow flows
    next;
 5. ls_in_pre_acl (northd.c:5769): ip, priority 100, uuid 9089bb6c
    cookie=0x9089bb6c, duration=8324.704s, table=13, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    cookie=0x9089bb6c, duration=8324.704s, table=13, n_packets=1173608, n_bytes=924201996, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0,resubmit(,14)
    reg0[0] = 1;
    next;
 6. ls_in_pre_lb (northd.c:5901): ip, priority 100, uuid adfd637e
    cookie=0xadfd637e, duration=8324.711s, table=14, n_packets=1173608, n_bytes=924201996, idle_age=0, priority=100,ip,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    cookie=0xadfd637e, duration=8324.711s, table=14, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,metadata=0x4 actions=set_field:0x4000000000000000000000000/0x4000000000000000000000000->xxreg0,resubmit(,15)
    reg0[2] = 1;
    next;
 7. ls_in_pre_stateful (northd.c:5928): reg0[2] == 1 && ip4 && tcp, priority 120, uuid c95e8d65
    cookie=0xc95e8d65, duration=8324.658s, table=15, n_packets=0, n_bytes=0, idle_age=8324, priority=120,tcp,reg0=0x4/0x4,metadata=0x9 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8324.712s, table=15, n_packets=0, n_bytes=0, idle_age=8324, priority=120,tcp,reg0=0x4/0x4,metadata=0x3 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    cookie=0xc95e8d65, duration=8324.713s, table=15, n_packets=1170061, n_bytes=923622370, idle_age=0, priority=120,tcp,reg0=0x4/0x4,metadata=0x4 actions=move:NXM_OF_IP_DST[]->NXM_NX_XXREG0[64..95],move:NXM_OF_TCP_DST[]->NXM_NX_XXREG0[32..47],ct(table=16,zone=NXM_NX_REG13[0..15],nat)
    reg1 = ip4.dst;
    reg2[0..15] = tcp.dst;
    ct_lb;

ct_lb
-----
 8. ls_in_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid 40fbe707
    cookie=0x40fbe707, duration=8324.713s, table=16, n_packets=23402, n_bytes=1773507, idle_age=0, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,17)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 9. ls_in_acl (northd.c:6448): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid d81e8ce4
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    cookie=0xd81e8ce4, duration=8324.712s, table=17, n_packets=23402, n_bytes=1773507, idle_age=0, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,18)
    reg0[1] = 1;
    next;
12. ls_in_stateful (northd.c:6789): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid eada98b2
    cookie=0xeada98b2, duration=8324.657s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.659s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.711s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.711s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.713s, table=20, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    cookie=0xeada98b2, duration=8324.713s, table=20, n_packets=18715, n_bytes=1385706, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,21)
    ct_commit { ct_label.blocked = 0; };
    next;
13. ls_in_pre_hairpin (northd.c:6816): ip && ct.trk, priority 100, uuid 183345c2
    cookie=0x183345c2, duration=8324.713s, table=21, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ct_state=+trk,ipv6,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    cookie=0x183345c2, duration=8324.713s, table=21, n_packets=1154612, n_bytes=922800612, idle_age=0, priority=100,ct_state=+trk,ip,metadata=0x4 actions=set_field:0/0x80->reg10,resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],set_field:0/0x80->reg10,resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,22)
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:0a:80:02:01, priority 50, uuid 371919d7
    *** no OpenFlow flows
    outport = "stor-ip-10-0-144-143.ec2.internal";
    output;

egress(dp="ip-10-0-144-143.ec2.internal", inport="e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p", outport="stor-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid ebde06b7
    *** no OpenFlow flows
    next;
 1. ls_out_pre_acl (northd.c:5659): ip && outport == "stor-ip-10-0-144-143.ec2.internal", priority 110, uuid f14b6ba3
    *** no OpenFlow flows
    next;
 3. ls_out_acl_hint (northd.c:6001): ct.new && !ct.est, priority 7, uuid dc4eb3b9
    cookie=0xdc4eb3b9, duration=8324.712s, table=43, n_packets=26791, n_bytes=2077788, idle_age=0, priority=7,ct_state=+new-est+trk,metadata=0x4 actions=set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0,set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0,resubmit(,44)
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 4. ls_out_acl (northd.c:6451): ip && (!ct.est || (ct.est && ct_label.blocked == 1)), priority 1, uuid eb6560a9
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=-est+trk,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ipv6,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=0, n_bytes=0, idle_age=8324, priority=1,ct_state=+est+trk,ct_label=0x1/0x1,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    cookie=0xeb6560a9, duration=8324.712s, table=44, n_packets=14519, n_bytes=1169660, idle_age=0, priority=1,ct_state=-est+trk,ip,metadata=0x4 actions=set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0,resubmit(,45)
    reg0[1] = 1;
    next;
 7. ls_out_stateful (northd.c:6793): reg0[1] == 1 && reg0[13] == 0, priority 100, uuid 3eb26158
    cookie=0x3eb26158, duration=8324.658s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.659s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x9 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.712s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.712s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ip,reg0=0x2/0x2002,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.713s, table=47, n_packets=0, n_bytes=0, idle_age=8324, priority=100,ipv6,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    cookie=0x3eb26158, duration=8324.713s, table=47, n_packets=26791, n_bytes=2077788, idle_age=0, priority=100,ip,reg0=0x2/0x2002,metadata=0x4 actions=ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_label)),resubmit(,48)
    ct_commit { ct_label.blocked = 0; };
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "stor-ip-10-0-144-143.ec2.internal", priority 50, uuid 195755b8
    *** no OpenFlow flows
    output;
    /* output to "stor-ip-10-0-144-143.ec2.internal", type "patch" */

ingress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal")
----------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:0a:80:02:01 && inport == "rtos-ip-10-0-144-143.ec2.internal" && is_chassis_resident("cr-rtos-ip-10-0-144-143.ec2.internal"), priority 50, uuid 0294dd7b
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:0a:80:02:01;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8324.712s, table=9, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8324.675s, table=9, n_packets=359836, n_bytes=158820876, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1, priority 100, uuid 64eb7612
    cookie=0x64eb7612, duration=8324.712s, table=10, n_packets=772812, n_bytes=455249292, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x5 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8324.713s, table=18, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8324.675s, table=18, n_packets=359816, n_bytes=158819366, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): ip4.src == 10.128.2.0/23, priority 69, uuid 3fe29bc6
    cookie=0x3fe29bc6, duration=7527.810s, table=19, n_packets=0, n_bytes=0, idle_age=7527, priority=69,ip,metadata=0x5,nw_src=10.128.2.0/23 actions=dec_ttl(),set_field:0/0xffff00000000->xreg4,set_field:0x64400006000000000000000000000000/0xffffffff000000000000000000000000->xxreg0,set_field:0x644000010000000000000000/0xffffffff0000000000000000->xxreg0,set_field:0a:58:64:40:00:01->eth_src,set_field:0x3->reg15,set_field:0x1/0x1->reg10,resubmit(,20)
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 100.64.0.6;
    reg1 = 100.64.0.1;
    eth.src = 0a:58:64:40:00:01;
    outport = "rtoj-ovn_cluster_router";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8324.713s, table=20, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8324.676s, table=20, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:8683): ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.135.215/32, priority 101, uuid fa257030
    cookie=0xfa257030, duration=7574.790s, table=21, n_packets=0, n_bytes=0, idle_age=7574, priority=101,ip,metadata=0x5,nw_src=10.128.0.0/14,nw_dst=10.0.135.215 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8324.713s, table=22, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8324.675s, table=22, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11535): outport == "rtoj-ovn_cluster_router" && reg0 == 100.64.0.6, priority 100, uuid fb98b80d
    cookie=0xfb98b80d, duration=7527.832s, table=23, n_packets=33, n_bytes=6642, idle_age=317, priority=100,reg0=0x64400006,reg15=0x3,metadata=0x5 actions=set_field:0a:58:64:40:00:06->eth_dst,resubmit(,24)
    eth.dst = 0a:58:64:40:00:06;
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8324.713s, table=27, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8324.676s, table=27, n_packets=359808, n_bytes=158818846, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="ovn_cluster_router", inport="rtos-ip-10-0-144-143.ec2.internal", outport="rtoj-ovn_cluster_router")
--------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8324.713s, table=40, n_packets=769549, n_bytes=722125663, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8324.676s, table=40, n_packets=359959, n_bytes=158825252, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 6. lr_out_delivery (northd.c:11875): outport == "rtoj-ovn_cluster_router", priority 100, uuid 3a537c94
    cookie=0x3a537c94, duration=8324.713s, table=46, n_packets=166053, n_bytes=19925078, idle_age=0, priority=100,reg15=0x3,metadata=0x5 actions=resubmit(,64)
    output;
    /* output to "rtoj-ovn_cluster_router", type "patch" */

ingress(dp="join", inport="jtor-ovn_cluster_router")
----------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "jtor-ovn_cluster_router", priority 50, uuid b7b18223
    cookie=0xb7b18223, duration=8324.713s, table=8, n_packets=166053, n_bytes=19925078, idle_age=0, priority=50,reg14=0x1,metadata=0x3 actions=resubmit(,9)
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "jtor-ovn_cluster_router", priority 110, uuid 3a0c7e5d
    cookie=0x3a0c7e5d, duration=8324.713s, table=14, n_packets=0, n_bytes=0, idle_age=8324, priority=110,ipv6,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    cookie=0x3a0c7e5d, duration=8324.713s, table=14, n_packets=166053, n_bytes=19925078, idle_age=0, priority=110,ip,reg14=0x1,metadata=0x3 actions=resubmit(,15)
    next;
22. ls_in_l2_lkup (northd.c:8305): eth.dst == 0a:58:64:40:00:06, priority 50, uuid 0d845b46
    cookie=0xd845b46, duration=7527.832s, table=30, n_packets=33, n_bytes=6642, idle_age=317, priority=50,metadata=0x3,dl_dst=0a:58:64:40:00:06 actions=set_field:0x6->reg15,resubmit(,37)
    outport = "jtor-GR_ip-10-0-144-143.ec2.internal";
    output;

egress(dp="join", inport="jtor-ovn_cluster_router", outport="jtor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5659): ip && outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid e9f52572
    *** no OpenFlow flows
    next;
 9. ls_out_port_sec_l2 (northd.c:5607): outport == "jtor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid 9c8aa745
    *** no OpenFlow flows
    output;
    /* output to "jtor-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal")
--------------------------------------------------------------------------------------------
 0. lr_in_admission (northd.c:10535): eth.dst == 0a:58:64:40:00:06 && inport == "rtoj-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid ec6376d1
    *** no OpenFlow flows
    xreg0[0..47] = 0a:58:64:40:00:06;
    next;
 1. lr_in_lookup_neighbor (northd.c:10678): 1, priority 0, uuid 0ba0f970
    cookie=0xba0f970, duration=8324.713s, table=9, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    cookie=0xba0f970, duration=8324.676s, table=9, n_packets=359836, n_bytes=158820876, idle_age=0, priority=0,metadata=0x8 actions=set_field:0x4/0x4->xreg4,resubmit(,10)
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10687): reg9[2] == 1 || reg9[3] == 0, priority 100, uuid cdaff181
    cookie=0xcdaff181, duration=8324.676s, table=10, n_packets=359984, n_bytes=158827092, idle_age=0, priority=100,reg9=0x4/0x4,metadata=0x8 actions=resubmit(,11)
    cookie=0xcdaff181, duration=8324.676s, table=10, n_packets=0, n_bytes=0, idle_age=8324, priority=100,reg9=0/0x8,metadata=0x8 actions=resubmit(,11)
    next;
10. lr_in_ip_routing_pre (northd.c:10937): 1, priority 0, uuid 390d58e5
    cookie=0x390d58e5, duration=8324.714s, table=18, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    cookie=0x390d58e5, duration=8324.676s, table=18, n_packets=359816, n_bytes=158819366, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffffffff->xxreg1,resubmit(,19)
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9451): reg7 == 0 && ip4.dst == 0.0.0.0/0, priority 1, uuid 9e4511b4
    *** no OpenFlow flows
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 10.0.144.1;
    reg1 = 10.0.144.143;
    eth.src = 0e:61:09:b2:50:0b;
    outport = "rtoe-GR_ip-10-0-144-143.ec2.internal";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11012): reg8[0..15] == 0, priority 150, uuid c2749f5d
    cookie=0xc2749f5d, duration=8324.714s, table=20, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,21)
    cookie=0xc2749f5d, duration=8324.677s, table=20, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,21)
    next;
13. lr_in_policy (northd.c:11145): 1, priority 0, uuid 6616ddfd
    cookie=0x6616ddfd, duration=8324.714s, table=21, n_packets=150866, n_bytes=92416040, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    cookie=0x6616ddfd, duration=8324.677s, table=21, n_packets=359810, n_bytes=158818994, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0xffff00000000->xreg4,resubmit(,22)
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11147): reg8[0..15] == 0, priority 150, uuid 85a00be8
    cookie=0x85a00be8, duration=8324.714s, table=22, n_packets=772812, n_bytes=455249292, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x5 actions=resubmit(,23)
    cookie=0x85a00be8, duration=8324.676s, table=22, n_packets=359810, n_bytes=158818994, idle_age=0, priority=150,reg8=0/0xffff,metadata=0x8 actions=resubmit(,23)
    next;
15. lr_in_arp_resolve (northd.c:11181): ip4, priority 0, uuid b8d5d775
    cookie=0xb8d5d775, duration=8324.714s, table=23, n_packets=0, n_bytes=0, idle_age=8324, priority=0,ip,metadata=0x5 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    cookie=0xb8d5d775, duration=8324.677s, table=23, n_packets=359810, n_bytes=158818994, idle_age=0, priority=0,ip,metadata=0x8 actions=push:NXM_NX_REG0[],push:NXM_NX_XXREG0[96..127],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,66),pop:NXM_NX_REG0[],resubmit(,24)
    get_arp(outport, reg0);
    /* MAC binding to 0e:4c:94:8d:88:a3. */
    next;
19. lr_in_arp_request (northd.c:11827): 1, priority 0, uuid 6cc83334
    cookie=0x6cc83334, duration=8324.714s, table=27, n_packets=772812, n_bytes=455249292, idle_age=0, priority=0,metadata=0x5 actions=resubmit(,37)
    cookie=0x6cc83334, duration=8324.677s, table=27, n_packets=359808, n_bytes=158818846, idle_age=0, priority=0,metadata=0x8 actions=resubmit(,37)
    output;

egress(dp="GR_ip-10-0-144-143.ec2.internal", inport="rtoj-GR_ip-10-0-144-143.ec2.internal", outport="rtoe-GR_ip-10-0-144-143.ec2.internal")
-------------------------------------------------------------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13053): 1, priority 0, uuid 66e69dde
    cookie=0x66e69dde, duration=8324.714s, table=40, n_packets=769549, n_bytes=722125663, idle_age=0, priority=0,metadata=0x5 actions=set_field:0/0x10->xreg4,resubmit(,41)
    cookie=0x66e69dde, duration=8324.677s, table=40, n_packets=359959, n_bytes=158825252, idle_age=0, priority=0,metadata=0x8 actions=set_field:0/0x10->xreg4,resubmit(,41)
    reg9[4] = 0;
    next;
 1. lr_out_undnat (northd.c:13073): ip, priority 50, uuid 30f9f51d
    cookie=0x30f9f51d, duration=8324.677s, table=41, n_packets=0, n_bytes=0, idle_age=8324, priority=50,ipv6,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    cookie=0x30f9f51d, duration=8324.677s, table=41, n_packets=359810, n_bytes=158818994, idle_age=0, priority=50,ip,metadata=0x8 actions=set_field:0x1/0x1->reg10,ct(table=42,zone=NXM_NX_REG11[0..15],nat)
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 2. lr_out_post_undnat (northd.c:13075): ip && ct.new, priority 50, uuid 72597618
    cookie=0x72597618, duration=8324.677s, table=42, n_packets=5610, n_bytes=425836, idle_age=2, priority=50,ct_state=+new+trk,ip,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    cookie=0x72597618, duration=8324.677s, table=42, n_packets=0, n_bytes=0, idle_age=8324, priority=50,ct_state=+new+trk,ipv6,metadata=0x8 actions=ct(commit,zone=NXM_NX_REG11[0..15],nat(src)),resubmit(,43)
    ct_commit;
    next;
 6. lr_out_delivery (northd.c:11875): outport == "rtoe-GR_ip-10-0-144-143.ec2.internal", priority 100, uuid 5e0c78ba
    *** no OpenFlow flows
    output;
    /* output to "rtoe-GR_ip-10-0-144-143.ec2.internal", type "l3gateway" */

ingress(dp="ext_ip-10-0-144-143.ec2.internal", inport="etor-GR_ip-10-0-144-143.ec2.internal")
---------------------------------------------------------------------------------------------
 0. ls_in_port_sec_l2 (northd.c:5509): inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 50, uuid e3140e37
    *** no OpenFlow flows
    next;
 6. ls_in_pre_lb (northd.c:5656): ip && inport == "etor-GR_ip-10-0-144-143.ec2.internal", priority 110, uuid 01bbc6f5
    *** no OpenFlow flows
    next;
22. ls_in_l2_lkup (northd.c:7510): 1, priority 0, uuid e6316566
    cookie=0xe6316566, duration=8324.660s, table=30, n_packets=223890, n_bytes=68889118, idle_age=0, priority=0,metadata=0x9 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8324.713s, table=30, n_packets=0, n_bytes=0, idle_age=8324, priority=0,metadata=0x3 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    cookie=0xe6316566, duration=8324.715s, table=30, n_packets=0, n_bytes=0, idle_age=8324, priority=0,metadata=0x4 actions=set_field:0->reg15,resubmit(,71),resubmit(,31)
    outport = get_fdb(eth.dst);
    next;
23. ls_in_l2_unknown (northd.c:7515): outport == "none", priority 50, uuid cd3aa917
    cookie=0xcd3aa917, duration=8324.661s, table=31, n_packets=223890, n_bytes=68889118, idle_age=0, priority=50,reg15=0,metadata=0x9 actions=set_field:0x8001->reg15,resubmit(,37)
    outport = "_MC_unknown";
    output;

multicast(dp="ext_ip-10-0-144-143.ec2.internal", mcgroup="_MC_unknown")
-----------------------------------------------------------------------

    egress(dp="ext_ip-10-0-144-143.ec2.internal", inport="etor-GR_ip-10-0-144-143.ec2.internal", outport="br-ex_ip-10-0-144-143.ec2.internal")
    ------------------------------------------------------------------------------------------------------------------------------------------
         0. ls_out_pre_lb (northd.c:5659): ip && outport == "br-ex_ip-10-0-144-143.ec2.internal", priority 110, uuid e34a92c1
            *** no OpenFlow flows
            next;
         9. ls_out_port_sec_l2 (northd.c:5607): outport == "br-ex_ip-10-0-144-143.ec2.internal", priority 50, uuid 34f65456
            *** no OpenFlow flows
            output;
            /* output to "br-ex_ip-10-0-144-143.ec2.internal", type "localnet" */
sh-4.4# 
~~~

Comment 3 Andreas Karis 2022-04-01 11:17:23 UTC
If the destination is on the same subnet, but off cluster, we SNAT to the egress IP:
~~~
sh-4.4# ovn-trace --minimal  --ovs ip-10-0-144-143.ec2.internal 'inport == "e2e-test-egressip-pfvtq_e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p" && eth.src == 0a:58:0a:80:02:14 &&  eth.dst == 0a:58:0a:80:02:01 && ip4.src == 10.128.2.20 && ip4.dst == 10.0.135.216 && ip.ttl == 64 && tcp.src==12345 && tcp.dst == 32667' --ct new
# tcp,reg14=0xe,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:14,dl_dst=0a:58:0a:80:02:01,nw_src=10.128.2.20,nw_dst=10.0.135.216,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=12345,tp_dst=32667,tcp_flags=0
*** no OpenFlow flows;
*** no OpenFlow flows;
ct_lb {
    reg0[6] = 0;
    *** chk_lb_hairpin_reply action not implemented;
    reg0[12] = 0;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 0a:58:64:40:00:01;
    eth.src = 0a:58:64:40:00:01;
    eth.dst = 0a:58:64:40:00:05;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    *** no OpenFlow flows;
    ip.ttl--;
    eth.src = 02:8e:15:e3:f3:75;
    eth.dst = 02:19:01:a5:ff:cb;
    ct_dnat /* assuming no un-dnat entry, so no change */ {
        *** no OpenFlow flows;
        ct_snat(ip4.src=10.0.160.5) {
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            *** no OpenFlow flows;
            output("br-ex_ip-10-0-161-98.ec2.internal");
        };
    };
};
~~~

Comment 4 Andreas Karis 2022-04-01 11:27:27 UTC
The reason that this happens is that the SNAT here is missing as soon as we use egress IP:
~~~
sh-4.4# ovn-nbctl lr-nat-list GR_ip-10-0-144-143.ec2.internal
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             10.0.144.143                        10.128.2.8
snat             10.0.144.143                        10.128.2.12
snat             10.0.144.143                        10.128.2.5
snat             10.0.144.143                        10.128.2.10
snat             10.0.144.143                        10.128.2.4
snat             10.0.144.143                        10.128.2.3
snat             10.0.144.143                        10.128.2.6
snat             10.0.144.143                        10.128.2.13
snat             10.0.144.143                        10.128.2.7
~~~

Yet, we do not reroute traffic with destination 10.0.135.215/32:
~~~
sh-4.4# ovn-nbctl lr-policy-list ovn_cluster_router
Routing Policies
      1004 inport == "rtos-ip-10-0-135-215.ec2.internal" && ip4.dst == 10.0.135.215 /* ip-10-0-135-215.ec2.internal */         reroute                10.129.2.2
      1004 inport == "rtos-ip-10-0-138-37.ec2.internal" && ip4.dst == 10.0.138.37 /* ip-10-0-138-37.ec2.internal */         reroute                10.129.0.2
      1004 inport == "rtos-ip-10-0-144-143.ec2.internal" && ip4.dst == 10.0.144.143 /* ip-10-0-144-143.ec2.internal */         reroute                10.128.2.2
      1004 inport == "rtos-ip-10-0-153-96.ec2.internal" && ip4.dst == 10.0.153.96 /* ip-10-0-153-96.ec2.internal */         reroute                10.130.0.2
      1004 inport == "rtos-ip-10-0-161-98.ec2.internal" && ip4.dst == 10.0.161.98 /* ip-10-0-161-98.ec2.internal */         reroute                10.131.0.2
      1004 inport == "rtos-ip-10-0-168-18.ec2.internal" && ip4.dst == 10.0.168.18 /* ip-10-0-168-18.ec2.internal */         reroute                10.128.0.2
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.135.215/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.138.37/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.144.143/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.153.96/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.161.98/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.168.18/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 100.64.0.0/16           allow
       100                             ip4.src == 10.128.2.20         reroute                100.64.0.5
~~~

The missing reroute makes sense:
https://docs.openshift.com/container-platform/4.10/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html#nw-egress-ips-about_configuring-egress-ips-ovn
~~~
Egress IP address architectural design and implementation

The OpenShift Container Platform egress IP address functionality allows you to ensure that the traffic from one or more pods in one or more namespaces has a consistent source IP address for services outside the cluster network.
~~~

Removing the SNAT though does not.

When looking at the host that hosts the EgressIP:
~~~
sh-4.4# ovn-nbctl lr-nat-list GR_ip-10-0-161-98.ec2.internal    
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
snat             10.0.160.5                          10.128.2.20
snat             10.0.161.98                         10.131.0.15
snat             10.0.161.98                         10.131.0.13
snat             10.0.161.98                         10.131.0.4
snat             10.0.161.98                         10.131.0.34
snat             10.0.161.98                         10.131.0.10
snat             10.0.161.98                         10.131.0.32
snat             10.0.161.98                         10.131.0.5
snat             10.0.161.98                         10.131.0.33
snat             10.0.161.98                         10.131.0.7
snat             10.0.161.98                         10.131.0.11
snat             10.0.161.98                         10.131.0.3
snat             10.0.161.98                         10.131.0.12
snat             10.0.161.98                         10.131.0.9
snat             10.0.161.98                         10.131.0.6
snat             10.0.161.98                         10.131.0.19
snat             10.0.161.98                         10.131.0.20
~~~

As a consequence, when the same pod is spawned on node ip-10-0-161-98.ec2.internal, it will actually be NATted to the egressip when it reaches out to the other host networked pod (that's also contrary to the description of the feature).

Comment 5 Andreas Karis 2022-04-01 11:59:06 UTC
What we would really need here, is a conditional SNAT:
* when on the host that does not host the EgressIP, always SNAT to the host local IP  (so do *not* delete the pod's SNAT assignment). --> already feasible today with a code change

* when on the host that does have the EgressIP: 
a) for traffic to the cluster IPs, SNAT to the host local IP
b) for traffic off cluster, SNAT to the EgressIP
Something like the following iptables rules:
~~~
iptables -t nat -I POSTROUTING -s 10.128.2.20 -d 10.0.135.215 -j MASQUERADE   # and for all other on cluster targets
iptables -t nat -I POSTROUTING 2 -s 10.128.2.20 -j SNAT --to-source 10.0.160.5   # for all other targets
~~~
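The state shown in comments 3 and 4 and the conditional SNAT proposed in comment 5, modelled as an added example (not code from ovn-kubernetes or from the reporter). It evaluates abridged copies of the quoted `lr-policy-list` and `lr-nat-list` output for traffic that leaves through a gateway router; the mapping of 100.64.0.5 to the egress node's gateway router and all function names are assumptions.

```python
import ipaddress
import re

# Constructed input: abridged copies of the ovn-nbctl output quoted in comment 4.
POLICY_LIST = """\
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.135.215/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.0.144.143/32           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 10.128.0.0/14           allow
       101 ip4.src == 10.128.0.0/14 && ip4.dst == 100.64.0.0/16           allow
       100                             ip4.src == 10.128.2.20         reroute                100.64.0.5
"""
NAT_LISTS = {
    "GR_ip-10-0-144-143.ec2.internal": """\
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP
snat             10.0.144.143                        10.128.2.8
snat             10.0.144.143                        10.128.2.12
""",
    "GR_ip-10-0-161-98.ec2.internal": """\
TYPE             EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP
snat             10.0.160.5                          10.128.2.20
snat             10.0.161.98                         10.131.0.15
""",
}
# Assumption: 100.64.0.5 is the join-switch address of the egress node's gateway
# router, inferred from the trace in comment 3 (output on br-ex_ip-10-0-161-98).
JOIN_IP_TO_GR = {"100.64.0.5": "GR_ip-10-0-161-98.ec2.internal"}


def parse_policies(text):
    """Parse lr-policy-list rows into (priority, clauses, action, nexthop)."""
    rows = []
    for line in text.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line).strip()  # drop /* node name */ comments
        m = re.match(r"(\d+)\s+(.+?)\s+(allow|reroute|drop)\s*(\S*)$", line)
        if m:
            clauses = dict(re.findall(r'([\w.]+)\s*==\s*"?([^\s"&]+)"?', m.group(2)))
            rows.append((int(m.group(1)), clauses, m.group(3), m.group(4) or None))
    return sorted(rows, key=lambda r: -r[0])  # highest priority is evaluated first


def parse_snat(text):
    """Return {logical_ip: external_ip}; assumes an empty EXTERNAL_PORT column."""
    rows = (line.split() for line in text.splitlines())
    return {r[2]: r[1] for r in rows if len(r) >= 3 and r[0] == "snat"}


def route(policies, src, dst, inport=""):
    """First matching policy wins; no match behaves like allow."""
    pkt = {"ip4.src": src, "ip4.dst": dst, "inport": inport}
    for _prio, clauses, action, nexthop in policies:
        ok = True
        for field, want in clauses.items():
            if field.startswith("ip4."):
                net = ipaddress.ip_network(want, strict=False)
                ok &= ipaddress.ip_address(pkt[field]) in net
            else:
                ok &= pkt.get(field) == want
        if ok:
            return action, nexthop
    return "allow", None


def observed_source(pod_ip, local_gr, dst):
    """Gateway router used and source IP the target sees, per the tables above."""
    action, nexthop = route(parse_policies(POLICY_LIST), pod_ip, dst)
    gr = JOIN_IP_TO_GR.get(nexthop, local_gr) if action == "reroute" else local_gr
    snat = parse_snat(NAT_LISTS[gr])
    return gr, snat.get(pod_ip, pod_ip)  # no SNAT row: the model leaves the pod IP


def proposed_source(pod_ip, node_ip, egress_ip, dst):
    """Comment 5: node IP for targets that are not rerouted, EgressIP otherwise."""
    action, _ = route(parse_policies(POLICY_LIST), pod_ip, dst)
    return egress_ip if action == "reroute" else node_ip


if __name__ == "__main__":
    pod, gr = "10.128.2.20", "GR_ip-10-0-144-143.ec2.internal"
    for dst in ("10.0.135.215", "10.0.135.216"):  # cluster node, off-cluster host
        print(dst, observed_source(pod, gr, dst),
              proposed_source(pod, "10.0.144.143", "10.0.160.5", dst))
```

For the cluster node 10.0.135.215 the priority-101 allow wins over the priority-100 reroute, the packet stays on the local gateway router, and no SNAT row matches there; for 10.0.135.216 the reroute applies and the egress node translates to 10.0.160.5, as in the trace in comment 3.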

Comment 7 Andreas Karis 2022-04-13 08:34:59 UTC
Sure. Examples are on kind, but it's the exact same on OpenShift.

Preparation:
===================================
~~~
contrib/kind.sh -ha --ipv6
~~~

01) separate nodes into 2 sets:
~~~
export SOURCE_NAMESPACE="egressip-source"
export TARGET_NAMESPACE="egressip-target"
export EGRESSIP_NAME="egressip-source"
export SOURCE_LABEL="node-role.kubernetes.io/egressip-test-source"
export TARGET_LABEL="node-role.kubernetes.io/egressip-test-target"
export TARGET_TAINT="egressip-test-target"
export EGRESS_ASSIGNABLE_LABEL="k8s.ovn.org/egress-assignable"
# https://docs.openshift.com/container-platform/4.10/installing/installing_aws/installing-restricted-networks-aws.html#installation-cloudformation-security_installing-restricted-networks-aws
export TARGET_PORT="32767"

oc label node ovn-control-plane $TARGET_LABEL=""
oc label node ovn-worker $SOURCE_LABEL=""
oc label node ovn-worker2 $SOURCE_LABEL=""
~~~

02) apply a taint on the target node
~~~
echo "Applying target NoExecute taint to target nodes"
nodes=$(oc get nodes -l ${TARGET_LABEL}= -o name)
if [ $(echo $nodes | wc -w) -lt 1 ] ; then
  echo "Not enough worker nodes with label ${TARGET_LABEL} - at least 1 worker node is required. Got: $nodes"
  exit 1
fi

i=0
for n in $nodes; do
  oc adm taint node $n ${TARGET_TAINT}=true:NoExecute --overwrite
done
~~~

03) assign labels to source nodes:
~~~
echo "Applying egress assignable label ${EGRESS_ASSIGNABLE_LABEL} to nodes"
nodes=$(oc get nodes -l ${SOURCE_LABEL}= -o name)
if [ $(echo $nodes | wc -w) -lt 2 ] ; then
  echo "Not enough worker nodes with label ${SOURCE_LABEL} - at least 2 worker nodes are required. Got: $nodes"
  exit 1
fi

i=0
for n in $nodes; do
  oc label $n ${EGRESS_ASSIGNABLE_LABEL}="" --overwrite
done

oc get nodes -l k8s.ovn.org/egress-assignable=""
~~~

04) create target pod (host networked):
~~~
file=$(mktemp)
cat <<EOF > ${file}
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${TARGET_NAMESPACE}
  labels:
    env: ${TARGET_NAMESPACE}
---
apiVersion: apps/v1
kind: "DaemonSet"
metadata:
  labels:
    app: ${TARGET_NAMESPACE}-deployment
  name: ${TARGET_NAMESPACE}-deployment
  namespace: ${TARGET_NAMESPACE}
spec:
  selector:
    matchLabels:
      app: ${TARGET_NAMESPACE}-deployment
  template:
    metadata:
      labels:
        app: ${TARGET_NAMESPACE}-deployment
    spec:
      hostNetwork: true
      nodeSelector:
        ${TARGET_LABEL}: ""
      tolerations:
        - key: ${TARGET_TAINT}
          operator: Exists
      containers:
      - command:
        - "/agnhost"
        - "netexec"
        - "--http-port"
        - "${TARGET_PORT}"
        image: k8s.gcr.io/e2e-test-images/agnhost:2.33
        imagePullPolicy: IfNotPresent
        name: agnhost
EOF
oc apply -f ${file}
~~~

05) create pods inside the source namespace which will get the egressip later:
~~~
file=$(mktemp)
cat <<EOF >| $file
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${SOURCE_NAMESPACE}
  labels:
    env: ${SOURCE_NAMESPACE}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: ${SOURCE_NAMESPACE}-deployment
  name: ${SOURCE_NAMESPACE}-deployment
  namespace: ${SOURCE_NAMESPACE}
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ${SOURCE_NAMESPACE}-deployment
  template:
    metadata:
      labels:
        app: ${SOURCE_NAMESPACE}-deployment
    spec:
      nodeSelector:
        ${SOURCE_LABEL}: ""
      containers:
      - command:
        - "/agnhost"
        - "netexec"
        - "--http-port"
        - "8000"
          #- serve-hostname
        image: k8s.gcr.io/e2e-test-images/agnhost:2.33
        imagePullPolicy: IfNotPresent
        name: agnhost
EOF
cat ${file}
oc apply -f ${file}
~~~

Baseline test:
=====================================

Test the target pod from the host and from both source pods:
~~~
[root@ovnkubernetes ovn-kubernetes]# oc get pods -o wide -n $TARGET_NAMESPACE -o custom-columns=IP:.status.podIP
IP
172.18.0.4
[root@ovnkubernetes ovn-kubernetes]# echo $TARGET_PORT
32767
[root@ovnkubernetes ovn-kubernetes]# oc get pods -n $SOURCE_NAMESPACE
NAME                                          READY   STATUS    RESTARTS   AGE
egressip-source-deployment-56d66c78dd-58x4p   1/1     Running   0          102s
egressip-source-deployment-56d66c78dd-j85d9   1/1     Running   0          102s
~~~

~~~
[root@ovnkubernetes ovn-kubernetes]# curl 172.18.0.4:$TARGET_PORT/clientip
172.18.0.1:40646
~~~

~~~
[root@ovnkubernetes ovn-kubernetes]# oc exec -n $SOURCE_NAMESPACE egressip-source-deployment-56d66c78dd-58x4p -- curl -s  172.18.0.4:$TARGET_PORT/clientip
172.18.0.2:42692[root@ovnkubernetes ovn-kubernetes]# 
[root@ovnkubernetes ovn-kubernetes]# oc exec -n $SOURCE_NAMESPACE egressip-source-deployment-56d66c78dd-j85d9 -- curl -s  172.18.0.4:$TARGET_PORT/clientip
172.18.0.3:45944
~~~

This is the expected baseline. When pods connect to a host networked pod inside the cluster, they hit an SNAT, are SNATted and the target pod sees the node's IP address.

Reproducing the issue
==================================

~~~
file=$(mktemp)
cat <<EOF >| ${file}
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  name: ${EGRESSIP_NAME}
spec:
  egressIPs: [ "172.18.0.10" ]
  namespaceSelector:
    matchLabels:
      env: ${SOURCE_NAMESPACE}
EOF
oc apply -f $file
~~~

Broken case a):

EgressIP assigned to source node's node. This works, but traffic hits the EgressIP NAT. This is contrary to the definition of the feature. Traffic should not be natted to EgressIP at all, because this is not an off-cluster target. This case is way more difficult to fix than case b):

~~~
[root@ovnkubernetes ovn-kubernetes]# oc get egressip
NAME              EGRESSIPS     ASSIGNED NODE   ASSIGNED EGRESSIPS
egressip-source   172.18.0.10   ovn-worker      172.18.0.10
~~~

~~~
[root@ovnkubernetes ovn-kubernetes]# oc get pods -n $SOURCE_NAMESPACE -o wide
NAME                                          READY   STATUS    RESTARTS   AGE     IP           NODE          NOMINATED NODE   READINESS GATES
egressip-source-deployment-56d66c78dd-58x4p   1/1     Running   0          8m10s   10.244.0.5   ovn-worker2   <none>           <none>
egressip-source-deployment-56d66c78dd-j85d9   1/1     Running   0          8m10s   10.244.2.4   ovn-worker    <none>           <none>
~~~

~~~
[root@ovnkubernetes ovn-kubernetes]# oc exec -n $SOURCE_NAMESPACE egressip-source-deployment-56d66c78dd-j85d9 -- curl -s  172.18.0.4:$TARGET_PORT/clientip
172.18.0.10:48632
~~~

Broken case b):

Not reproducible on kind, but reproducible on OpenShift 4.10.4 when I had filed the bug.
~~~
[root@ovnkubernetes ovn-kubernetes]# time oc exec -n $SOURCE_NAMESPACE egressip-source-deployment-56d66c78dd-58x4p -- curl -s  172.18.0.4:$TARGET_PORT/clientip
172.18.0.2:46512
real	0m0.220s
user	0m0.140s
sys	0m0.048s
~~~

Either this affects OpenShift only (which I doubt), or this is already fixed upstream.

Comment 8 Andreas Karis 2022-04-13 10:58:28 UTC
In latest 4.10 on AWS:
~~~
[akaris@linux option5 (main)]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-04-13-010908   True        False         32m     Cluster version is 4.10.0-0.nightly-2022-04-13-010908
~~~

Applying egress ip stuff:
~~~
bash -x 00_label_nodes.sh
bash -x 01_taint_target_nodes.sh 
bash -x 02_add_egress_assignable.sh 
bash -x 03_deploy_egressip_target.sh 
bash -x 04_deploy_egressip_source.sh
cat <<'EOF' > egressip.yaml 
apiVersion: k8s.ovn.org/v1
kind: EgressIP
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"k8s.ovn.org/v1","kind":"EgressIP","metadata":{"annotations":{},"name":"egressip-source"},"spec":{"egressIPs":["10.0.128.5","10.0.192.5"],"namespaceSelector":{"matchLabels":{"env":"egressip-source"}}}}
  creationTimestamp: "2022-04-13T10:47:41Z"
  generation: 3
  name: egressip-source
  resourceVersion: "37814"
  uid: 66999786-e487-42c4-b11a-bc4cfb348cb4
spec:
  egressIPs:
  - 10.0.128.5
  namespaceSelector:
    matchLabels:
      env: egressip-source
EOF
oc apply -f egressip.yaml
~~~

Testing:
~~~
[akaris@linux option5 (main)]$ oc get egressip
NAME              EGRESSIPS    ASSIGNED NODE                                ASSIGNED EGRESSIPS
egressip-source   10.0.128.5   ip-10-0-190-247.us-east-2.compute.internal   10.0.128.5
[akaris@linux option5 (main)]$ oc get pods -A -o wide | grep source
egressip-source                                    egressip-source-deployment-56d66c78dd-8svhc                                 1/1     Running     0             112s    10.129.2.19    ip-10-0-190-247.us-east-2.compute.internal   <none>           <none>
egressip-source                                    egressip-source-deployment-56d66c78dd-v28z8                                 1/1     Running     0             112s    10.128.2.21    ip-10-0-204-202.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-source-58474684f7-nhwts                                       1/1     Running     0             2m27s   10.129.2.13    ip-10-0-190-247.us-east-2.compute.internal   <none>           <none>
[akaris@linux option5 (main)]$ oc get pods -A -o wide | grep target
egressip-target                                    egressip-target-deployment-rd5d6                                            1/1     Running     0             2m30s   10.0.159.106   ip-10-0-159-106.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-4v4zf                                                  1/1     Running     0             37m     10.128.2.5     ip-10-0-204-202.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-bcl54                                                  1/1     Running     0             44m     10.129.0.8     ip-10-0-155-115.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-fszx5                                                  1/1     Running     0             38m     10.131.0.5     ip-10-0-159-106.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-gfdfq                                                  1/1     Running     0             35m     10.129.2.5     ip-10-0-190-247.us-east-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-nq7zx                                                  1/1     Running     0             44m     10.130.0.7     ip-10-0-246-17.us-east-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-target-tgtwf                                                  1/1     Running     0             44m     10.128.0.8     ip-10-0-171-125.us-east-2.compute.internal   <none>           <none>
~~~

Broken case a)
~~~
[akaris@linux option5 (main)]$ oc exec -n egressip-source egressip-source-deployment-56d66c78dd-8svhc -- curl -s 10.0.159.106:32767/clientip
10.0.128.5:38728  # <--- egressip
~~~

Broken case b)
~~~
[akaris@linux option5 (main)]$ timeout 10 oc exec -n egressip-source egressip-source-deployment-56d66c78dd-v28z8 -- curl -s 10.0.159.106:32767/clientip
[akaris@linux option5 (main)]$     # <---- nothing
~~~

Baseline:
~~~
[akaris@linux option5 (main)]$ oc delete -f egressip.yaml 
egressip.k8s.ovn.org "egressip-source" deleted
[akaris@linux option5 (main)]$ oc exec -n egressip-source egressip-source-deployment-56d66c78dd-8svhc -- curl -s 10.0.159.106:32767/clientip
10.0.190.247:41334
[akaris@linux] timeout 10 oc exec -n egressip-source egressip-source-deployment-56d66c78dd-v28z8 -- curl -s 10.0.159.106:32767/clientip
10.0.204.202:56782
~~~

Comment 10 Andreas Karis 2022-04-13 12:07:22 UTC
AWS, 4.11 latest also has the issue:
~~~
[akaris@linux option5 (main)]$ oc get egressip
NAME              EGRESSIPS    ASSIGNED NODE                               ASSIGNED EGRESSIPS
egressip-source   10.0.128.5   ip-10-0-188-46.us-west-2.compute.internal   10.0.128.5
[akaris@linux option5 (main)]$ oc get pods -o wide -A | grep source
egressip-source                                    egressip-source-deployment-56d66c78dd-747ht                                1/1     Running       0             16s     10.128.2.24    ip-10-0-188-46.us-west-2.compute.internal    <none>           <none>
egressip-source                                    egressip-source-deployment-56d66c78dd-pwqh5                                1/1     Running       0             16s     10.131.0.18    ip-10-0-227-72.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-source-7545f76ddc-lw2ll                                      1/1     Running       0             51m     10.128.2.4     ip-10-0-188-46.us-west-2.compute.internal    <none>           <none>
[akaris@linux option5 (main)]$ oc get pods -o wide -A | grep target
egressip-target                                    egressip-target-deployment-fsqr4                                           1/1     Running       0             27s     10.0.160.229   ip-10-0-160-229.us-west-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-82qdx                                                 1/1     Running       0             51m     10.130.0.6     ip-10-0-158-48.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-target-8kmxx                                                 1/1     Running       0             43m     10.131.0.6     ip-10-0-227-72.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-target-cc7hd                                                 1/1     Running       0             51m     10.129.0.6     ip-10-0-225-68.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-target-wqch9                                                 1/1     Running       0             51m     10.128.0.10    ip-10-0-129-78.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-target-x62db                                                 1/1     Running       0             43m     10.129.2.4     ip-10-0-160-229.us-west-2.compute.internal   <none>           <none>
openshift-network-diagnostics                      network-check-target-xqtrf                                                 1/1     Running       0             43m     10.128.2.7     ip-10-0-188-46.us-west-2.compute.internal    <none>           <none>
[akaris@linux option5 (main)]$ oc get pods -o wide -A | grep source
egressip-source                                    egressip-source-deployment-56d66c78dd-747ht                                1/1     Running     0             25s     10.128.2.24    ip-10-0-188-46.us-west-2.compute.internal    <none>           <none>
egressip-source                                    egressip-source-deployment-56d66c78dd-pwqh5                                1/1     Running     0             25s     10.131.0.18    ip-10-0-227-72.us-west-2.compute.internal    <none>           <none>
openshift-network-diagnostics                      network-check-source-7545f76ddc-lw2ll                                      1/1     Running     0             51m     10.128.2.4     ip-10-0-188-46.us-west-2.compute.internal    <none>           <none>
[akaris@linux option5 (main)]$  oc exec -n egressip-source egressip-source-deployment-56d66c78dd-747ht -- curl -s 10.0.160.229:32767/clientip
10.0.128.5:45480[akaris@linux option5 (main)]$ 
[akaris@linux option5 (main)]$  oc exec -n egressip-source egressip-source-deployment-56d66c78dd-pwqh5 -- curl -s 10.0.160.229:32767/clientip
^C
[akaris@linux option5 (main)]$ timeout 10  oc exec -n egressip-source egressip-source-deployment-56d66c78dd-pwqh5 -- curl -s 10.0.160.229:32767/clientip
~~~

~~~
[akaris@linux option5 (main)]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-04-12-072444   True        False         27m     Error while reconciling 4.11.0-0.nightly-2022-04-12-072444: the cluster operator monitoring has not yet successfully rolled out
~~~

Perhaps in kind, this "just works" because the switching/routing is more forgiving?

Comment 11 Tim Rozet 2022-04-19 16:43:51 UTC
*** Bug 2076321 has been marked as a duplicate of this bug. ***

Comment 14 Surya Seetharaman 2022-04-20 20:03:34 UTC
Hi Siva,

I have a fix which I am testing out, we want to be extra sure it will work and not break anything. I will post a PR soon (tomorrow morning).
Thanks for your patience.

Workaround is to add the SNAT back to the node where the pod lives manually, but changing the db manually is of course not recommended.
It would be something like:
"ovn-nbctl lr-nat-add GR_nodename snat nodeIP podIP" -> I would recommend waiting for a proper fix instead of doing this.

Please rest assured that this is being worked on with high priority.
Cheers,
Surya.

Comment 15 Anand Paladugu 2022-04-21 19:44:39 UTC
@surya 

I have tested on OCP 4.10.9 to see if creating the missing snat entry makes the problem go away and it worked.

 "ovn-nbctl lr-nat-add GR_worker-0.devops.lab.pnq2.cee.redhat.com snat 10.74.176.229 10.131.0.7"

I have not checked to see if the entry persists after restarting ovn pods on the masters and worker-0.

So is the issue only happening if a non host-network pod tries to communicate with a host-network pod ?

Thx

Anand

Comment 16 Surya Seetharaman 2022-04-21 22:01:12 UTC
upstream PR: https://github.com/ovn-org/ovn-kubernetes/pull/2945

Comment 17 Surya Seetharaman 2022-04-21 22:17:01 UTC
(In reply to Anand Paladugu from comment #15)
> @surya 
> 
> I have tested on OCP 4.10.9 to see if creating the missing snat entry makes
> the problem go away and it worked.
> 
>  "ovn-nbctl lr-nat-add GR_worker-0.devops.lab.pnq2.cee.redhat.com snat
> 10.74.176.229 10.131.0.7"
> 

sure it will work :) but hacking dbs wouldn't be the best option... it's unsafe

> I have not checked to see if the entry persists after restarting ovn pods on
> the masters and worker-0.

It will persist because you are inserting an entry into the ovsdb.

> 
> So is the issue only happening if a non host-network pod tries to
> communicate with a host-network pod ?
> 
It will affect all:

1) pod2host-net traffic (where host-net pods are on other nodes and not on the node where the pod lives)
2) pod2svc(backed by host-net pods which live on nodes other than the node where the pod lives)

Comment 18 Anand Paladugu 2022-04-25 02:56:25 UTC
@surya   Thanks for the info.

Comment 19 Surya Seetharaman 2022-04-25 10:07:19 UTC
removing needinfo...

Comment 20 Surya Seetharaman 2022-04-25 10:09:47 UTC
> I have not checked to see if the entry persists after restarting ovn pods on
> the masters and worker-0.

It will persist because you are inserting an entry into the ovsdb.

actually let me correct myself here, it's possible it doesn't persist, because the restart will load the buggy code where we delete the SNAT, so it will remove it again :(

Comment 30 errata-xmlrpc 2022-08-10 11:03:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

