This bug was initially created as a copy of Bug #2070929 I am copying this bug because: OVN-Kubernetes: EgressIP breaks access from a pod with EgressIP to other host networked pods on different nodes Scenario: * pod <podA> on node <nodeA> in namespace <nsA> accesses a host networked pod <podB> on node <nodeB> * EgressIP <eipA> is assigned to namespace <nsA> * Traffic from <podA> to <podB> breaks Pods: ~~~ [akaris@linux 2070878]$ oc get pods -A -o wide | grep egress | grep -v debug e2e-test-egressip-8wznm egressip-target-daemonset-sq27b 1/1 Running 0 19m 10.0.135.215 ip-10-0-135-215.ec2.internal <none> <none> e2e-test-egressip-pfvtq e2e-test-egressip-pfvtq-deployment-799497dc77-j9w2p 1/1 Running 0 19m 10.128.2.20 ip-10-0-144-143.ec2.internal <none> <none> [akaris@linux 2070878]$ ~~~ Before applying the EgressIP: ================================================ curl from ~~~ ~ $ curl 10.0.135.215:32667/clientip 10.0.144.143:49524~ $ ~~~ Tcpdump on node/ip-10-0-144-143.ec2.internal - we see that the traffic is SNAT'ed to the source node and then sent to the destination node: ~~~ sh-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes 10:44:21.980235 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0 10:44:21.981733 0e:4c:94:8d:88:a3 > 0e:61:09:b2:50:0b, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0 10:44:21.982334 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90 10:44:21.982339 0e:61:09:b2:50:0b > 0e:4c:94:8d:88:a3, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0 (...) ~~~ We see the same traffic on the destination host ip-10-0-135-215.ec2.internal: ~~~ h-4.4# tcpdump -nne -i ens5 host 10.0.135.215 and port 32667 dropped privs to tcpdump tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes 10:44:21.980683 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 74: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [S], seq 337255231, win 26583, options [mss 8861,sackOK,TS val 2215492582 ecr 0,nop,wscale 7], length 0 10:44:21.981285 0a:71:d0:10:a3:bd > 0a:a8:54:d9:eb:39, ethertype IPv4 (0x0800), length 74: 10.0.135.215.32667 > 10.0.144.143.49524: Flags [S.], seq 1450458968, ack 337255232, win 26847, options [mss 8961,sackOK,TS val 2693376292 ecr 2215492582,nop,wscale 7], length 0 10:44:21.982748 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 156: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [P.], seq 1:91, ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 90 10:44:21.982796 0a:a8:54:d9:eb:39 > 0a:71:d0:10:a3:bd, ethertype IPv4 (0x0800), length 66: 10.0.144.143.49524 > 10.0.135.215.32667: Flags [.], ack 1, win 208, options [nop,nop,TS val 2215492584 ecr 2693376292], length 0 (...) ~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.10.15 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:2258
*** Bug 2095713 has been marked as a duplicate of this bug. ***