Description of problem:

In the following OVN configuration with a stateless dnat_and_snat on a logical router for 172.18.2.10:

switch 10795470-d76e-493c-a43e-b9aad2e88aa8 (ls1)
    port vm2
        addresses: ["00:00:00:00:00:06 192.168.100.6"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:00:01"]
        router-port: lr1-ls1
    port vm1
        addresses: ["00:00:00:00:00:05 192.168.100.5"]
switch 04d43b02-f475-4f72-af33-2842e7052494 (ls-pub)
    port ext-router
        addresses: ["00:00:00:00:01:02 172.18.1.2"]
    port ls-pub-lr1
        type: router
        addresses: ["00:00:00:00:01:01"]
        router-port: lr1-ls-pub
router 286d7302-c3dd-4cf5-ac21-da3a817ce6d6 (lr1)
    port lr1-ls-pub
        mac: "00:00:00:00:01:01"
        networks: ["172.18.1.1/24"]
        gateway chassis: [hv1]
    port lr1-ls1
        mac: "00:00:00:00:00:01"
        networks: ["192.168.100.1/24"]
    nat b5bc05d4-b728-460d-9ff3-7073224bea8f
        external ip: "172.18.1.1"
        logical ip: "192.168.100.0/24"
        type: "snat"
    nat c0beb2ed-765e-48d6-94a6-06c56e89f325
        external ip: "172.18.2.10"
        logical ip: "192.168.100.6"
        type: "dnat_and_snat"

If vm2 is trying to ping itself via the DNAT IP 172.18.2.10, the packet is getting dropped at the lr_in_gw_redirect stage.

The setup also includes the following ACLs, but I'm not sure how important they are:

    ovn-nbctl pg-add pg1 vm1 vm2
    pg1_uuid=$(fetch_column nb:Port_Group _uuid name=pg1)
    ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related
    ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && icmp4" allow-related
    ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == \$pg1_ip4" allow-related

---

This is a regression caused by the fix for BZ2066990.

The issue can be reproduced with the OVN system testsuite by applying the following patch:
https://launchpadlibrarian.net/596069233/test-synthesis.patch

Note that the actual ping will not work without the kernel fix:
https://patchwork.kernel.org/project/netdevbpf/patch/20220606221140.488984-1-i.maximets@ovn.org/

But the packet should not be dropped by the OVN pipeline regardless.
upstream fix: https://patchwork.ozlabs.org/project/ovn/patch/409c31361c83deb29581a5b4e27f1504342f43f6.1654882598.git.lorenzo.bianconi@redhat.com/
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102479
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102480
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102481
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102482
This issue is fixed in ovn22.06-22.06.0-15.el8fdp
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2102483
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103305
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103306
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103308
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103309
This issue is fixed in ovn22.06-22.06.0-16.el8fdp
This issue has been cloned at https://bugzilla.redhat.com/show_bug.cgi?id=2103312
Verified on ovn22.06-22.06.0-16.el8:

+ ovn-nbctl --wait=hv sync
+ ip netns exec vm1 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 192.168.100.6: icmp_seq=1 ttl=64 time=0.916 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.916/0.916/0.916/0.000 ms
+ ip netns exec vm2 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 172.18.2.10: icmp_seq=1 ttl=62 time=1.01 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.012/1.012/1.012/0.000 ms
++ ovn-nbctl find nat external_ip=172.18.2.10
++ awk '/_uuid/{print $3}'
+ nat_uuid=1e4c4d78-eda5-4c14-add3-a7c26f8ca76b
+ ovn-nbctl set nat 1e4c4d78-eda5-4c14-add3-a7c26f8ca76b options:stateless=true
+ ip netns exec vm1 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 192.168.100.6: icmp_seq=1 ttl=64 time=0.044 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.044/0.044/0.044/0.000 ms
+ ip netns exec vm2 ping 172.18.2.10 -c 1
PING 172.18.2.10 (172.18.2.10) 56(84) bytes of data.
64 bytes from 172.18.2.10: icmp_seq=1 ttl=62 time=0.036 ms

--- 172.18.2.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms

[root@dell-per730-20 bz2102480]# rpm -qa | grep -E "openvswitch2.15|ovn22.06"
python3-openvswitch2.15-2.15.0-109.el8fdp.x86_64
ovn22.06-central-22.06.0-16.el8fdp.x86_64
ovn22.06-host-22.06.0-16.el8fdp.x86_64
openvswitch2.15-2.15.0-109.el8fdp.x86_64
ovn22.06-22.06.0-16.el8fdp.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn22.06 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5789