Description of problem:

With local gateway mode, when external traffic policy is used, the source address should not be NAT'ed on its way to the destination endpoint. This works as expected until ovnkube-node is restarted. At this point the iptables rules get configured in the wrong order, so that the packets are SNAT'ed to the management (mp0) interface:

Before restart:

Chain OVN-KUBE-SNAT-MGMTPORT (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp dpt:30486
RETURN     udp  --  anywhere             anywhere             udp dpt:32397
SNAT       all  --  anywhere             anywhere             /* OVN SNAT to Management Port */ to:10.244.1.2

After restart:

Chain OVN-KUBE-SNAT-MGMTPORT (1 references)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             /* OVN SNAT to Management Port */ to:10.244.1.2
RETURN     tcp  --  anywhere             anywhere             tcp dpt:30486
RETURN     udp  --  anywhere             anywhere             udp dpt:32397

Accessing service endpoint before and after restart:

[root@trozet3 /]# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
172.18.0.4 - - [13/Jul/2022 17:11:13] "GET / HTTP/1.1" 200 -
172.18.0.4 - - [13/Jul/2022 17:15:36] "GET / HTTP/1.1" 200 -
10.244.1.2 - - [13/Jul/2022 17:16:57] "GET / HTTP/1.1" 200 -   <--- After restart, ip is SNAT'ed to mp0
Related upstream issue: https://github.com/ovn-org/ovn-kubernetes/issues/2969
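An added check, not part of the bug report or of ovn-kubernetes itself, that detects the misordering described above: it reads `iptables -t nat -L OVN-KUBE-SNAT-MGMTPORT` output and fails if any per-NodePort RETURN rule sits after the catch-all SNAT rule. The function name `check_mgmtport_order` and the two sample listings are constructed for this example.

```shell
# Added example (not from the bug report): verify that the NodePort RETURN rules in
# OVN-KUBE-SNAT-MGMTPORT precede the catch-all SNAT rule, i.e. the "before restart"
# ordering. Input is `iptables -t nat -L OVN-KUBE-SNAT-MGMTPORT` output on stdin.

# Returns 0 when every RETURN rule comes before the first SNAT rule, 1 otherwise.
check_mgmtport_order() {
    awk '
        NR <= 2 { next }                                  # skip "Chain ..." and column header
        $1 == "SNAT"   && snat_at == 0 { snat_at = NR }   # remember first SNAT rule
        $1 == "RETURN" && snat_at != 0 { bad = 1 }        # RETURN after SNAT is never reached
        END {
            if (snat_at == 0) { print "no SNAT rule found"; exit 1 }
            if (bad) { print "RETURN rule(s) after SNAT: NodePort traffic will be SNATed to mp0"; exit 1 }
            print "order ok: RETURN rules precede SNAT"; exit 0
        }'
}

# Constructed sample listings mirroring the two states shown in the report.
GOOD='Chain OVN-KUBE-SNAT-MGMTPORT (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp dpt:30486
RETURN     udp  --  anywhere             anywhere             udp dpt:32397
SNAT       all  --  anywhere             anywhere             /* OVN SNAT to Management Port */ to:10.244.1.2'

BAD='Chain OVN-KUBE-SNAT-MGMTPORT (1 references)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             /* OVN SNAT to Management Port */ to:10.244.1.2
RETURN     tcp  --  anywhere             anywhere             tcp dpt:30486
RETURN     udp  --  anywhere             anywhere             udp dpt:32397'

printf '%s\n' "$GOOD" | check_mgmtport_order   # order ok
printf '%s\n' "$BAD"  | check_mgmtport_order   # misordered, exit status 1

# Live use on a node (root required):
#   iptables -t nat -L OVN-KUBE-SNAT-MGMTPORT -n | check_mgmtport_order
```

Running the live form before and after an ovnkube-node restart gives a quick way to confirm whether a node is affected without having to probe a backend and inspect its access log.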
https://bugzilla.redhat.com/show_bug.cgi?id=2107309#c1 will fix the cause of this issue
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399