2128618 – [RFE] Add a flag to signal if hairpinning was applied

Bug 2128618 - [RFE] Add a flag to signal if hairpinning was applied

Summary: [RFE] Add a flag to signal if hairpinning was applied

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	ovn22.12
Sub Component:
Version:	FDP 22.L
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	OVN Team
QA Contact:	Jianlin Shi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-21 09:23 UTC by Nadia Pinaeva
Modified:	2022-09-22 16:01 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-09-22 16:01:28 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FD-2298	0	None	None	None	2022-09-21 09:35:56 UTC

Description Nadia Pinaeva 2022-09-21 09:23:53 UTC

Description of problem:
ACLs applied on egress pipeline (direction=to-lport) that match on source ip don't work for hairpinned traffic, because hairpinning SNATs to service ip.
If we know that hairpinning was applied, we know that ip.src == ip.dst, and can use the following expression to include hairpinned traffic:
ip.src == ip || pkt.hairpinned && ip.dst == ip

To do so, we need a new flag pkt.hairpinned (this name is not a requirement, but just a placeholder) that will signal if hairpinning happened on ingress pipeline.

This will be used for network policy implementation in ovn-k to make sure hairpinned traffic is affected by network policy rules.

Comment 1 Nadia Pinaeva 2022-09-22 16:01:28 UTC

We decided to use hairpin_snat_ip for that purpose, which is a bit more complicated, but doesn't require any new ovn features.

Note You need to log in before you can comment on or make changes to this bug.