Bug 2128618 - [RFE] Add a flag to signal if hairpinning was applied
Summary: [RFE] Add a flag to signal if hairpinning was applied
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn22.12
Version: FDP 22.L
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: OVN Team
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-21 09:23 UTC by Nadia Pinaeva
Modified: 2022-09-22 16:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-22 16:01:28 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker FD-2298 (last updated 2022-09-21 09:35:56 UTC)

Description Nadia Pinaeva 2022-09-21 09:23:53 UTC
Description of problem:
ACLs applied on the egress pipeline (direction=to-lport) that match on the source IP don't work for hairpinned traffic, because hairpinning SNATs to the service IP.
If we know that hairpinning was applied, we know that ip.src == ip.dst, and can use the following expression to include hairpinned traffic:
    ip.src == ip || pkt.hairpinned && ip.dst == ip

To do so, we need a new flag pkt.hairpinned (this name is not a requirement, but just a placeholder) that will signal if hairpinning happened on ingress pipeline.

This will be used for network policy implementation in ovn-k to make sure hairpinned traffic is affected by network policy rules.

Comment 1 Nadia Pinaeva 2022-09-22 16:01:28 UTC
We decided to use hairpin_snat_ip for that purpose, which is a bit more complicated, but doesn't require any new ovn features.
