+++ This bug was initially created as a clone of Bug #2137754 +++ Description of problem: When we have a ICMP related message from different source address the inner header does not get DNATed. How reproducible: 100% Steps to Reproduce: 1. Run the reproducer script Actual results: 06:09:43.044558 00:00:00:00:20:00 > 00:00:00:00:10:20, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 255, id 287, offset 0, flags [none], proto ICMP (1), length 56) 192.168.20.1 > 192.168.10.20: ICMP 192.168.20.10 unreachable - need to frag (mtu 1400), length 36 (tos 0x0, ttl 10, id 0, offset 0, flags [DF], proto UDP (17), length 28) 192.168.20.20.2 > 192.168.20.10.1: UDP, length 0 Expected results: 06:09:43.044558 00:00:00:00:20:00 > 00:00:00:00:10:20, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 255, id 287, offset 0, flags [none], proto ICMP (1), length 56) 192.168.20.1 > 192.168.10.20: ICMP 192.168.20.10 unreachable - need to frag (mtu 1400), length 36 (tos 0x0, ttl 10, id 0, offset 0, flags [DF], proto UDP (17), length 28) 192.168.10.20.2 > 192.168.20.10.1: UDP, length 0
Verified on openvswitch2.17-2.17.0-79.el8fdp Use the reproducer in https://bugzilla.redhat.com/show_bug.cgi?id=2137754
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: openvswitch2.17 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:1765