ovn-org / ovn

Open Virtual Network
Apache License 2.0

If an lsp has a host snat rule, then dnat_and_snat cannot be accessed. #257

Open danieldin95 opened 1 month ago

danieldin95 commented 1 month ago

In our environment, we are using ovn for the openstack network. I create a load_balancer on a logical router (named share_router) to forward the ssh port to an lsp (also known as vm1).

()[root@ovn-tool-0 /]# ovn-nbctl create load_balancer vips:"172.16.10.111\:22"="192.168.33.217:22" protocol=tcp
2957dcc1-8d81-4e75-a8b7-c0a25127043a
()[root@ovn-tool-0 /]#
()[root@ovn-tool-0 /]# ovn-nbctl lr-lb-add 34ce470e-72e2-4346-be35-55eab94e2beb 2957dcc1-8d81-4e75-a8b7-c0a25127043a

And vm1 already has a dnat_and_snat rule bound for its floating ip. As you can see, the ssh port can be accessed via 172.16.10.111 (load_balancer vip) and 172.16.10.122 (dnat_and_snat external ip). But when I add a host (/32) snat rule using another external address for this vm1 (just a test), the ssh port cannot be accessed via 172.16.10.122, and I see the reply packets with source_address: 172.16.10.133.

()[root@ovn-tool-0 /]# ovn-nbctl lr-nat-list 34ce470e-72e2-4346-be35-55eab94e2beb
TYPE                     EXTERNAL_IP        EXTERNAL_PORT    LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat            172.16.10.122                       192.168.33.217
snat                     172.16.10.28                        0.0.0.0/0
snat                     172.16.10.28                        192.168.33.0/24
snat                     172.16.10.133                      192.168.33.217/32
()[root@ovn-tool-0 /]#

I don't know why, or did I misunderstand? And looking at the logical flows on the logical_router, some things seem to be wrong.

  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 172.16.10.122 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38")), action=(next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38")), action=(ip4.src=172.16.10.122; next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217/32 && outport == "lrp-c6cd992a-9b86-46cb-9952-b5931844de38" && is_chassis_resident("cr-lrp-c6cd992a-9b86-46cb-9952-b5931844de38") && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.10.133);)

So if my understanding is right, the dnat_and_snat rule cannot be affected by the host snat rule, or does dnat_and_snat have higher priority than a host snat?
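A small check for the situation the flow dump above shows, added here and not part of the issue or of the OVN project: it parses lr_out_snat flows and reports pairs in the same stage at equal priority whose ip4.src matches overlap but whose actions differ, since priority alone cannot order such a pair. The sample is constructed from the three quoted flows with the long router-port names shortened.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the three lr_out_snat flows quoted in the issue, with the
# long router-port names shortened so the lines stay readable.
FLOW_DUMP = """\
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 172.16.10.122 && outport == "lrp-c6cd" && is_chassis_resident("cr-lrp-c6cd")), action=(next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217 && outport == "lrp-c6cd" && is_chassis_resident("cr-lrp-c6cd")), action=(ip4.src=172.16.10.122; next;)
  table=2 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 192.168.33.217/32 && outport == "lrp-c6cd" && is_chassis_resident("cr-lrp-c6cd") && (!ct.trk || !ct.rpl)), action=(ct_snat(172.16.10.133);)
"""

# One "table=N (stage), priority=P, match=(...), action=(...)" line per flow.
FLOW_RE = re.compile(
    r'table=(\d+)\s+\((\w+)\s*\),\s*priority=(\d+)\s*,\s*match=\((.*)\),\s*action=\((.*)\)$'
)
SRC_RE = re.compile(r'ip4\.src == (\S+)')


def parse_flows(dump):
    """Parse lflow-list style lines into dicts; non-flow lines are skipped."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.search(line.strip())
        if not m:
            continue
        _table, stage, prio, match, action = m.groups()
        src = SRC_RE.search(match)
        flows.append({
            "stage": stage,
            "priority": int(prio),
            "match": match,
            "action": action,
            # keep ip4.src as a network so a bare host and its /32 compare equal
            "src": ipaddress.ip_network(src.group(1), strict=False) if src else None,
        })
    return flows


def find_same_priority_overlaps(flows):
    """Pairs in one stage with equal priority, overlapping ip4.src and different actions."""
    # Priority cannot order such a pair, so which one a packet hits depends only on
    # the remaining match fields; the dump above contains exactly one such pair.
    found = []
    for a, b in combinations(flows, 2):
        if (a["stage"] == b["stage"] and a["priority"] == b["priority"]
                and a["src"] and b["src"] and a["src"].overlaps(b["src"])
                and a["action"] != b["action"]):
            found.append((a, b))
    return found
```

Run it against a real `ovn-sbctl lflow-list` dump filtered to lr_out_snat to see whether a dnat_and_snat flow and a host snat flow collide at the same priority on the same router port.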

almusil commented 2 weeks ago

Hi, which version of ovn is this? If this is 24.03 or later, you might be hitting issues that https://patchwork.ozlabs.org/project/ovn/patch/20240827085252.458355-1-amusil@redhat.com/ is trying to fix. If you have the option, would you mind trying this commit to see if it helps?