Darrell, is this something you can help with?
On Fri, Feb 08, 2019 at 02:18:53PM +0000, Rostyslav Fridman via dev wrote:
> I've encountered the issue that SNAT on OVN logical_router in userspace works
> for ICMP but not TCP or UDP. I am seeing this behavior on version 2.10.1 as
> well as on top of the git tree.
>
> I try to access internet (216.58.215.110) from container (10.0.0.2). On the
> external-router I have SNAT configured. On the external server I see that
> container address is translated for ICMP request, but not for TCP.
> container:/# ping 216.58.215.110
> PING 216.58.215.110 (216.58.215.110) 56(84) bytes of data.
> 64 bytes from 216.58.215.110: icmp_seq=1 ttl=53 time=140 ms
> ^C
> --- 216.58.215.110 ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 140.663/140.663/140.663/0.000 ms
> container:/# curl 216.58.215.110
> ^C
> ---
> external-server:~# tcpdump -i vlan111 host 216.58.215.110
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vlan111, link-type EN10MB (Ethernet), capture size 262144 bytes
> 07:53:22.393289 IP 10.250.111.40 > waw02s17-in-f14.1e100.net: ICMP echo
> request, id 218, seq 1, length 64
> 07:53:22.533574 IP waw02s17-in-f14.1e100.net > 10.250.111.40: ICMP echo
> reply, id 218, seq 1, length 64
> 07:53:24.830595 IP 10.0.0.2.58050 > waw02s17-in-f14.1e100.net.http: Flags
> [S], seq 219699121, win 29200, options [mss 1460,sackOK,TS val 2742820693 ecr
> 0,nop,wscale 7], length 0
>
> In the bridge flows I see that NAT should be performed since flow packet
> count is increasing.
> ovs-appctl bridge/dump-flows br-int
> ...
> table_id=41, duration=5135s, n_packets=28, n_bytes=2408,
> priority=9,ip,metadata=0x1,nw_src=10.0.0.0/8,actions=ct(commit,table=42,zone=NXM_NX_REG12[0..15],nat(src=10.250.111.40))
>
> ovn-trace also confirms that it should be working.
>
> I have the following scheme:
> OVS: trunked bonded port --- netdev bridge (br-ext) --- patch --- netdev
> bridge (br-int)
> OVN: container --- logical_switch (internal-switch) --- logical_router
> (internal-router) --- logical_switch (interconnect) --- logical_router
> (external-router) --- logical_switch (external-switch with localnet port to
> br-ext)
>
> OVN configuration:
> switch d0f22f65-214f-422e-a5ba-68b7ef66581b (interconnect)
>     port interconnect_to_internal-router
>         type: router
>         addresses: ["00:00:00:73:a8:30 100.64.1.2/24"]
>         router-port: internal-router_to_interconnect
>     port interconnect_to_external-router
>         type: router
>         addresses: ["00:00:00:da:6b:85 100.64.1.1/24"]
>         router-port: external-router_to_interconnect
> switch bcdc365a-7c2c-4c32-9a51-8107864e879a (internal-switch)
>     port internal-switch_to_internal-router
>         type: router
>         addresses: ["00:00:00:6b:83:b1 10.0.3.253/22"]
>         router-port: internal-router_to_internal-switch
>     port default_aaa_eth0
>         addresses: ["0a:00:00:00:00:03 10.0.0.2"]
> switch 3feba85f-4c6f-4550-9435-7f27837c1fd8 (external-switch)
>     port vlan111-mgmt
>         addresses: ["a2:dc:3c:76:8f:27"]
>     port vlan111
>         type: localnet
>         tag: 111
>         addresses: ["unknown"]
>     port external-switch_to_external-router
>         type: router
>         addresses: ["00:00:00:61:f0:c0 10.250.111.40/24"]
>         router-port: external-router_to_external-switch
> router f97f9421-c727-488d-8575-bfaf7a7bde6b
> (vlan111-80973513-f2fe-48cb-904a-b205fb0bcc6f)
>     port external-router_to_interconnect
>         mac: "00:00:00:da:6b:85"
>         networks: ["100.64.1.1/24"]
>     port external-router_to_external-switch
>         mac: "00:00:00:61:f0:c0"
>         networks: ["10.250.111.40/24"]
>     nat 486f81b0-491f-4c90-9ddd-04ea27e70ac5
>         external ip: "10.250.111.40"
>         logical ip: "10.0.0.0/8"
>         type: "snat"
> router 5ca8fc47-1860-43c9-a0ee-a285fd877db5
> (overlay-vlan111-80973513-f2fe-48cb-904a-b205fb0bcc6f)
>     port internal-router_to_interconnect
>         mac: "00:00:00:73:a8:30"
>         networks: ["100.64.1.2/24"]
>     port internal-router_to_internal-switch
>         mac: "00:00:00:6b:83:b1"
>         networks: ["10.0.3.253/22"]
>
> OVS configuration:
>     Bridge br-int
>         Port patch-br-int-br-ext
>             Interface patch-br-int-br-ext
>                 type: patch
>                 options: {peer=patch-br-ext-br-int}
>         Port "patch-br-int-to-vlan111 "
>             Interface "patch-br-int-to-vlan111 "
>                 type: patch
>                 options: {peer="patch-vlan111-to-br-int"}
>         Port "vlan111-mgmt"
>             Interface "vlan111-mgmt"
>                 type: internal
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port "veth51a477d8"
>             Interface "veth51a477d8"
>     Bridge br-ext
>         Port "patch-vlan111-to-br-int"
>             Interface "patch-vlan111-to-br-int"
>                 type: patch
>                 options: {peer="patch-br-int-to-vlan111 "}
>         Port "bond0"
>             trunks: [111]
>             Interface "enp4s0f0"
>                 type: dpdk
>                 options: {dpdk-devargs="0000:04:00.0"}
>             Interface "enp4s0f1"
>                 type: dpdk
>                 options: {dpdk-devargs="0000:04:00.1"}
>         Port patch-br-ext-br-int
>             Interface patch-br-ext-br-int
>                 type: patch
>                 options: {peer=patch-br-int-br-ext}
>         Port br-ext
>             Interface br-ext
>                 type: internal
>     ovs_version: "2.11.90"
>
> What else should I try? Have I missed anything?
> Thanks in advance
>
> --
> Best regards,
> Rostyslav Fridman
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
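
A way to check a capture like the one quoted above for packets that left with an untranslated source, split by protocol. This is an added example, not part of the original thread or of OVS/OVN; the function names are hypothetical, and the sample lines are the thread's tcpdump output with the mail wrapping rejoined.

```python
import ipaddress
import re
from collections import defaultdict

# Capture lines from the thread above, with mail line-wrapping rejoined.
SAMPLE = """\
07:53:22.393289 IP 10.250.111.40 > waw02s17-in-f14.1e100.net: ICMP echo request, id 218, seq 1, length 64
07:53:22.533574 IP waw02s17-in-f14.1e100.net > 10.250.111.40: ICMP echo reply, id 218, seq 1, length 64
07:53:24.830595 IP 10.0.0.2.58050 > waw02s17-in-f14.1e100.net.http: Flags [S], seq 219699121, win 29200, options [mss 1460,sackOK,TS val 2742820693 ecr 0,nop,wscale 7], length 0
"""

LINE = re.compile(r"^\S+ IP (?P<src>\S+) > \S+: (?P<rest>.*)$")

def parse_source(endpoint):
    """Split 'a.b.c.d' or 'a.b.c.d.port' into (address, port); None for a hostname."""
    parts = endpoint.split(".")
    try:
        if len(parts) == 5:
            return ipaddress.ip_address(".".join(parts[:4])), parts[4]
        return ipaddress.ip_address(endpoint), None
    except ValueError:
        return None

def classify(rest, port):
    """Rough protocol guess from tcpdump's summary text (heuristic)."""
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("Flags"):
        return "tcp"
    return "udp" if port is not None else "other"

def untranslated_sources(capture, logical_net, external_ip):
    """Return {protocol: [source, ...]} for packets seen with an un-NATed source."""
    net = ipaddress.ip_network(logical_net)
    ext = ipaddress.ip_address(external_ip)
    leaks = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        parsed = parse_source(m["src"]) if m else None
        if parsed is None:
            continue
        addr, port = parsed
        # The SNAT external IP (10.250.111.40) is itself inside 10.0.0.0/8,
        # so it must be excluded explicitly or every translated packet matches.
        if addr in net and addr != ext:
            leaks[classify(m["rest"], port)].append(str(addr))
    return dict(leaks)
```

Called as `untranslated_sources(SAMPLE, "10.0.0.0/8", "10.250.111.40")`, it reports the TCP SYN from 10.0.0.2 and nothing for ICMP, matching the symptom described in the report.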