When the LB is configured without any backend and doesn't report event or reject the packet just simply drop the packet.
Reported-at: https://bugzilla.redhat.com/2177173 Signed-off-by: Ales Musil <amu...@redhat.com> Signed-off-by: Dumitru Ceara <dce...@redhat.com> (cherry picked from commit 75b0bcbb019a8caa2cfebffeff1ecf155fcd1fbc) --- This version applies cleanly down to 21.12. --- northd/northd.c | 4 ++++ tests/ovn-northd.at | 50 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/northd/northd.c b/northd/northd.c index 3165f4bc2..6866fb6b5 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -3912,6 +3912,10 @@ build_lb_vip_actions(struct ovn_lb_vip *lb_vip, } } else if (lb_vip->empty_backend_rej && !lb_vip->n_backends) { reject = true; + } else if (!lb_vip->empty_backend_rej && !lb_vip->n_backends) { + ds_clear(action); + ds_put_cstr(action, debug_drop_action()); + skip_hash_fields = true; } else { ds_put_format(action, "%s(backends=%s);", ct_lb_action, lb_vip_nb->backend_ips); diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 5a4c6a31f..5fea88f6f 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -4253,6 +4253,15 @@ AT_CHECK([grep "ls_out_stateful" sw0flows | sort], [0], [dnl table=7 (ls_out_stateful ), priority=100 , match=(reg0[[1]] == 1 && reg0[[13]] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_label.label = reg3; }; next;) ]) +# LB with event=false and reject=false +AT_CHECK([ovn-nbctl create load_balancer name=lb1 options:reject=false options:event=false vips:\"10.0.0.20\"=\"\" protocol=tcp], [0], [ignore]) +check ovn-nbctl --wait=sb ls-lb-add sw0 lb1 + +AT_CHECK([ovn-sbctl dump-flows sw0 | grep "ls_in_lb " | sort ], [0], [dnl + table=12(ls_in_lb ), priority=0 , match=(1), action=(next;) + table=12(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 10.0.0.20), action=(drop;) +]) + AT_CLEANUP ]) @@ -5629,6 +5638,47 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;) ]) +# LB with event=false and reject=false +check ovn-nbctl lr-lb-del lr0 +check ovn-nbctl remove logical_router lr0 options lb_force_snat_ip +AT_CHECK([ovn-nbctl create load_balancer name=lb6 options:reject=false options:event=false vips:\"172.168.10.30\"=\"\" protocol=tcp], [0], [ignore]) +check ovn-nbctl --wait=sb lr-lb-add lr0 lb6 + +AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | sort], [0], [dnl + table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.168.10.30 && ct_mark.natted == 1), action=(next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.168.10.30), action=(drop;) + table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +]) + +# LB with event=false, reject=false and skip_snat +check ovn-nbctl --wait=sb set load_balancer lb6 options:skip_snat=true + +AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | sort], [0], [dnl + table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.168.10.30 && ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.168.10.30), action=(flags.skip_snat_for_lb = 1; drop;) + table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +]) + +check ovn-nbctl remove load_balancer lb6 options skip_snat + +# LB with event=false, reject=false and force_snat +check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="router_ip" + +AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | sort], [0], [dnl + table=7 (lr_in_dnat ), priority=0 , match=(1), action=(next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.168.10.30 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;) + table=7 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.168.10.30), action=(flags.force_snat_for_lb = 1; drop;) + table=7 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=7 (lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) +]) + AT_CLEANUP ]) -- 2.39.2 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
