northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.

In case of LB having client as VIP and lb_force_snat_ip being set to specific IP we would SNAT the reply traffic for the load balancer. That was caused by premature unDNAT due to the client IP being LB VIP with combination of match for SNAT that was checking only the flag "force_snat_for_lb == 1". Add match to ensure that the reply traffic is not being sent to SNAT. Reported-at: https://issues.redhat.com/browse/FDP-1009 Signed-off-by: Ales Musil <amusil@redhat.com> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
dceara · Jan 16, 2025 · 0bc9628 · 0bc9628
1 parent fecf89f
commit 0bc9628
Show file tree

Hide file tree

Showing 3 changed files with 140 additions and 137 deletions.
diff --git a/northd/northd.c b/northd/northd.c
@@ -16724,7 +16724,7 @@ build_lrouter_nat_defrag_and_lb(
     if (lr_stateful_rec->has_lb_vip) {
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
+        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
         size_t match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");
@@ -16749,7 +16749,8 @@ build_lrouter_nat_defrag_and_lb(
          */
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
+        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
+                           "ct_mark.natted");
         match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");