Can't learn MAC binding for an external IP with an SNAT rule. #209

Closed
danieldin95 opened this issue Sep 5, 2023 · 1 comment
Comments

@danieldin95
Contributor

On lr-4d4fad05, create an SNAT rule with an external IP [172.16.10.27] that is not the default external IP [172.16.10.210]:

()[root@ovn-tool-0 /]# ovn-nbctl show 4d4fad05-9150-4f6a-b66b-7b7f7021d103
router 4d4fad05-9150-4f6a-b66b-7b7f7021d103 (neutron-7e53f214-cfd0-4b54-86e7-92176c3adcc3) (aka cth-test-router)
    port lrp-e5fe50c0-c79d-4c34-b243-2678b224f446
        mac: "fa:16:3e:26:3b:a7"
        networks: ["172.16.10.210/24"]
        gateway chassis: [15a4496d-02b9-4b68-85e0-41999f4532d4 fb5de3a4-710c-47e9-9fd0-46f652f0a423 39d4b47c-ec98-43cf-9711-c27541a262b6]
    port lrp-8124342f-a0d7-46a8-8118-aca938f806c4
        mac: "fa:16:3e:4b:8d:d4"
        networks: ["192.168.131.1/24"]
    nat 5acadda7-1b55-4cb9-ad35-ae3b97acf95c
        external ip: "172.16.10.40"
        logical ip: "192.168.131.155"
        type: "dnat_and_snat"
    nat d473937e-10c9-4684-baa3-4915243fe65e
        external ip: "172.16.10.27"
        logical ip: "192.168.131.0/25"
        type: "snat"
    nat d8fced8f-fd62-47f3-9524-a7c61e643d79
        external ip: "172.16.10.210"
        logical ip: "0.0.0.0/0"
        type: "snat"
    nat dbaf8fb9-8057-400d-90e5-1dc08d801e8c
        external ip: "172.16.10.210"
        logical ip: "192.168.131.0/24"
        type: "snat"

And on lr-12e11990, create a dnat_and_snat rule to forward traffic whose destination is 172.16.10.23 to 192.168.0.235:

()[root@ovn-tool-0 /]# ovn-nbctl show 12e11990-ef78-4f04-907d-8ffb38d8c584
router 12e11990-ef78-4f04-907d-8ffb38d8c584 (neutron-1a6fac4b-5647-439e-b607-d7615209b37e) (aka share_router)
    port lrp-11c15734-a236-484c-8b8a-dc3bd0b0a3a8
        mac: "fa:16:3e:04:1f:ae"
        networks: ["192.168.0.1/24"]
    port lrp-2bc14fc0-d797-4786-9a01-237fec6d113d
        mac: "fa:16:3e:db:93:70"
        networks: ["192.168.111.1/24"]
    port lrp-43215760-af0b-480b-8f7d-a6d80de4f8e2
        mac: "fa:16:3e:91:0f:96"
        networks: ["172.16.10.78/24"]
        gateway chassis: [15a4496d-02b9-4b68-85e0-41999f4532d4 39d4b47c-ec98-43cf-9711-c27541a262b6 fb5de3a4-710c-47e9-9fd0-46f652f0a423]
    nat 30560111-4d82-49f2-b716-0f80892c13d6
        external ip: "172.16.10.78"
        logical ip: "192.168.111.0/24"
        type: "snat"
    nat b4b91358-15f1-4113-8e66-af510777507d
        external ip: "172.16.10.23"
        logical ip: "192.168.0.235"
        type: "dnat_and_snat"
    nat cfae5e82-9046-4d3e-92bd-c7c990db1b18
        external ip: "172.16.10.25"
        logical ip: "192.168.0.58"
        type: "dnat_and_snat"
    nat d4bfc784-d1d7-448c-9843-cafbf7586b39
        external ip: "172.16.10.78"
        logical ip: "192.168.0.0/24"
        type: "snat"
    nat e911876d-6f44-4bfe-8f49-d47b3585ee88
        external ip: "172.16.10.78"
        logical ip: "0.0.0.0/0"
        type: "snat"
()[root@ovn-tool-0 /]#

Then on lr-4d4fad05 we create a VM on lrp-d307bf99 whose IP address is in 192.168.131.0/25, so this VM will use 172.16.10.27 to visit 172.16.10.23, not 172.16.10.210:

switch 4307e64e-4088-4b2d-8443-e59fe1b66025 (neutron-2b212c95-2342-4f2d-9b72-ed754b847ee9) (aka cth_test)
    port 8124342f-a0d7-46a8-8118-aca938f806c4 (aka router_iface_gjz8yVdE)
        type: router
        router-port: lrp-8124342f-a0d7-46a8-8118-aca938f806c4
    port d307bf99-45d1-4cfe-a15d-4d6477d569ec (aka cth-net-client_cth_test_df1313a1)
        addresses: ["fa:16:3e:ae:a2:26 192.168.131.247"]

But curl 172.16.10.23 is not working, and we see ARP requests from 172.16.10.23 for 172.16.10.27 on the public network this LR is connected to.

@danieldin95
Contributor Author

So we guess the MAC binding is not learned for 172.16.10.27, and when we add a MAC binding via ovn-sbctl, like this:

()[root@ovn-tool-0 /]# ovn-sbctl create mac_binding  datapath=675eac5c-b01b-4ea8-b425-03570cff0c7e logical_port=lrp-43215760-af0b-480b-8f7d-a6d80de4f8e2 ip="172.16.10.27" mac="fa\:16\:3e\:26\:3b\:a7"
7d135ef1-8750-4df9-937d-8c035df9b8aa
()[root@ovn-tool-0 /]#

The curl 172.16.10.23 is working. This may be a bug in our above case. And when I view the code in northd.c, I may have found a reason to fix it, but I'm not sure why. Can anyone help me fix it?

diff --git a/northd/northd.c b/northd/northd.c
index 08c262532..6b4e7422a 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7140,6 +7140,9 @@ build_lswitch_rport_arp_req_flows(struct ovn_port *op,
         }
     }

+    struct sset snat_ips_v4 = SSET_INITIALIZER(&snat_ips_v4);
+    struct sset snat_ips_v6 = SSET_INITIALIZER(&snat_ips_v6);
+
     for (size_t i = 0; i < op->od->nbr->n_nat; i++) {
         struct ovn_nat *nat_entry = &op->od->nat_entries[i];
         const struct nbrec_nat *nat = nat_entry->nb;
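Review bot: the two ssets introduced before the `for` loop are never freed in the visible lines; unless the rest of the function (not shown) already does it, add `sset_destroy(&snat_ips_v4);` and `sset_destroy(&snat_ips_v6);` right after the loop so northd does not leak on every `build_lswitch_rport_arp_req_flows()` call. A one-line comment saying what the sets are for (adding each SNAT external IP only once) would also help, since their purpose only becomes clear in the next hunk.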
@@ -7149,7 +7152,17 @@ build_lswitch_rport_arp_req_flows(struct ovn_port *op,
         }

         if (!strcmp(nat->type, "snat")) {
-            continue;
+            if (nat_entry_is_v6(nat_entry)) {
+                if (sset_contains(&snat_ips_v6, nat->external_ip)) {
+                    continue;
+                }
+                sset_add(&snat_ips_v6, nat->external_ip);
+            } else {
+                if (sset_contains(&snat_ips_v4, nat->external_ip)) {
+                    continue;
+                }
+                sset_add(&snat_ips_v4, nat->external_ip);
+            }
         }
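Review bot: the dedup here keys on the raw `nat->external_ip` string and makes no distinction for SNAT entries whose external IP is already the router port's own address (172.16.10.210 in the reported configuration is used by two `snat` rules), so those IPs now fall through to the same handling as `dnat_and_snat` external IPs; confirm the code after this hunk tolerates that, since the accompanying commit message says the problem only arises when the external IP isn't the LRP address. Separately, `sset_add()` returns NULL when the name is already in the set, so each `sset_contains()`/`sset_add()` pair collapses to `if (!sset_add(&snat_ips_v4, nat->external_ip)) { continue; }` (likewise for v6), which is shorter and avoids hashing the string twice.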

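As an added diagnostic (not code from the issue or from OVN), the following Python script parses `ovn-nbctl show <router>` output in the format quoted above and lists, per router, the NAT external IPs the gateway port has to answer ARP for: every `dnat_and_snat` external IP, plus every `snat` external IP that is not already one of the router's own port addresses, each listed once. That is exactly the condition the report describes (172.16.10.27 is flagged on cth-test-router, while 172.16.10.210 and 172.16.10.78, which are LRP addresses, are not). The `Router` class and the `parse_nbctl_show`, `snat_ips_off_port` and `nat_arp_ips` functions are this example's own names; the sample input is constructed from the two router dumps in the issue, trimmed to the lines the parser needs.

```python
"""Added diagnostic: which NAT external IPs must a router's gateway port ARP-answer for?

Rules applied (the condition described in the issue and its fix):
  * every dnat_and_snat external IP is needed;
  * an snat external IP is needed only if it is not already an address of one
    of the router's own ports;
  * an external IP shared by several NAT rules is listed once.
"""
import ipaddress
import re
from dataclasses import dataclass, field

QUOTED = re.compile(r'"([^"]+)"')


@dataclass
class Router:
    name: str
    port_addrs: set = field(default_factory=set)  # router-port IPs, prefix stripped
    nats: list = field(default_factory=list)      # (type, external_ip, logical_ip)


def parse_nbctl_show(text: str) -> list:
    """Parse one or more `ovn-nbctl show <router>` dumps into Router objects."""
    routers, cur, in_nat, ext, logical = [], None, False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("router "):
            cur = Router(name=line.split()[1])   # second token is the router UUID
            routers.append(cur)
            in_nat = False
        elif cur is None:
            continue                             # prompt lines before the first router
        elif line.startswith("networks:"):
            for cidr in QUOTED.findall(line):    # e.g. ["172.16.10.210/24"]
                cur.port_addrs.add(str(ipaddress.ip_interface(cidr).ip))
        elif line.startswith("nat "):
            in_nat, ext, logical = True, None, None
        elif in_nat and line.startswith("external ip:"):
            ext = QUOTED.search(line).group(1)
        elif in_nat and line.startswith("logical ip:"):
            logical = QUOTED.search(line).group(1)
        elif in_nat and line.startswith("type:"):
            cur.nats.append((QUOTED.search(line).group(1), ext, logical))
            in_nat = False                       # type: is the last field of a nat entry
    return routers


def snat_ips_off_port(router: Router) -> set:
    """SNAT external IPs that are not a router-port address (the issue's case)."""
    return {ext for kind, ext, _ in router.nats
            if kind == "snat" and ext not in router.port_addrs}


def nat_arp_ips(router: Router) -> set:
    """All NAT external IPs the gateway port must respond to ARP for, deduplicated."""
    dnat = {ext for kind, ext, _ in router.nats if kind == "dnat_and_snat"}
    return dnat | snat_ips_off_port(router)


# Constructed sample: the router dumps quoted in the issue, trimmed to the
# lines the parser uses.
SAMPLE = """\
router 4d4fad05-9150-4f6a-b66b-7b7f7021d103 (neutron-7e53f214-cfd0-4b54-86e7-92176c3adcc3) (aka cth-test-router)
    port lrp-e5fe50c0-c79d-4c34-b243-2678b224f446
        networks: ["172.16.10.210/24"]
    port lrp-8124342f-a0d7-46a8-8118-aca938f806c4
        networks: ["192.168.131.1/24"]
    nat 5acadda7-1b55-4cb9-ad35-ae3b97acf95c
        external ip: "172.16.10.40"
        logical ip: "192.168.131.155"
        type: "dnat_and_snat"
    nat d473937e-10c9-4684-baa3-4915243fe65e
        external ip: "172.16.10.27"
        logical ip: "192.168.131.0/25"
        type: "snat"
    nat d8fced8f-fd62-47f3-9524-a7c61e643d79
        external ip: "172.16.10.210"
        logical ip: "0.0.0.0/0"
        type: "snat"
    nat dbaf8fb9-8057-400d-90e5-1dc08d801e8c
        external ip: "172.16.10.210"
        logical ip: "192.168.131.0/24"
        type: "snat"
router 12e11990-ef78-4f04-907d-8ffb38d8c584 (neutron-1a6fac4b-5647-439e-b607-d7615209b37e) (aka share_router)
    port lrp-43215760-af0b-480b-8f7d-a6d80de4f8e2
        networks: ["172.16.10.78/24"]
    nat b4b91358-15f1-4113-8e66-af510777507d
        external ip: "172.16.10.23"
        logical ip: "192.168.0.235"
        type: "dnat_and_snat"
    nat e911876d-6f44-4bfe-8f49-d47b3585ee88
        external ip: "172.16.10.78"
        logical ip: "0.0.0.0/0"
        type: "snat"
"""

if __name__ == "__main__":
    for r in parse_nbctl_show(SAMPLE):
        print(r.name[:8], "snat IPs off-port:", sorted(snat_ips_off_port(r)),
              "ARP IPs:", sorted(nat_arp_ips(r)))
```

Run against a live deployment by piping `ovn-nbctl show <router>` for each router into `parse_nbctl_show`; any router whose `snat_ips_off_port` result is non-empty is in the configuration the report describes, and the set returned by `nat_arp_ips` is what the gateway port is expected to answer ARP for once the fix is in place.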
danieldin95 pushed a commit to danieldin95/ovn that referenced this issue Sep 13, 2023
If the router has an SNAT rule and its external IP isn't the LRP address,
an ARP request from another router for this external IP will
be dropped, because this external IP uses the same MAC address as the LRP, so
it cannot be forwarded to MC_FLOOD.

Fixes: 32f5ebb ("ovn-northd: Limit ARP/ND broadcast domain whenever possible.")
Reported-at: ovn-org#209

Signed-off-by: Daniel Ding <zhihui.ding@easystack.cn>
ovsrobot pushed a commit to ovsrobot/ovn that referenced this issue Dec 5, 2023
If the router has an SNAT rule and its external IP isn't the LRP address,
an ARP request from another router for this external IP will
be dropped, because this external IP uses the same MAC address as the LRP, so
it cannot be forwarded to MC_FLOOD.

Fixes: 32f5ebb ("ovn-northd: Limit ARP/ND broadcast domain whenever possible.")
Reported-at: ovn-org#209

Signed-off-by: Daniel Ding <danieldin186@gmail.com>
Acked-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: 0-day Robot <robot@bytheb.org>
dceara pushed a commit that referenced this issue Dec 18, 2023
If the router has an SNAT rule and its external IP isn't the LRP address,
an ARP request from another router for this external IP will
be dropped, because this external IP uses the same MAC address as the LRP, so
it cannot be forwarded to MC_FLOOD.

Fixes: 32f5ebb ("ovn-northd: Limit ARP/ND broadcast domain whenever possible.")
Reported-at: #209

Signed-off-by: Daniel Ding <danieldin186@gmail.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
(cherry picked from commit fe1c5df)