-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix missing ICMP SNAT for L2 UDNs GR #4729
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
what is a "ICMP SNAT" ? |
Explained on the message:
right, edited |
Registered new flake |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So IIUC @jcaamano correct me if I am wrong
Generally in OVN we have the lb_force_snat_ip=router_ip which should auto-take care of SNATing to joinIP, but for ICMP needs frag it seems there is a bug in OVN https://issues.redhat.com/browse/FDP-159 due to which we had to manually start adding this SNAT: 49e1d9f
which looks like this right?
snat 169.254.0.13 100.65.0.3
snat fd69::d fd99::3
We did #4722 that fixed up the whole joinIP util being wrong
So qq what's the difference between:
if gwLRPIPset.Has(routerNat.LogicalIP) {
continue
}
and
if gw.containsJoinIP(logicalIP) {
continue
}
to me it looks like both are trying to catch the SNAT with joinIP as the prefix right? I think I might be getting confused with stuff..
yea we discussed this also needs to be fixed: https://redhat-internal.slack.com/archives/C077NGF5HE1/p1726048908687809 opened an issue to track it at the very least |
|
ahhhh ack so its:
yeah go for that cleanup thanks! |
That's the join subnet address, I think that's the expectation. |
It is. But previously we used |
Is it worth it a follow up to segregate the node gatewa address and do the gateway things at the layer2 controller. |
On GRs we have an SNAT from the join port IP address to the external IP address for ICMP needs frag sent by OVN to the external network. In L2 UDNs, even though there is no join network, the internal port has two IPs, one for the pod subnet and another for the join subnet. The ICMP source address will be the first one in lexicographical order which might be the pod subnet one. The proper SNAT for the GR pod subnet address gets created in the gateway initialization. But: 1 when DisableSNATMultipleGWs=false, it is redundant because there is already a SNAT for the whole pod subnet 2 when DisableSNATMultipleGWs=true we end up with no SNAT because cleanupStalePodSNATs cleans it up becaause it never expected that SNAT This commit fixes #2 Signed-off-by: Jaime Caamaño Ruiz <[email protected]>
A comment somewhere could be nice. Or filtering them by |
ah woops I forgot to press merge last night... thanks Jaime! |
On GRs we have an SNAT from the join port IP address to the external IP address for ICMP needs frag sent by OVN to the external network.
In L2 UDNs, even though there is no join network, the internal port has two IPs, one for the pod subnet and another for the join subnet. The ICMP source address will be the first one in lexicographical order which might be the pod subnet one.
The proper SNAT for the GR pod subnet address gets created in the gateway initialization. But:
1 when DisableSNATMultipleGWs=false, it is redundant because there is
already a SNAT for the whole pod subnet
2 when DisableSNATMultipleGWs=true we end up with no SNAT because
cleanupStalePodSNATs cleans it up becaause it never expected that
SNAT
This commit fixes (2)