northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.

In case of LB having client as VIP and lb_force_snat_ip being set to specific IP we would SNAT the reply traffic for the load balancer. That was caused by premature unDNAT due to the client IP being LB VIP with combination of match for SNAT that was checking only the flag "force_snat_for_lb == 1". Add match to ensure that the reply traffic is not being sent to SNAT. Reported-at: https://issues.redhat.com/browse/FDP-1009 Signed-off-by: Ales Musil <[email protected]> Signed-off-by: Dumitru Ceara <[email protected]> (cherry picked from commit 0bc9628)
ovn-org · Jan 16, 2025 · b6e3a5d · b6e3a5d
1 parent 6af14b4
commit b6e3a5d
Show file tree

Hide file tree

Showing 3 changed files with 140 additions and 137 deletions.
diff --git a/northd/northd.c b/northd/northd.c
@@ -16452,7 +16452,7 @@ build_lrouter_nat_defrag_and_lb(
     if (lr_stateful_rec->has_lb_vip) {
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
+        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
         size_t match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");
@@ -16477,7 +16477,8 @@ build_lrouter_nat_defrag_and_lb(
          */
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
+        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
+                           "ct_mark.natted");
         match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");