northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.

In case of LB having client as VIP and lb_force_snat_ip being set to specific IP we would SNAT the reply traffic for the load balancer. That was caused by premature unDNAT due to the client IP being LB VIP with combination of match for SNAT that was checking only the flag "force_snat_for_lb == 1". Add match to ensure that the reply traffic is not being sent to SNAT. Reported-at: https://issues.redhat.com/browse/FDP-1009 Signed-off-by: Ales Musil <[email protected]> Signed-off-by: Dumitru Ceara <[email protected]> (cherry picked from commit 0bc9628)
ovn-org · Jan 17, 2025 · e7f754c · e7f754c
1 parent f35818a
commit e7f754c
Show file tree

Hide file tree

Showing 3 changed files with 176 additions and 173 deletions.
diff --git a/northd/northd.c b/northd/northd.c
@@ -15034,7 +15034,7 @@ build_lrouter_nat_defrag_and_lb(
     if (lr_stateful_rec->has_lb_vip && features->ct_lb_related) {
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
+        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
         size_t match_len = match->length;
 
         ds_put_format(match, " && %s.skip_snat == 1", ct_flag_reg);
@@ -15061,7 +15061,8 @@ build_lrouter_nat_defrag_and_lb(
     if (lr_stateful_rec->has_lb_vip) {
         ds_clear(match);
 
-        ds_put_format(match, "ct.est && !ct.rel && !ct.new && %s.natted",
+        ds_put_format(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
+                             "%s.natted",
                       ct_flag_reg);
         size_t match_len = match->length;