Can't learn MAC binding for an external IP with a snat rule.
danieldin95 opened this issue · 1 comments
On lr-4d4fad05, create a snat rule with an external IP [172.16.10.27] that is not the default external IP [172.16.10.210]:
()[root@ovn-tool-0 /]# ovn-nbctl show 4d4fad05-9150-4f6a-b66b-7b7f7021d103
router 4d4fad05-9150-4f6a-b66b-7b7f7021d103 (neutron-7e53f214-cfd0-4b54-86e7-92176c3adcc3) (aka cth-test-router)
port lrp-e5fe50c0-c79d-4c34-b243-2678b224f446
mac: "fa:16:3e:26:3b:a7"
networks: ["172.16.10.210/24"]
gateway chassis: [15a4496d-02b9-4b68-85e0-41999f4532d4 fb5de3a4-710c-47e9-9fd0-46f652f0a423 39d4b47c-ec98-43cf-9711-c27541a262b6]
port lrp-8124342f-a0d7-46a8-8118-aca938f806c4
mac: "fa:16:3e:4b:8d:d4"
networks: ["192.168.131.1/24"]
nat 5acadda7-1b55-4cb9-ad35-ae3b97acf95c
external ip: "172.16.10.40"
logical ip: "192.168.131.155"
type: "dnat_and_snat"
nat d473937e-10c9-4684-baa3-4915243fe65e
external ip: "172.16.10.27"
logical ip: "192.168.131.0/25"
type: "snat"
nat d8fced8f-fd62-47f3-9524-a7c61e643d79
external ip: "172.16.10.210"
logical ip: "0.0.0.0/0"
type: "snat"
nat dbaf8fb9-8057-400d-90e5-1dc08d801e8c
external ip: "172.16.10.210"
logical ip: "192.168.131.0/24"
type: "snat"
And on lr-12e11990, create a dnat_and_snat rule to forward traffic destined for 172.16.10.23 to 192.168.0.235:
()[root@ovn-tool-0 /]# ovn-nbctl show 12e11990-ef78-4f04-907d-8ffb38d8c584
router 12e11990-ef78-4f04-907d-8ffb38d8c584 (neutron-1a6fac4b-5647-439e-b607-d7615209b37e) (aka share_router)
port lrp-11c15734-a236-484c-8b8a-dc3bd0b0a3a8
mac: "fa:16:3e:04:1f:ae"
networks: ["192.168.0.1/24"]
port lrp-2bc14fc0-d797-4786-9a01-237fec6d113d
mac: "fa:16:3e:db:93:70"
networks: ["192.168.111.1/24"]
port lrp-43215760-af0b-480b-8f7d-a6d80de4f8e2
mac: "fa:16:3e:91:0f:96"
networks: ["172.16.10.78/24"]
gateway chassis: [15a4496d-02b9-4b68-85e0-41999f4532d4 39d4b47c-ec98-43cf-9711-c27541a262b6 fb5de3a4-710c-47e9-9fd0-46f652f0a423]
nat 30560111-4d82-49f2-b716-0f80892c13d6
external ip: "172.16.10.78"
logical ip: "192.168.111.0/24"
type: "snat"
nat b4b91358-15f1-4113-8e66-af510777507d
external ip: "172.16.10.23"
logical ip: "192.168.0.235"
type: "dnat_and_snat"
nat cfae5e82-9046-4d3e-92bd-c7c990db1b18
external ip: "172.16.10.25"
logical ip: "192.168.0.58"
type: "dnat_and_snat"
nat d4bfc784-d1d7-448c-9843-cafbf7586b39
external ip: "172.16.10.78"
logical ip: "192.168.0.0/24"
type: "snat"
nat e911876d-6f44-4bfe-8f49-d47b3585ee88
external ip: "172.16.10.78"
logical ip: "0.0.0.0/0"
type: "snat"
()[root@ovn-tool-0 /]#
Then on lr-4d4fad05 we create a VM on lrp-d307bf99 with its IP address in 192.168.131.0/25, so this VM will use 172.16.10.27, and not 172.16.10.210, to visit 172.16.10.23:
switch 4307e64e-4088-4b2d-8443-e59fe1b66025 (neutron-2b212c95-2342-4f2d-9b72-ed754b847ee9) (aka cth_test)
port 8124342f-a0d7-46a8-8118-aca938f806c4 (aka router_iface_gjz8yVdE)
type: router
router-port: lrp-8124342f-a0d7-46a8-8118-aca938f806c4
port d307bf99-45d1-4cfe-a15d-4d6477d569ec (aka cth-net-client_cth_test_df1313a1)
addresses: ["fa:16:3e:ae:a2:26 192.168.131.247"]
But curl 172.16.10.23 does not work, and we see ARP requests from 172.16.10.23 for 172.16.10.27 on the public network that the lr is connected to.
So we guess the MAC binding for 172.16.10.27 is not being learned. When we add a MAC binding via ovn-sbctl, like this:
()[root@ovn-tool-0 /]# ovn-sbctl create mac_binding datapath=675eac5c-b01b-4ea8-b425-03570cff0c7e logical_port=lrp-43215760-af0b-480b-8f7d-a6d80de4f8e2 ip="172.16.10.27" mac="fa\:16\:3e\:26\:3b\:a7"
7d135ef1-8750-4df9-937d-8c035df9b8aa
()[root@ovn-tool-0 /]#
After that, curl 172.16.10.23 works. This may be a bug exposed by the case above. When I looked at the code in northd.c, I may have found a way to fix it, but I am not sure why. Can anyone help me fix it?
diff --git a/northd/northd.c b/northd/northd.c
index 08c262532..6b4e7422a 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -7140,6 +7140,9 @@ build_lswitch_rport_arp_req_flows(struct ovn_port *op,
}
}
+ struct sset snat_ips_v4 = SSET_INITIALIZER(&snat_ips_v4);
+ struct sset snat_ips_v6 = SSET_INITIALIZER(&snat_ips_v6);
+
for (size_t i = 0; i < op->od->nbr->n_nat; i++) {
struct ovn_nat *nat_entry = &op->od->nat_entries[i];
const struct nbrec_nat *nat = nat_entry->nb;
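Review bot: The two `struct sset` locals initialised at the top of this hunk (`snat_ips_v4`, `snat_ips_v6`) own heap-allocated entries once `sset_add()` runs in the following hunk, and neither visible hunk releases them. Unless the part of the patch that is cut off here does so, every call of build_lswitch_rport_arp_req_flows() leaks the stored external IP strings inside ovn-northd, which is a long-running daemon. After the NAT loop I would add `sset_destroy(&snat_ips_v4);` and `sset_destroy(&snat_ips_v6);`. The function body starts and ends outside the hunk, so any early return between the initialisers and the end of the loop needs the same cleanup. A one-line comment above the declarations, such as `/* External IPs of snat rules already handled; each one is processed only once. */`, would also record why the sets exist.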
@@ -7149,7 +7152,17 @@ build_lswitch_rport_arp_req_flows(struct ovn_port *op,
}
if (!strcmp(nat->type, "snat")) {
- continue;
+ if (nat_entry_is_v6(nat_entry)) {
+ if (sset_contains(&snat_ips_v6, nat->external_ip)) {
+ continue;
+ }
+ sset_add(&snat_ips_v6, nat->external_ip);
+ } else {
+ if (sset_contains(&snat_ips_v4, nat->external_ip)) {
+ continue;
+ }
+ sset_add(&snat_ips_v4, nat->external_ip);
+ }
}