[Bug 1967856] Re: Hairpin traffic does not work with centralized NAT gw
Numan Siddique
1967856 at bugs.launchpad.net
Thu Apr 7 18:29:58 UTC 2022
It works fine for me
---------------------
[root@ovn-chassis-1 data]# ip netns exec vm1 ping 10.78.95.196
PING 10.78.95.196 (10.78.95.196) 56(84) bytes of data.
64 bytes from 10.78.95.196: icmp_seq=1 ttl=62 time=1.18 ms
64 bytes from 10.78.95.196: icmp_seq=2 ttl=62 time=0.651 ms
64 bytes from 10.78.95.196: icmp_seq=3 ttl=62 time=0.102 ms
64 bytes from 10.78.95.196: icmp_seq=4 ttl=62 time=0.141 ms
^C
--- 10.78.95.196 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3044ms
rtt min/avg/max/mdev = 0.102/0.518/1.179/0.438 ms
[root@ovn-chassis-1 data]#
[root@ovn-chassis-1 data]#
[root@ovn-chassis-1 data]# ip netns exec vm1 ping 10.78.95.196
PING 10.78.95.196 (10.78.95.196) 56(84) bytes of data.
64 bytes from 10.78.95.196: icmp_seq=1 ttl=62 time=0.113 ms
64 bytes from 10.78.95.196: icmp_seq=2 ttl=62 time=0.339 ms
64 bytes from 10.78.95.196: icmp_seq=3 ttl=62 time=0.242 ms
64 bytes from 10.78.95.196: icmp_seq=4 ttl=62 time=0.110 ms
64 bytes from 10.78.95.196: icmp_seq=5 ttl=62 time=0.251 ms
64 bytes from 10.78.95.196: icmp_seq=6 ttl=62 time=0.213 ms
64 bytes from 10.78.95.196: icmp_seq=7 ttl=62 time=0.260 ms
64 bytes from 10.78.95.196: icmp_seq=8 ttl=62 time=0.258 ms
64 bytes from 10.78.95.196: icmp_seq=9 ttl=62 time=0.259 ms
64 bytes from 10.78.95.196: icmp_seq=10 ttl=62 time=0.257 ms
64 bytes from 10.78.95.196: icmp_seq=11 ttl=62 time=0.264 ms
64 bytes from 10.78.95.196: icmp_seq=12 ttl=62 time=0.258 ms
64 bytes from 10.78.95.196: icmp_seq=13 ttl=62 time=0.311 ms
64 bytes from 10.78.95.196: icmp_seq=14 ttl=62 time=0.257 ms
64 bytes from 10.78.95.196: icmp_seq=15 ttl=62 time=0.264 ms
64 bytes from 10.78.95.196: icmp_seq=16 ttl=62 time=0.253 ms
64 bytes from 10.78.95.196: icmp_seq=17 ttl=62 time=0.249 ms
64 bytes from 10.78.95.196: icmp_seq=18 ttl=62 time=0.286 ms
64 bytes from 10.78.95.196: icmp_seq=19 ttl=62 time=0.264 ms
64 bytes from 10.78.95.196: icmp_seq=20 ttl=62 time=0.252 ms
64 bytes from 10.78.95.196: icmp_seq=21 ttl=62 time=0.239 ms
^C
--- 10.78.95.196 ping statistics ---
21 packets transmitted, 21 received, 0% packet loss, time 20515ms
rtt min/avg/max/mdev = 0.110/0.247/0.339/0.050 ms
[root@ovn-chassis-1 data]# ip netns exec vm1 ping 10.78.95.196
PING 10.78.95.196 (10.78.95.196) 56(84) bytes of data.
64 bytes from 10.78.95.196: icmp_seq=1 ttl=62 time=0.816 ms
64 bytes from 10.78.95.196: icmp_seq=2 ttl=62 time=0.258 ms
64 bytes from 10.78.95.196: icmp_seq=3 ttl=62 time=0.265 ms
64 bytes from 10.78.95.196: icmp_seq=4 ttl=62 time=0.269 ms
64 bytes from 10.78.95.196: icmp_seq=5 ttl=62 time=0.256 ms
64 bytes from 10.78.95.196: icmp_seq=6 ttl=62 time=0.273 ms
64 bytes from 10.78.95.196: icmp_seq=7 ttl=62 time=0.260 ms
64 bytes from 10.78.95.196: icmp_seq=8 ttl=62 time=0.239 ms
^C
--- 10.78.95.196 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7165ms
rtt min/avg/max/mdev = 0.239/0.329/0.816/0.184 ms
[root@ovn-chassis-1 data]# ip netns exec vm1 ping 10.78.95.196
PING 10.78.95.196 (10.78.95.196) 56(84) bytes of data.
64 bytes from 10.78.95.196: icmp_seq=1 ttl=62 time=1.41 ms
64 bytes from 10.78.95.196: icmp_seq=2 ttl=62 time=2.10 ms
64 bytes from 10.78.95.196: icmp_seq=3 ttl=62 time=0.275 ms
64 bytes from 10.78.95.196: icmp_seq=4 ttl=62 time=0.262 ms
^C
--- 10.78.95.196 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 0.262/1.012/2.102/0.783 ms
conntrack v1.4.5 (conntrack-tools): 11 flow entries have been shown.
icmp 1 23 src=10.78.95.196 dst=10.78.95.196 type=8 code=0 id=44853 src=192.168.0.52 dst=10.78.95.196 type=0 code=0 id=44853 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=1 use=1
icmp 1 29 src=192.168.0.52 dst=10.78.95.196 type=8 code=0 id=41407 src=10.78.95.196 dst=10.78.95.196 type=0 code=0 id=41407 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=4 use=1
icmp 1 2 src=192.168.0.52 dst=10.78.95.196 type=8 code=0 id=50072 src=10.78.95.196 dst=10.78.95.196 type=0 code=0 id=50072 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=4 use=1
icmp 1 29 src=10.78.95.196 dst=10.78.95.196 type=8 code=0 id=41407 src=192.168.0.52 dst=10.78.95.196 type=0 code=0 id=41407 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=1 use=1
icmp 1 23 src=192.168.0.52 dst=10.78.95.196 type=8 code=0 id=44853 src=10.78.95.196 dst=10.78.95.196 type=0 code=0 id=44853 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=4 use=1
icmp 1 2 src=10.78.95.196 dst=10.78.95.196 type=8 code=0 id=50072 src=192.168.0.52 dst=10.78.95.196 type=0 code=0 id=50072 mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=1 use=1
-------------------
I noticed that the NATs had the option stateless=true set. Is that intentional?
If so, the packet should not be sent to conntrack at all. For me it
worked both for stateless=true and stateless=false.
I tested with the latest main. Maybe you can test with the latest main?
Thanks
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1967856
Title:
Hairpin traffic does not work with centralized NAT gw
Status in ovn package in Ubuntu:
Triaged
Bug description:
If you have two hvs where hv1 is the gateway chassis and you have an
instance running on hv2, then on the instance on hv2 hairpin traffic
works for the first session, but not for the next:
$ ping -c1 10.78.95.89
PING 10.78.95.89 (10.78.95.89) 56(84) bytes of data.
64 bytes from 10.78.95.89: icmp_seq=1 ttl=62 time=1.07 ms
--- 10.78.95.89 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.078/1.078/1.078/0.000 ms
$ sudo ovs-appctl -t ovs-vswitchd dpctl/dump-conntrack
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=0,code=0),zone=7
$ ping -c1 10.78.95.89
PING 10.78.95.89 (10.78.95.89) 56(84) bytes of data.
--- 10.78.95.89 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ sudo ovs-appctl -t ovs-vswitchd dpctl/dump-conntrack
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7335,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7335,type=0,code=0),zone=7
We made an attempt at using OVN built with [0], but that did
unfortunately not help.
If we however revert [1] it works again:
$ ping -c1 10.78.95.89
PING 10.78.95.89 (10.78.95.89) 56(84) bytes of data.
64 bytes from 10.78.95.89: icmp_seq=1 ttl=62 time=1.31 ms
--- 10.78.95.89 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.318/1.318/1.318/0.000 ms
$ sudo ovs-appctl -t ovs-vswitchd dpctl/dump-conntrack
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=1
$ ping -c1 10.78.95.89
PING 10.78.95.89 (10.78.95.89) 56(84) bytes of data.
64 bytes from 10.78.95.89: icmp_seq=1 ttl=62 time=0.307 ms
--- 10.78.95.89 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.307/0.307/0.307/0.000 ms
$ sudo ovs-appctl -t ovs-vswitchd dpctl/dump-conntrack
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7337,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7337,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7337,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7337,type=0,code=0),zone=1
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7337,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7337,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=1
0: https://patchwork.ozlabs.org/project/ovn/patch/20220401175516.2139179-1-mmichels@redhat.com/
1: https://github.com/ovn-org/ovn/commit/4deac4509abbedd6ffaecf27eed01ddefccea40a
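
A way to compare the `dpctl/dump-conntrack` captures in the description above, as an added example that is not part of the bug report or of OVN: it groups entries by ICMP id and lists ids that have an entry toward an address but none originating from it. The function names are hypothetical and the sample strings are copied from the dumps in the description.

```python
import re
from collections import defaultdict

# Sample input: entries copied from the bug description's dumps (the failing
# run, then the first dump taken after reverting [1]).
FAILING = """\
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7334,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7334,type=0,code=0),zone=7
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7335,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7335,type=0,code=0),zone=7
"""
AFTER_REVERT = """\
icmp,orig=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=8,code=0),reply=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=7
icmp,orig=(src=10.78.95.89,dst=192.168.0.211,id=7336,type=8,code=0),reply=(src=192.168.0.211,dst=10.78.95.89,id=7336,type=0,code=0),zone=1
"""

ENTRY = re.compile(r"^(\w+),orig=\(([^)]*)\),reply=\(([^)]*)\)(.*)$")

def _kv(text):
    # "src=a,dst=b,id=1" -> {"src": "a", "dst": "b", "id": "1"}
    return dict(p.split("=", 1) for p in text.split(",") if "=" in p)

def parse_dump(dump):
    """Parse dpctl/dump-conntrack lines into dicts (original direction only)."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY.match(line.strip())
        if m is None:
            continue  # skip prompts, blank lines, anything that is not an entry
        orig, rest = _kv(m.group(2)), _kv(m.group(4))
        entries.append({"proto": m.group(1), "src": orig.get("src"),
                        "dst": orig.get("dst"), "id": orig.get("id"),
                        "zone": int(rest.get("zone", 0))})
    return entries

def zones_by_id(entries):
    """Map each ICMP id to the sorted conntrack zones holding an entry for it."""
    zones = defaultdict(set)
    for e in entries:
        zones[e["id"]].add(e["zone"])
    return {k: sorted(v) for k, v in zones.items()}

def one_sided_ids(entries, address):
    """ICMP ids with an entry destined to `address` but none originating from it."""
    to_addr = {e["id"] for e in entries if e["dst"] == address}
    from_addr = {e["id"] for e in entries if e["src"] == address}
    return sorted(to_addr - from_addr)

if __name__ == "__main__":
    for name, dump in (("failing", FAILING), ("after revert", AFTER_REVERT)):
        parsed = parse_dump(dump)
        print(name, zones_by_id(parsed), one_sided_ids(parsed, "10.78.95.89"))
```

On the failing capture this singles out id 7335, the session whose ping was lost; on the post-revert capture no id is one-sided and id 7336 appears in zones 1 and 7.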