[R2.20] Incorrect vrf translate when both snat/dnat on same flow
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | |||||
| R2.0 |
Fix Committed
|
High
|
Naveen N | |||
| R2.20 |
Fix Committed
|
High
|
Naveen N | |||
| R3.0 |
Invalid
|
High
|
Naveen N | |||
| Trunk |
Fix Committed
|
High
|
Naveen N | |||
Bug Description
VM1 (1.1.1.3) in VN1 pings FIP (7.1.1.10) of VM2(1.1.2.3) in VN2. The ICMP echo request goes via an SNAT instance (source gets translated to 7.1.1.13); the FIP for VM2 has been carved out of the GW n/w of the logical router doing the SNAT.
root@c4-fpc10:~# flow -l
Flow table(size 34078720, entries 532480)
Entries: Created 335 Added 333 Processed 335
(Created Flows/CPU: 39 8 31 34 13 8 23 20 37 18 12 12 15 10 8 15 2 7 0 0 0 3 0 2 2 2 4 1 2 1 2 4)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Index Source:Port Destination:Port Proto(V)
-------
9432 7.1.1.10:23553 1.1.1.3:0 1 (5->6)
(K(nh):51, Action:F, S(nh):51, Statistics:0/0 UdpSrcPort 50768)
66732<=>134756 1.1.2.3:23553 7.1.1.13:0 1 (3->4)
(K(nh):26, Action:N(S), S(nh):26, Statistics:0/0 UdpSrcPort 56579)
134756<=>66732 7.1.1.13:23553 7.1.1.10:0 1 (4->7)
(K(nh):58, Action:N(D), S(nh):58, Statistics:4/392 UdpSrcPort 58741)
515184 1.1.1.3:23553 7.1.1.10:0 1 (1)
(K(nh):35, Action:F, S(nh):35, Statistics:4/392 UdpSrcPort 57048)
root@c4-fpc10:~#
packet entering the netns instance:
root@c4-fpc10:~# tcpdump -i veth279ff3d8-e
tcpdump: WARNING: veth279ff3d8-e: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth279ff3d8-e, link-type EN10MB (Ethernet), capture size 65535 bytes
08:19:22.539154 IP 1.1.1.3 > 7.1.1.10: ICMP echo request, id 23553, seq 112, length 64
08:19:23.539318 IP 1.1.1.3 > 7.1.1.10: ICMP echo request, id 23553, seq 113, length 64
packet exiting the netns instance (source IP is translated)
root@c4-fpc10:~# tcpdump -i veth39ce797e-2
tcpdump: WARNING: veth39ce797e-2: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth39ce797e-2, link-type EN10MB (Ethernet), capture size 65535 bytes
08:18:38.532298 IP 7.1.1.13 > 7.1.1.10: ICMP echo request, id 23553, seq 68, length 64
08:18:39.532453 IP 7.1.1.13 > 7.1.1.10: ICMP echo request, id 23553, seq 69, length 64
This packet is received in VRF 4, which has the stitched MAC entry for the destination:
7.1.1.10/32 32 PT - 26 2:2c:d0:
root@c4-fpc10:~# nh --get 26
Id:26 Type:Encap Fmly: AF_INET Flags:Valid, Policy, Rid:0 Ref_cnt:6 Vrf:3
However, instead of using this entry and routing to Vrf 3, the packet gets routed to Vrf 7 (as shown in flow table entry).
| information type: | Proprietary → Public |
| amit surana (asurana-t) wrote | #1 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] master | #2 |
| tags: | added: releasenote |
| OpenContrail Admin (ci-admin-f) wrote [Review update] R2.20 | #4 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #6 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] R2.0 | #7 |
| OpenContrail Admin (ci-admin-f) wrote A change has been merged | #9 |
| OpenContrail Admin (ci-admin-f) wrote | #10 |
| OpenContrail Admin (ci-admin-f) wrote [Review update] R2.22-dev | #11 |
This bug occurs when the SNAT instance and the destination VM are on the same compute. In other words, if SNAT and DNAT both happen on the same compute, then the ping will fail.