[ovs-dev] ovn lb_force_snat changes

Tim Rozet trozet at redhat.com
Mon Jan 25 22:02:36 UTC 2021


Hi All,
Today on a router we can do:
lb_force_snat_ip="100.64.0.2 fd98::2"

The issue with this is if you have a router with multiple egress paths
based on LB DNAT you could end up sending the packet out an interface with
an undesired SNAT. For example, consider this topology:
                    |---------- eth2 100.64.0.2
                    |
eth0----------GR--------eth1 169.254.169.2

GR has load balancer VIP 10.0.0.1, backends 100.64.0.5, 169.254.169.5 and
lb_force_snat_ip=100.64.0.2 configured.

A packet arrives at the GR from eth0, dst IP 10.0.0.1. Now, no matter which
backend it picks, the packet will always be SNAT'ed to 100.64.0.2 even when
it leaves on eth1. The request here is to be able to specify the egress
interface with the force SNAT. Therefore we could specify multiple (one per
interface) force SNATs on a GR:

lb_force_snat_ips={"eth2 100.64.0.2", "eth1 169.254.169.2"} ...or something
like that

Thoughts?

Tim Rozet
Red Hat OpenShift Networking Team
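
The following is an added example, not part of the original message and not OVN code. It models the topology above to show which backend ends up with an SNAT source that does not belong to its egress interface, first with a single force-SNAT address and then with one address per interface. The /24 prefix lengths, the function names and the dict form of the per-interface setting are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of the topology in the message; /24 prefix lengths are assumed.
PORTS = {
    "eth2": ipaddress.ip_interface("100.64.0.2/24"),
    "eth1": ipaddress.ip_interface("169.254.169.2/24"),
}
BACKENDS = ["100.64.0.5", "169.254.169.5"]  # backends of VIP 10.0.0.1


def egress_port(backend):
    """Return the router port whose connected subnet contains the backend."""
    addr = ipaddress.ip_address(backend)
    matches = [(iface.network.prefixlen, name)
               for name, iface in PORTS.items() if addr in iface.network]
    if not matches:
        raise LookupError(f"no connected route to {backend}")
    return max(matches)[1]  # longest prefix wins


def snat_single(backend, lb_force_snat_ip):
    """Behaviour described in the message: one address for every egress path."""
    return ipaddress.ip_address(lb_force_snat_ip)


def snat_per_port(backend, per_port):
    """Requested behaviour (hypothetical form): address chosen by egress port."""
    return ipaddress.ip_address(per_port[egress_port(backend)])


def mismatches(snat_fn, cfg):
    """List backends whose SNAT source is not on the egress port's subnet."""
    bad = []
    for backend in BACKENDS:
        port = egress_port(backend)
        src = snat_fn(backend, cfg)
        if src not in PORTS[port].network:
            bad.append((backend, port, str(src)))
    return bad


if __name__ == "__main__":
    print("single  :", mismatches(snat_single, "100.64.0.2"))
    print("per-port:", mismatches(
        snat_per_port, {"eth2": "100.64.0.2", "eth1": "169.254.169.2"}))
```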

