[ovs-dev] [PATCH ovn] northd: Fix routing loop in LRs with one-to-many SNAT

Ben Pfaff blp at ovn.org
Tue Mar 23 16:57:14 UTC 2021

On Mon, Mar 22, 2021 at 10:14:46AM +0100, Krzysztof Klimonda wrote:
> If there are SNAT entries on the router, and some logical_ip are set to
> a network instead of an IP address, then the given SNAT is a masquerade. In such
> a case the ct_snat action is used in the lr_in_unsnat table to ensure that the
> packet is matched against conntrack and the destination IP is replaced with
> the one from the matching conntrack entry.
>
> This however breaks down for new connections sent to the router's external IP
> address. In such a case, when the packet is checked against the conntrack table,
> there is no match, and its destination IP remains unchanged. This causes a
> loop in lr_in_ip_routing.
>
> This commit installs a new logical flow in the lr_in_ip_routing table for
> routers that have an SNAT entry with logical_ip set to a network (that being
> a masquerade). This flow drops packets that, after going through conntrack
> via the ct_snat action in the lr_in_unsnat table, are not in established or
> related state (!ct.est && !ct.rel) and whose destination IP still matches
> the router's external IP. This prevents vswitchd from looping such packets
> until their TTL reaches zero, as well as installing bogus flows in the
> datapath that lead to the ovs module dropping such packets with the "deferred
> action limit reached, drop recirc action" message.
>
> Signed-off-by: Krzysztof Klimonda <kklimonda at syntaxhighlighted.com>

Thanks for contributing to OVN.

I see that you've submitted a patch that updates ovn-northd.c, but not
the DDlog implementation of the same logic in ovn_northd.dl.  We would
like to keep these two implementations in sync.  If you need help
figuring out how to write the DDlog code for this change, please let me
