[ovs-git] [ovn-org/ovn] d91f35: northd: Add VIP port to established flows in DNAT ...

Mark Gray noreply at github.com
Tue Aug 24 15:56:30 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: d91f359b76947a28d63b0b65491d1203a7dce1c4
      https://github.com/ovn-org/ovn/commit/d91f359b76947a28d63b0b65491d1203a7dce1c4
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2021-08-24 (Tue, 24 Aug 2021)

  Changed paths:
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c
    M northd/ovn_northd.dl
    M tests/ovn-northd.at
    M tests/ovn.at

  Log Message:
  -----------
  northd: Add VIP port to established flows in DNAT table for Load Balancers

When adding a load balancer to a logical router, two flows are added to
the ingress DNAT table. One flow is for established connections and one is
for new connections. They have the following form:

ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp

As the established flow does not specify the VIP port, if two load
balancers are added with the same VIP but different VIP ports, then
two conflicting flows will be added. For example,

ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp
ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp

This normally does not give an issue as both flows will have the same
action: next.

However, if the logical router specifies "force_snat_for_lb" and one
load balancer specifies "skip_snat" then both flows will have the
same match but different, conflicting actions: "flags.force_snat_for_lb = 1; next;"
and "flags.skip_snat_for_lb = 1; next;". This can cause unintended
consequences.

This commit adds the VIP port to the DNAT flow. It also updates
the defrag table to save that port in a register (before it gets
DNATted).

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1995326
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Mark Michelson <mmichels at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>
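
The conflict described in the log message can be checked for in a logical flow dump. The following is an added example, not part of the commit or of the OVN code base: it groups flows by stage, priority and match, and reports any group whose actions differ. The sample lines are constructed in the style of `ovn-sbctl lflow-list` output; the table number, priority, ports 80/8080, the `VIP_PORT_REG` placeholder and the function name `conflicting_flows` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `ovn-sbctl lflow-list` output; table
# number and priority are illustrative, not taken from the commit.
BEFORE = """\
  table=6 (lr_in_dnat), priority=120, match=(ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp), action=(flags.force_snat_for_lb = 1; next;)
  table=6 (lr_in_dnat), priority=120, match=(ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp), action=(flags.skip_snat_for_lb = 1; next;)
"""
# The same two flows once the match carries the VIP port. VIP_PORT_REG is a
# placeholder for the register used by the fix, which the message does not name.
AFTER = """\
  table=6 (lr_in_dnat), priority=120, match=(ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp && VIP_PORT_REG == 80), action=(flags.force_snat_for_lb = 1; next;)
  table=6 (lr_in_dnat), priority=120, match=(ct.est && ip4 && reg0 == 10.0.0.10 && ct_label.natted == 1 && tcp && VIP_PORT_REG == 8080), action=(flags.skip_snat_for_lb = 1; next;)
"""

LFLOW = re.compile(
    r"table=(?P<table>\d+)\s*\((?P<stage>\w+)\s*\),\s*"
    r"priority=(?P<prio>\d+)\s*,\s*"
    r"match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)\s*$"
)

def conflicting_flows(lflow_text):
    """Return {(stage, priority, match): sorted actions} for flows whose
    stage, priority and match are identical but whose actions differ."""
    actions = defaultdict(set)
    for line in lflow_text.splitlines():
        m = LFLOW.search(line)
        if not m:
            continue  # datapath headers, blank lines
        # Collapse whitespace so padding differences do not hide a duplicate.
        key = (m["stage"], int(m["prio"]), " ".join(m["match"].split()))
        actions[key].add(" ".join(m["action"].split()))
    # Identical match with identical action (both "next;") is not reported.
    return {k: sorted(v) for k, v in actions.items() if len(v) > 1}

if __name__ == "__main__":
    for (stage, prio, match), acts in conflicting_flows(BEFORE).items():
        print(f"{stage} priority={prio} match=({match})")
        for a in acts:
            print(f"    action=({a})")
```
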



