OCPBUGS-61454: [4.19] allow default network -> localnet on the same node for any localnet subnet#2753
Fixes regression from 1448d5a.

The previous commit dropped matching on in_port so that localnet ports would also use table 1. This allows reply packets from a localnet pod towards the shared OVN/LOCAL IP to be sent to the correct port. However, a regression was introduced where traffic coming from these localnet ports to any destination would be sent to table 1. Egress traffic from the localnet ports is not committed to conntrack, so by sending to table=1 via CT we were getting a miss. This is especially bad for hardware offload, where a localnet port is being used as the Geneve encap port. In this case all Geneve traffic misses in the CT lookup and is not offloaded.

Table 1 is intended for handling IP traffic destined to the shared gateway IP/MAC that both the host and OVN use. It is also used to handle reply traffic for Egress IP. To fix this problem, we can add dl_dst match criteria to this flow, ensuring that only traffic destined to the host/OVN goes to table 1.

Furthermore, after fixing this problem there still exists the issue that localnet -> host/OVN egress traffic will still enter table 1 and CT miss. Potentially this can be fixed by always committing egress traffic, but it might have a performance penalty, so that fix is deferred to a later date.

Signed-off-by: Tim Rozet <trozet@nvidia.com>
(cherry picked from commit 318f8ce)
Add dl_dst=$breth0 to table=0, prio=50 for IPv6.

We want to match in table=1 only conntrack'ed reply traffic whose next hop is either OVN or the host. As a consequence, localnet traffic whose next hop is an external router (and that might or might not be destined to OVN/host) should bypass table=1 and just hit the NORMAL flow in table=0.

Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com>
(cherry picked from commit ef1aa99)
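The two commit messages above describe a table-0 flow that sends traffic through ct() into table 1, and explain why matching on dl_dst (the bridge/OVN MAC) is what keeps localnet egress out of that path. The following Python model is an added illustration, not code from this PR or from ovn-kubernetes: it simulates a priority-ordered OpenFlow-style lookup and a minimal conntrack table so the three cases in the text can be compared side by side (regressed flow without dl_dst versus the fixed flow with it). All MACs, port names, IPs and flow priorities are constructed for the example, and ethertype is ignored so the same logic stands in for both the IPv4 and the IPv6 flow.

```python
"""Model of the table-0 -> ct(table=1) decision on the external bridge.

Added example (not ovn-kubernetes code). Shows why a table-0 flow that
wildcards in_port sends every localnet packet through conntrack (CT miss),
and how adding dl_dst=<bridge MAC> limits table 1 to traffic whose next
hop is the host/OVN. Constants below are constructed for the illustration.
"""
from dataclasses import dataclass

BRIDGE_MAC = "02:00:00:00:00:01"  # constructed: MAC shared by breth0 and the OVN gateway
ROUTER_MAC = "02:00:00:00:00:ff"  # constructed: external router on the localnet VLAN
LOCALNET_PORT = "localnet-pod0"   # constructed: OVS port of a localnet pod
HOST_IP = "192.168.10.1"          # constructed: host address on the localnet subnet
POD_IP = "192.168.10.50"          # constructed: localnet pod address
EXT_IP = "192.168.20.7"           # constructed: address behind the external router
OVN_IP = "10.244.0.5"             # constructed: cluster pod reached via OVN


@dataclass(frozen=True)
class Packet:
    in_port: str
    dl_dst: str
    nw_src: str
    nw_dst: str


@dataclass(frozen=True)
class Flow:
    priority: int
    match: dict   # exact-match fields; a field absent from the dict is wildcarded
    action: str   # "ct(table=1)" or "NORMAL"


def lookup(flows, pkt):
    """Return the action of the highest-priority flow whose fields all match."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if all(getattr(pkt, field) == value for field, value in flow.match.items()):
            return flow.action
    return "drop"  # table miss; unreachable here because of the priority-0 NORMAL flow


class Conntrack:
    """Minimal conntrack: only committed connections produce an established hit."""

    def __init__(self):
        self._committed = set()

    def commit(self, ip_a, ip_b):
        self._committed.add(frozenset((ip_a, ip_b)))

    def lookup(self, pkt):
        hit = frozenset((pkt.nw_src, pkt.nw_dst)) in self._committed
        return "ct_est" if hit else "ct_miss"


def table0(match_dl_dst):
    """Table-0 flows. match_dl_dst=False models the regressed flow that sends
    every packet through ct(); True models the fix, where only packets whose
    next hop is the bridge/OVN MAC are sent to table 1."""
    match = {"dl_dst": BRIDGE_MAC} if match_dl_dst else {}
    return [Flow(50, match, "ct(table=1)"), Flow(0, {}, "NORMAL")]


def forward(pkt, ct, match_dl_dst):
    """Run one packet through table 0; if redirected, report the CT lookup result
    that table 1 would see."""
    if lookup(table0(match_dl_dst), pkt) == "NORMAL":
        return "table0:NORMAL"
    return "table1:" + ct.lookup(pkt)


def scenarios():
    """Return {case: (regressed_result, fixed_result)} for the three cases
    described in the commit message."""
    ct = Conntrack()
    ct.commit(HOST_IP, POD_IP)  # a host-initiated connection to the pod was committed
    pkts = {
        # localnet pod egress via the external router (the Geneve encap case in offload)
        "pod->router": Packet(LOCALNET_PORT, ROUTER_MAC, POD_IP, EXT_IP),
        # reply from the localnet pod on the host-initiated, committed connection
        "pod->host reply": Packet(LOCALNET_PORT, BRIDGE_MAC, POD_IP, HOST_IP),
        # new connection from the localnet pod towards OVN: still a CT miss after the fix
        "pod->ovn new": Packet(LOCALNET_PORT, BRIDGE_MAC, POD_IP, OVN_IP),
    }
    return {name: (forward(p, ct, False), forward(p, ct, True)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (regressed, fixed) in scenarios().items():
        print(f"{name:16} regressed={regressed:15} fixed={fixed}")
```

Running it shows the regression in the first case only: without dl_dst the pod-to-router packet is diverted through ct() and misses, with dl_dst it hits NORMAL in table 0. The reply case is unchanged by the fix (established hit either way), and the new pod-to-OVN connection still misses in both variants, which is the residual issue the commit message defers.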
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit 4ce92a9)
We already tested localnet -> host, let's also cover connections initiated from the host. The localnet uses IPs in the same subnet as the host network. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit a5029f8)
We have two non-InterConnect CI lanes for multihoming, while only one with IC enabled (and local gw). We need coverage with IC enabled for both gateway modes, so let's make an existing non-IC lane IC enabled, set it as dualstack and gateway=shared to have better coverage. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit bf6f9c1)
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit 6de44ef)
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit c4cc25a)
This is needed because we will need to generate IPs from different subnets than just the host subnet. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit eb5f3c1)
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit f82e101)
The localnet is on a subnet different from the host subnet, the corresponding NAD is configured with a VLAN ID, and the localnet pod uses an external router to communicate with cluster pods. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit 69ec569)
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit 51eae7a)
Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit dea42b4)
In testing we saw how an invalid conntrack state would drop all echo requests after the first one. Let's send three pings in each test then. Signed-off-by: Riccardo Ravaioli <rravaiol@redhat.com> (cherry picked from commit b004ed0)

@ricky-rav: This pull request references Jira Issue OCPBUGS-61454, which is invalid:
The bug has been updated to refer to the pull request using the external bug tracker.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

/retest

/retest

/retest

@ricky-rav: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

/retest

@ricky-rav: trigger 5 job(s) of type blocking for the ci release of OCP 4.19
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/377ee090-9f74-11f0-8df4-85b9fb56a36c-0
trigger 11 job(s) of type blocking for the nightly release of OCP 4.19
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/377ee090-9f74-11f0-8df4-85b9fb56a36c-1

/verified by @asood-rh

@asood-rh: This PR has been marked as verified by
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

/payload-aggregate periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aks 5

@ricky-rav: trigger 3 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5abadb00-a06d-11f0-95dc-f3e7f32af62c-0

/override ci/prow/lint

@tssurya: Overrode contexts on behalf of tssurya: ci/prow/lint
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

/lgtm

Next time let's use -x from 4.20 for the commits, not master

/label backport-risk-assessed

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ricky-rav, tssurya
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/label jira/valid-bug

@ricky-rav: Jira Issue OCPBUGS-61454: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged:
All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with
Jira Issue OCPBUGS-61454 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

/jira refresh

@ricky-rav: Jira Issue Verification Checks: Jira Issue OCPBUGS-61454
Jira Issue OCPBUGS-61454 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Fix included in accepted release 4.19.0-0.nightly-2025-10-09-001851

Upstream: ovn-kubernetes/ovn-kubernetes#5480
Downstream master: #2750
4.20: #2751
For the 4.18 backport, we'll need to wait for #2745 #2663 to merge first.