northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.
In case of an LB having the client as VIP and lb_force_snat_ip being set
to a specific IP, we would SNAT the reply traffic for the load balancer.
That was caused by premature unDNAT due to the client IP being the
LB VIP, in combination with the match for SNAT that was checking only
the flag "force_snat_for_lb == 1".

Add a match to ensure that the reply traffic is not being sent to SNAT.

Reported-at: https://issues.redhat.com/browse/FDP-1009
Signed-off-by: Ales Musil <amusil@redhat.com>
almusil committed Dec 12, 2024
1 parent 29801e1 commit 8e04433
Showing 3 changed files with 140 additions and 137 deletions.
5 changes: 3 additions & 2 deletions northd/northd.c
Expand Up @@ -16616,7 +16616,7 @@ build_lrouter_nat_defrag_and_lb(
if (lr_stateful_rec->has_lb_vip) {
ds_clear(match);

ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
size_t match_len = match->length;

ds_put_cstr(match, " && ct_mark.skip_snat == 1");
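Review bot: the reason for the new `!ct.rpl` term in `"ct.rel && !ct.est && !ct.new && !ct.rpl"` lives only in the commit message; a one-line comment above this `ds_put_cstr` saying that reply-direction related traffic must not reach the force-SNAT flows (the client-is-VIP case from FDP-1009) would keep that rationale with the code. Note also that `match_len` is taken after the new term, so the `ct_mark.skip_snat == 1` variant appended on the next line inherits `!ct.rpl` as well, which is the intended effect and worth stating in that comment.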
Expand All @@ -16641,7 +16641,8 @@ build_lrouter_nat_defrag_and_lb(
*/
ds_clear(match);

ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
"ct_mark.natted");
match_len = match->length;

ds_put_cstr(match, " && ct_mark.skip_snat == 1");
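Review bot: the comment block that closes with `*/` just above `ds_clear(match)` describes the established-connection case but does not mention that `!ct.rpl` now excludes reply packets from the `ct.est && !ct.rel && !ct.new && ct_mark.natted` match; extend it so a reader understands why an established, natted reply must skip this flow. The summary lists 3 changed files but only northd/northd.c is rendered here, so please confirm the other two carry a test that sends traffic from a client whose address is the LB VIP with lb_force_snat_ip set and checks that the reply is not SNATed.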
