Commit
northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.
In the case of an LB having the client as VIP and lb_force_snat_ip being set
to a specific IP, we would SNAT the reply traffic for the load balancer.
That was caused by premature unDNAT due to the client IP being the
LB VIP, in combination with the match for SNAT that was checking only
the flag "force_snat_for_lb == 1".

Add a match to ensure that the reply traffic is not being sent to SNAT.
Also extend the test for LB related traffic to ensure that this
doesn't break the scenario when related traffic originates from the
LB backend as a reply.

Reported-at: https://issues.redhat.com/browse/FDP-1009
Signed-off-by: Ales Musil <amusil@redhat.com>
almusil committed Dec 11, 2024
1 parent 7c7a975 commit e951da4
Showing 3 changed files with 157 additions and 142 deletions.
3 changes: 2 additions & 1 deletion northd/northd.c
@@ -16641,7 +16641,8 @@ build_lrouter_nat_defrag_and_lb(
*/
ds_clear(match);

ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
"ct_mark.natted");
match_len = match->length;

ds_put_cstr(match, " && ct_mark.skip_snat == 1");
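Review bot: the new `!ct.rpl` term in the match string is the whole fix, but the comment block that ends just above it (the `*/` at the top of the hunk) is not updated, so the only explanation of why reply-direction traffic must be kept out of the force-SNAT stage lives in the commit message. Please add a sentence to that comment stating that for an LB whose client is itself the VIP with lb_force_snat_ip set, the reply has already been unDNATed and would otherwise hit this `ct_mark.natted` match and be SNATed, since a reader of `build_lrouter_nat_defrag_and_lb()` will not find that rationale in the code. Note also that `match_len = match->length` is still taken before the `" && ct_mark.skip_snat == 1"` suffix is appended, so the `!ct.rpl` condition correctly carries into both the skip_snat and the force_snat variants of the flow; it would be good to have the extended test referenced in the commit message (one of the 3 changed files, not shown in this hunk) assert both that reply traffic from the VIP-as-client case is no longer SNATed and that related traffic originating from the backend still is handled as before.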

0 comments on commit e951da4