From patchwork Fri Apr 9 15:50:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lorenzo Bianconi X-Patchwork-Id: 1464445 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Xpj1ZwtM; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FH2f05LVdz9sW5 for ; Sat, 10 Apr 2021 01:50:32 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id CD5A1402E2; Fri, 9 Apr 2021 15:50:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZP7JD4bKhOI; Fri, 9 Apr 2021 15:50:28 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp2.osuosl.org (Postfix) with ESMTP id 8E7B140146; Fri, 9 Apr 2021 15:50:27 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 54D80C000C; Fri, 9 Apr 2021 15:50:27 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 85747C000A for ; Fri, 9 Apr 2021 15:50:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 7241C40146 for ; Fri, 9 Apr 2021 15:50:25 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_dOXLY0sFvm for ; Fri, 9 Apr 2021 15:50:21 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by smtp2.osuosl.org (Postfix) with ESMTPS id 7A5B9401AF for ; Fri, 9 Apr 2021 15:50:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1617983420; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Q/wZ8x2PD+Yfee2OqdT02AjeVhJRClbfWv/Pm4bz2Rg=; b=Xpj1ZwtM1d7bEbKnAZdtvnBEoPRlBf/dbVkLBu4/g1S4Nsy/KtfSQpOSjc28Jj6x5kGyhf yUurMA/zBkx9RXHSiTwJhlevANzaa2haoAvam5psDTIdXgGxbVjvRryg6baSbnheok3M4+ c7GEmA4r4HGM8G3lHpVApPHuc7mY6+s= Received: from mail-ej1-f69.google.com (mail-ej1-f69.google.com [209.85.218.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-77-rCVi-ZraMy6HaOBKCpxigA-1; Fri, 09 Apr 2021 11:50:18 -0400 X-MC-Unique: rCVi-ZraMy6HaOBKCpxigA-1 Received: by mail-ej1-f69.google.com with SMTP id w17so440394ejn.16 for ; Fri, 09 Apr 2021 08:50:18 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Q/wZ8x2PD+Yfee2OqdT02AjeVhJRClbfWv/Pm4bz2Rg=; b=Xm9ZcxqHfwoEUcUh7TkILVPeqxVykCEgVyzGp3nHME017QrJzem7imBjiW1V0SZjGN AzrA+tD+NBQzb4vvEwOlcsAQLkSahj/LF0lbJUfSZF3GpZtb+jUosWjAXdk6NB95RNQI fRHdgTmPEe6iw0VMx/kz3oaQ5UaMojhMLOOcKHtDnN0+zvbPqpbuooWC6nJWHrWcNom2 kzugVh2o7nEFIN5JGOyO6abrXhOMvdBpJxmhkkiY0Wszu16ltRFSW71gIl93WmgMMOJS S/B053w5+UOuyBuz5JGqUZmIaKhroIHU93dJU4DYgV4OdMB4YP9IThElDAsbGoGnknTF VdNQ== X-Gm-Message-State: AOAM530xz7p4ibkboIm0w5tIZ7aem1FLF60b/4j6NpdDmZU8icyyFHO8 23fDaqbW7qPayrZFVObAlMgxqxDx98Zl8Ui+ZZu969V5GnkwtJ07uh+U8V3JNLtobroW1Qt2YKf sLN+bsGoLIFmw9Y0ponnjJDThdvn75K8C31VdVLBqdMrrKqUckgEiv/mfpse+eET4c8vPYnK+xC Q= X-Received: by 2002:a17:907:2666:: with SMTP id ci6mr16969109ejc.361.1617983416423; Fri, 09 Apr 2021 08:50:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLUGyWFHN79+QdkeZmiAwxgWnGPEgvy9km9C725PLH8/1yfQstU9os7K6VSIRpnVPNO97/Dg== X-Received: by 2002:a17:907:2666:: with SMTP id ci6mr16969083ejc.361.1617983416076; Fri, 09 Apr 2021 08:50:16 -0700 (PDT) Received: from lore-desk.redhat.com ([151.66.38.94]) by smtp.gmail.com with ESMTPSA id f11sm1382109ejh.120.2021.04.09.08.50.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Apr 2021 08:50:15 -0700 (PDT) From: Lorenzo Bianconi To: dev@openvswitch.org Date: Fri, 9 Apr 2021 17:50:12 +0200 Message-Id: X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lorenzo.bianconi@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Cc: astoycos@redhat.com, trozet@redhat.com Subject: [ovs-dev] [PATCH v3 ovn] northd: introduce per-lb lb_skip_snat option X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Introduce skip_snat in load balancer option column in order to not force_snat traffic that is hitting a given load balancer applied on a logical router where lb_force_snat has been configured https://bugzilla.redhat.com/show_bug.cgi?id=1927540 Tested-by: Andrew Stoycos Acked-by: Mark Michelson Signed-off-by: Lorenzo Bianconi --- Changes since v2: - fix typo in ovn-nb.xml Changes since v1: - rename lb_skip_snat in skip_snat - add skip_snat documentation in ovn-nb.xml - fix typos - introduce enum for return value of snat_for_lb/ --- include/ovn/logical-fields.h | 5 ++++ lib/logical-fields.c | 4 +++ northd/lrouter.dl | 14 ++++++++-- northd/ovn-northd.8.xml | 24 ++++++++++++++++- northd/ovn-northd.c | 51 +++++++++++++++++++++++++----------- northd/ovn_northd.dl | 32 ++++++++++++++++------ ovn-nb.xml | 6 +++++ ovs | 2 +- tests/ovn-northd.at | 25 +++++++++++++++++- 9 files changed, 135 insertions(+), 28 deletions(-) diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index 017176f98..d44b30b30 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -66,6 +66,7 @@ enum mff_log_flags_bits { MLF_LOOKUP_MAC_BIT = 6, MLF_LOOKUP_LB_HAIRPIN_BIT = 7, MLF_LOOKUP_FDB_BIT = 8, + MLF_SKIP_SNAT_FOR_LB_BIT = 9, }; /* MFF_LOG_FLAGS_REG flag assignments */ @@ -102,6 +103,10 @@ enum mff_log_flags { /* Indicate that the lookup in the fdb table was successful. */ MLF_LOOKUP_FDB = (1 << MLF_LOOKUP_FDB_BIT), + + /* Indicate that a packet must not SNAT in the gateway router when + * load-balancing has taken place. */ + MLF_SKIP_SNAT_FOR_LB = (1 << MLF_SKIP_SNAT_FOR_LB_BIT), }; /* OVN logical fields diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 9d08b44c2..72853013e 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -121,6 +121,10 @@ ovn_init_symtab(struct shash *symtab) MLF_FORCE_SNAT_FOR_LB_BIT); expr_symtab_add_subfield(symtab, "flags.force_snat_for_lb", NULL, flags_str); + snprintf(flags_str, sizeof flags_str, "flags[%d]", + MLF_SKIP_SNAT_FOR_LB_BIT); + expr_symtab_add_subfield(symtab, "flags.skip_snat_for_lb", NULL, + flags_str); /* Connection tracking state. */ expr_symtab_add_field_scoped(symtab, "ct_mark", MFF_CT_MARK, NULL, false, diff --git a/northd/lrouter.dl b/northd/lrouter.dl index 36cedd2dc..312ceb9fc 100644 --- a/northd/lrouter.dl +++ b/northd/lrouter.dl @@ -355,8 +355,18 @@ function lb_force_snat_router_ip(lr_options: Map): bool { lr_options.contains_key("chassis") } -function force_snat_for_lb(lr: nb::Logical_Router): bool { - not get_force_snat_ip(lr, "lb").is_empty() or lb_force_snat_router_ip(lr.options) +typedef LBForceSNAT = NoForceSNAT + | ForceSNAT + | SkipSNAT + +function snat_for_lb(lr: nb::Logical_Router, lb: Ref): LBForceSNAT { + if (lb.options.get_bool_def("skip_snat", false)) { + return SkipSNAT + }; + if (not get_force_snat_ip(lr, "lb").is_empty() or lb_force_snat_router_ip(lr.options)) { + return ForceSNAT + }; + return NoForceSNAT } /* For each router, collect the set of IPv4 and IPv6 addresses used for SNAT, diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index a62f5c057..8197aa513 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2754,7 +2754,11 @@ icmp6 { (and optional port numbers) to load balance to. If the router is configured to force SNAT any load-balanced packets, the above action will be replaced by flags.force_snat_for_lb = 1; - ct_lb(args);. If health check is enabled, then + ct_lb(args);. + If the load balancing rule is configured with skip_snat + set to true, the above action will be replaced by + flags.skip_snat_for_lb = 1; ct_lb(args);. + If health check is enabled, then args will only contain those endpoints whose service monitor status entry in OVN_Southbound db is either online or empty. @@ -2771,6 +2775,9 @@ icmp6 { with an action of ct_dnat;. If the router is configured to force SNAT any load-balanced packets, the above action will be replaced by flags.force_snat_for_lb = 1; ct_dnat;. + If the load balancing rule is configured with skip_snat + set to true, the above action will be replaced by + flags.skip_snat_for_lb = 1; ct_dnat;.
  • @@ -2785,6 +2792,9 @@ icmp6 { to force SNAT any load-balanced packets, the above action will be replaced by flags.force_snat_for_lb = 1; ct_lb(args);. + If the load balancing rule is configured with skip_snat + set to true, the above action will be replaced by + flags.skip_snat_for_lb = 1; ct_lb(args);.
  • @@ -2797,6 +2807,9 @@ icmp6 { If the router is configured to force SNAT any load-balanced packets, the above action will be replaced by flags.force_snat_for_lb = 1; ct_dnat;. + If the load balancing rule is configured with skip_snat + set to true, the above action will be replaced by + flags.skip_snat_for_lb = 1; ct_dnat;.
  • @@ -3829,6 +3842,15 @@ nd_ns {

    • +
  • +

    + If a load balancer configured to skip snat has been applied to + the Gateway router pipeline, a priority-120 flow matches + flags.skip_snat_for_lb == 1 && ip with an + action next;. +

    +
    • +

  • If the Gateway router in the OVN Northbound database has been diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 9839b8c4f..8de106c84 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -8573,10 +8573,16 @@ get_force_snat_ip(struct ovn_datapath *od, const char *key_type, return true; } +enum lb_snat_type { + NO_FORCE_SNAT, + FORCE_SNAT, + SKIP_SNAT, +}; + static void add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od, struct ds *match, struct ds *actions, int priority, - bool force_snat_for_lb, struct ovn_lb_vip *lb_vip, + enum lb_snat_type snat_type, struct ovn_lb_vip *lb_vip, const char *proto, struct nbrec_load_balancer *lb, struct shash *meter_groups, struct sset *nat_entries) { @@ -8585,9 +8591,10 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od, /* A match and actions for new connections. */ char *new_match = xasprintf("ct.new && %s", ds_cstr(match)); - if (force_snat_for_lb) { - char *new_actions = xasprintf("flags.force_snat_for_lb = 1; %s", - ds_cstr(actions)); + if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) { + char *new_actions = xasprintf("flags.%s_snat_for_lb = 1; %s", + snat_type == SKIP_SNAT ? "skip" : "force", + ds_cstr(actions)); ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority, new_match, new_actions, &lb->header_); free(new_actions); @@ -8598,11 +8605,12 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od, /* A match and actions for established connections. */ char *est_match = xasprintf("ct.est && %s", ds_cstr(match)); - if (force_snat_for_lb) { + if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) { + char *est_actions = xasprintf("flags.%s_snat_for_lb = 1; ct_dnat;", + snat_type == SKIP_SNAT ? "skip" : "force"); ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority, - est_match, - "flags.force_snat_for_lb = 1; ct_dnat;", - &lb->header_); + est_match, est_actions, &lb->header_); + free(est_actions); } else { ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, priority, est_match, "ct_dnat;", &lb->header_); @@ -8675,11 +8683,13 @@ add_router_lb_flow(struct hmap *lflows, struct ovn_datapath *od, ds_put_format(&undnat_match, ") && outport == %s && " "is_chassis_resident(%s)", od->l3dgw_port->json_key, od->l3redirect_port->json_key); - if (force_snat_for_lb) { + if (snat_type == FORCE_SNAT || snat_type == SKIP_SNAT) { + char *action = xasprintf("flags.%s_snat_for_lb = 1; ct_dnat;", + snat_type == SKIP_SNAT ? "skip" : "force"); ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 120, - ds_cstr(&undnat_match), - "flags.force_snat_for_lb = 1; ct_dnat;", + ds_cstr(&undnat_match), action, &lb->header_); + free(action); } else { ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 120, ds_cstr(&undnat_match), "ct_dnat;", @@ -8706,6 +8716,12 @@ build_lrouter_lb_flows(struct hmap *lflows, struct ovn_datapath *od, ovn_northd_lb_find(lbs, &nb_lb->header_.uuid); ovs_assert(lb); + bool lb_skip_snat = smap_get_bool(&nb_lb->options, "skip_snat", false); + if (lb_skip_snat) { + ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, + "flags.skip_snat_for_lb == 1 && ip", "next;"); + } + for (size_t j = 0; j < lb->n_vips; j++) { struct ovn_lb_vip *lb_vip = &lb->vips[j]; struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[j]; @@ -8767,11 +8783,16 @@ build_lrouter_lb_flows(struct hmap *lflows, struct ovn_datapath *od, ds_put_format(match, " && is_chassis_resident(%s)", od->l3redirect_port->json_key); } - bool force_snat_for_lb = - lb_force_snat_ip || od->lb_force_snat_router_ip; + + enum lb_snat_type snat_type = NO_FORCE_SNAT; + if (lb_skip_snat) { + snat_type = SKIP_SNAT; + } else if (lb_force_snat_ip || od->lb_force_snat_router_ip) { + snat_type = FORCE_SNAT; + } add_router_lb_flow(lflows, od, match, actions, prio, - force_snat_for_lb, lb_vip, proto, - nb_lb, meter_groups, nat_entries); + snat_type, lb_vip, proto, nb_lb, + meter_groups, nat_entries); } } sset_destroy(&all_ips); diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 0063021e1..4c02e2d5a 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -5367,6 +5367,16 @@ for (&Router(.lr = lr)) { .external_ids = map_empty()) } +Flow(.logical_datapath = lr, + .stage = s_ROUTER_OUT_SNAT(), + .priority = 120, + .__match = "flags.skip_snat_for_lb == 1 && ip", + .actions = "next;", + .external_ids = stage_hint(lb._uuid)) :- + LogicalRouterLB(lr, lb), + lb.options.get_bool_def("skip_snat", false) + . + function lrouter_nat_is_stateless(nat: NAT): bool = { Some{"true"} == nat.nat.options.get("stateless") } @@ -6010,14 +6020,15 @@ for (RouterLBVIP( (Some{gwport}, true) -> " && is_chassis_resident(${redirect_port_name})", _ -> "" } in - var force_snat_for_lb = force_snat_for_lb(lr) in + var snat_for_lb = snat_for_lb(lr, lb) in { /* A match and actions for established connections. */ var est_match = "ct.est && " ++ __match in var actions = - match (force_snat_for_lb) { - true -> "flags.force_snat_for_lb = 1; ct_dnat;", - false -> "ct_dnat;" + match (snat_for_lb) { + SkipSNAT -> "flags.skip_snat_for_lb = 1; ct_dnat;", + ForceSNAT -> "flags.force_snat_for_lb = 1; ct_dnat;", + _ -> "ct_dnat;" } in Flow(.logical_datapath = lr._uuid, .stage = s_ROUTER_IN_DNAT(), @@ -6076,9 +6087,10 @@ for (RouterLBVIP( ") && outport == ${json_string_escape(gwport.name)} && " "is_chassis_resident(${redirect_port_name})" in var action = - match (force_snat_for_lb) { - true -> "flags.force_snat_for_lb = 1; ct_dnat;", - false -> "ct_dnat;" + match (snat_for_lb) { + SkipSNAT -> "flags.skip_snat_for_lb = 1; ct_dnat;", + ForceSNAT -> "flags.force_snat_for_lb = 1; ct_dnat;", + _ -> "ct_dnat;" } in Flow(.logical_datapath = lr._uuid, .stage = s_ROUTER_OUT_UNDNAT(), @@ -6113,7 +6125,11 @@ Flow(.logical_datapath = r.lr._uuid, _ -> "" }, var priority = if (lbvip.vip_port != 0) 120 else 110, - var force_snat = if (force_snat_for_lb(r.lr)) "flags.force_snat_for_lb = 1; " else "", + var force_snat = match (snat_for_lb(r.lr, lb)) { + SkipSNAT -> "flags.skip_snat_for_lb = 1; ", + ForceSNAT -> "flags.force_snat_for_lb = 1; ", + _ -> "" + }, var actions = build_lb_vip_actions(lbvip, s_ROUTER_OUT_SNAT(), force_snat). diff --git a/ovn-nb.xml b/ovn-nb.xml index b0a4adffe..408c98090 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -1653,6 +1653,12 @@ exactly one IPv4 and/or one IPv6 address on it, separated by a space character. + + + If the load balancing rule is configured with skip_snat + option, the force_snat_for_lb option configured for the router + pipeline will not be applied for this load balancer. + diff --git a/ovs b/ovs index ac85cdb38..ac09cbfcb 160000 --- a/ovs +++ b/ovs @@ -1 +1 @@ -Subproject commit ac85cdb38c1f33e7952bc4c0347d6c7873fb56a1 +Subproject commit ac09cbfcb70ac6f443f039d5934448bd80f74493 diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 96476497d..037ea98c5 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -2847,6 +2847,29 @@ AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl table=1 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;) ]) +check ovn-nbctl --wait=sb lb-add lb2 10.0.0.20:80 10.0.0.40:8080 +check ovn-nbctl --wait=sb set load_balancer lb2 options:skip_snat=true +check ovn-nbctl lr-lb-add lr0 lb2 +check ovn-nbctl --wait=sb lb-del lb1 +ovn-sbctl dump-flows lr0 > lr0flows + +AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl + table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;) + table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-public" && ip4.dst == 172.168.0.100), action=(ct_snat;) + table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw0" && ip4.dst == 10.0.0.1), action=(ct_snat;) + table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip4.dst == 20.0.0.1), action=(ct_snat;) + table=5 (lr_in_unsnat ), priority=110 , match=(inport == "lr0-sw1" && ip6.dst == bef0::1), action=(ct_snat;) +]) + +AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl + table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_dnat;) + table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);) +]) + +AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl + table=1 (lr_out_snat ), priority=120 , match=(flags.skip_snat_for_lb == 1 && ip), action=(next;) +]) + AT_CLEANUP ]) @@ -2950,4 +2973,4 @@ wait_row_count FDB 0 ovn-sbctl list FDB AT_CLEANUP -]) \ No newline at end of file +])