New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2105444: ITP=local, host->svc case failure #1196
Bug 2105444: ITP=local, host->svc case failure #1196
Conversation
@tssurya: An error was encountered querying GitHub for users with public email (huirwang@redhat.com) for bug 2078691 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details. Full error message.
Post "http://ghproxy/graphql": dial tcp 172.30.229.2:80: connect: connection refused
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@tssurya: This pull request references Bugzilla bug 2078691, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@tssurya: This pull request references Bugzilla bug 2078691, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@tssurya: This pull request references Bugzilla bug 2105444, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Currently the default value for all interfaces is 0 while rp_filter for "all" is set to 1. rp_filter - INTEGER 0 - No source validation. 1 - Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. 2 - Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail. Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended. The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}. As per the definitions to avail other FIB table based routing we should set rp_filter for ovn-k8s-mp0 to 2 to support ITP=local feature. Security wise we are still ok since we are enabling this only on ovnk interface mp0 and not on any other interface. NOTE: Pkt from host goes into ovn via mp0 destined for clusterIP and it goes in via the new routing table 7 that was added. Return packet with srcIP=clusterIP comes out via mp0 and default routing table says all clusterIP traffic should go to br-ex and this is why reverse path filter check fails since onward packet went in via mp0. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com> (cherry picked from commit 944b5c2) Conflicts in 4.11: go-controller/pkg/util/ovs.go go-controller/pkg/util/ovs_unit_test.go because openshift@0d9e4aa is missing
@tssurya: This pull request references Bugzilla bug 2105444, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
@tssurya: This pull request references Bugzilla bug 2105444, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest-required |
/bugzilla refresh |
@tssurya: This pull request references Bugzilla bug 2105444, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-metal-ipi-ovn-dualstack |
/bugzilla refresh |
@tssurya: This pull request references Bugzilla bug 2105444, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-metal-ipi-ovn-dualstack |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: trozet, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-metal-ipi-ovn-dualstack |
@tssurya: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest-required |
/label qe-approved |
/label backport-risk-assessed |
/label cherry-pick-approved |
@tssurya: All pull requests linked via external trackers have merged: Bugzilla bug 2105444 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Cherry picked from 944b5c2 NOT CLEAN, conflict mentioned in commit message
works!