Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-13885: [release-4.12] Drop packets that were not properly SNATed #1679

Merged
merged 4 commits into from Jul 11, 2023
Merged

OCPBUGS-13885: [release-4.12] Drop packets that were not properly SNATed #1679

merged 4 commits into from Jul 11, 2023

Conversation

kyrtapz
Copy link
Contributor

@kyrtapz kyrtapz commented May 22, 2023

Manual backport of #1662 and ovn-org/ovn-kubernetes#3349.
There were conflicts in all but the second commit due to the general differences between 4.12 and 4.13 releases.

@kyrtapz
Rename MatchIPNetFamily to MatchFirstIPNetFamily
879314a 
Signed-off-by: Patryk Diak <pdiak@redhat.com>
(cherry picked from commit 7c856ae)
@kyrtapz
Refactor handleEgressReroutePolicy into separate functions
20ba617 
This commit doesn't bring any logical changes.
It tries to improve readability and enable future changes.

Signed-off-by: Patryk Diak <pdiak@redhat.com>
(cherry picked from commit 9604a9c)
@kyrtapz
Commit egress IP pod config as one libovsdb transaction
8dd42a0 
Commit egress IP pod assignment as one transaction with the following ops:
 1. Add SNAT towards egress IP on egress gw router
 2. Add a router policy to forward pod traffic to the egress node
 3. Delete SNAT towards nodeIP(only if the egress node is the same as the pod host)

Commit egress IP pod removal as one transaction with the following ops:
 1. Add SNAT towards nodeIP(only if the egress node is the same as the pod host)
 2. Remove router policy that forwards pod traffic to the egress node
 3. Remove SNAT towards egress IP from the egress node

Signed-off-by: Patryk Diak <pdiak@redhat.com>
(cherry picked from commit ead05f8)
@kyrtapz
Drop packets coming from pods headed externally that were not properl…
45838ae 
…y SNATed

Egress IP is often configured on a node different from the one hosting the affected pod.
Due to the fact that ovn-controllers on different nodes apply the changes independently,
there is a chance that the pod traffic will reach the egress node before it configures the SNAT flows.
Drop pod traffic that is not SNATed, excluding local pods(required for ICNI)

Signed-off-by: Patryk Diak <pdiak@redhat.com>
(cherry picked from commit 39b55de)
(cherry picked from commit 3fd2a22)
@kyrtapz
Copy link
Contributor Author

kyrtapz commented May 22, 2023

/jira cherrypick OCPBUGS-12864

@openshift-ci-robot
Copy link
Contributor

@kyrtapz: Jira Issue OCPBUGS-12864 has been cloned as Jira Issue OCPBUGS-13885. Will retitle bug to link to clone.
/retitle OCPBUGS-13885: [release-4.12] Drop packets that were not properly SNATed

In response to this:

/jira cherrypick OCPBUGS-12864

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot changed the title [release-4.12] Drop packets that were not properly SNATed OCPBUGS-13885: [release-4.12] Drop packets that were not properly SNATed May 22, 2023
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 22, 2023
@openshift-ci-robot
Copy link
Contributor

@kyrtapz: This pull request references Jira Issue OCPBUGS-13885, which is invalid:

  • expected dependent Jira Issue OCPBUGS-12864 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Manual backport of #1662 and ovn-org/ovn-kubernetes#3349.
There were conflicts in all but the second commit due to the general differences between 4.12 and 4.13 releases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kyrtapz
Copy link
Contributor Author

kyrtapz commented May 29, 2023

/retest-required

@jechen0648
Copy link

/ocpbugs cc-qa

@jechen0648
Copy link

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label May 31, 2023
@kyrtapz
Copy link
Contributor Author

kyrtapz commented May 31, 2023

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 31, 2023
@openshift-ci-robot
Copy link
Contributor

@kyrtapz: This pull request references Jira Issue OCPBUGS-13885, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.z) matches configured target version for branch (4.12.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-12864 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE))
  • dependent Jira Issue OCPBUGS-12864 targets the "4.13.0" version, which is one of the valid target versions: 4.13.0, 4.13.z
  • bug has dependents

Requesting review from QA contact:
/cc @anuragthehatter

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kyrtapz
Copy link
Contributor Author

kyrtapz commented May 31, 2023

/retest-required

@martinkennelly
Copy link
Contributor

/assign @martinkennelly

@kyrtapz
Copy link
Contributor Author

kyrtapz commented Jun 13, 2023

@martinkennelly @trozet ptal

@jechen0648
Copy link

/retest

@jcaamano
Copy link
Contributor

jcaamano commented Jul 5, 2023

/lgtm
/approve
/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jul 5, 2023
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 5, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jcaamano, kyrtapz, martinkennelly

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 5, 2023
@asood-rh
Copy link

asood-rh commented Jul 5, 2023

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jul 5, 2023
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 3aa743c and 2 for PR HEAD 45838ae in total

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 3448f1c and 1 for PR HEAD 45838ae in total

@kyrtapz
Copy link
Contributor Author

kyrtapz commented Jul 7, 2023

/retest-required

@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 393bd8d and 0 for PR HEAD 45838ae in total

@openshift-ci-robot
Copy link
Contributor

/hold

Revision 45838ae was retested 3 times: holding

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2023
@kyrtapz
Copy link
Contributor Author

kyrtapz commented Jul 11, 2023

/retest-required

@kyrtapz
Copy link
Contributor Author

kyrtapz commented Jul 11, 2023

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 11, 2023
@openshift-ci-robot
Copy link
Contributor

/retest-required

Remaining retests: 0 against base HEAD 393bd8d and 2 for PR HEAD 45838ae in total

@jechen0648
Copy link

/test e2e-aws-ovn-upgrade-local-gateway

@jechen0648
Copy link

/test e2e-gcp-ovn

@jechen0648
Copy link

/test 4.12-upgrade-from-stable-4.11-e2e-aws-ovn-upgrade

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 11, 2023

@kyrtapz: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 58fff18 into openshift:release-4.12 Jul 11, 2023
26 checks passed
@openshift-ci-robot
Copy link
Contributor

@kyrtapz: Jira Issue OCPBUGS-13885: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-13885 has been moved to the MODIFIED state.

In response to this:

Manual backport of #1662 and ovn-org/ovn-kubernetes#3349.
There were conflicts in all but the second commit due to the general differences between 4.12 and 4.13 releases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinkennelly martinkennelly martinkennelly approved these changes

@abhat abhat Awaiting requested review from abhat

@JacobTanenbaum JacobTanenbaum Awaiting requested review from JacobTanenbaum

@anuragthehatter anuragthehatter Awaiting requested review from anuragthehatter

Assignees

@mffiedler mffiedler

@rbbratta rbbratta

@weliang1 weliang1

@martinkennelly martinkennelly

@anuragthehatter anuragthehatter

@huiran0826 huiran0826

@asood-rh asood-rh

@jechen0648 jechen0648

@yingwang-0320 yingwang-0320

@qiowang721 qiowang721

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet