Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1903414: Do not use egressIP on reply packets #236

Merged
merged 1 commit into from Feb 5, 2021
Merged

Bug 1903414: Do not use egressIP on reply packets #236

merged 1 commit into from Feb 5, 2021

Conversation

juanluisvaladas
Copy link
Contributor

EgressIP namespaces should only force the egressIP when the pod is the
client. If the pod is the server we want to reply normally.

@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Jan 5, 2021
@openshift-ci-robot
Copy link
Contributor

@juanluisvaladas: This pull request references Bugzilla bug 1903414, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1903414: Do not use egressIP on reply packets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 5, 2021
@juanluisvaladas
Copy link
Contributor Author

/Hold
I need to test this properly

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 5, 2021
Do not use egressIP on reply packets
4b3847f 
EgressIP namespaces should only force the egressIP when the pod is the
client. If the pod is the server we want to reply normally.
@JacobTanenbaum
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2021
@juanluisvaladas
Copy link
Contributor Author

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 3, 2021
@abhat
Copy link
Contributor

abhat commented Feb 3, 2021

do we need an e2e to capture this bug?

abhat
abhat reviewed Feb 3, 2021
View reviewed changes
pkg/network/node/ovscontroller.go
@@ -203,6 +203,7 @@ func (oc *ovsController) SetupOVS(clusterNetworkCIDR []string, serviceNetworkCID
otx.AddFlow("table=100, priority=300,udp,udp_dst=%d,actions=drop", vxlanPort)
otx.AddFlow("table=100, priority=200,tcp,tcp_dst=53,nw_dst=%s,actions=output:2", oc.localIP)
otx.AddFlow("table=100, priority=200,udp,udp_dst=53,nw_dst=%s,actions=output:2", oc.localIP)
otx.AddFlow("table=100, priority=150,ct_state=+rpl,actions=goto_table:101")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need +trk too?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need +trk too?

no, if any other bit is set then trk logically has to be set, so ct_state=+rpl+trk would be the same as ct_state=+rpl

@abhat
Copy link
Contributor

abhat commented Feb 3, 2021

I am a bit unsure if this needs to get in to 4.7 so late in the cycle unless we have enough test coverage for egress IP as a feature. Alternatively, if we can get QE to validate that this doesn't break egress IP for openshift-sdn, we can get this in. But I would think at the very least we should have an e2e test to capture the bug itself.

@abhat
Copy link
Contributor

abhat commented Feb 3, 2021
edited

/bugzilla cc-qa

@huiran0826
Copy link

Verified this PR, see steps in https://bugzilla.redhat.com/show_bug.cgi?id=1903414#c30. Did EgressIP regression testing, no issue found. Test run. https://polarion.engineering.redhat.com/polarion/#/project/OSE/testrun?id=OS-20210204-0117&tab=records&result=passed

@huiran0826
Copy link

/lgtm

@abhat
Copy link
Contributor

abhat commented Feb 4, 2021

@danwinship can you PTAL as well?

danwinship
danwinship approved these changes Feb 4, 2021
View reviewed changes
pkg/network/node/ovscontroller.go
@@ -203,6 +203,7 @@ func (oc *ovsController) SetupOVS(clusterNetworkCIDR []string, serviceNetworkCID
otx.AddFlow("table=100, priority=300,udp,udp_dst=%d,actions=drop", vxlanPort)
otx.AddFlow("table=100, priority=200,tcp,tcp_dst=53,nw_dst=%s,actions=output:2", oc.localIP)
otx.AddFlow("table=100, priority=200,udp,udp_dst=53,nw_dst=%s,actions=output:2", oc.localIP)
otx.AddFlow("table=100, priority=150,ct_state=+rpl,actions=goto_table:101")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need +trk too?

no, if any other bit is set then trk logically has to be set, so ct_state=+rpl+trk would be the same as ct_state=+rpl

@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, huiran0826, JacobTanenbaum, juanluisvaladas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 4, 2021
@openshift-merge-robot openshift-merge-robot merged commit 6cc7a66 into openshift:master Feb 5, 2021
@openshift-ci-robot
Copy link
Contributor

@juanluisvaladas: All pull requests linked via external trackers have merged:

Bugzilla bug 1903414 has been moved to the MODIFIED state.

In response to this:

Bug 1903414: Do not use egressIP on reply packets

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stevekuznetsov
Copy link
Contributor

/bugzilla assign-qa

@openshift-ci-robot
Copy link
Contributor

@stevekuznetsov: Bugzilla bug 1903414 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

In response to this:

/bugzilla assign-qa

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stevekuznetsov
Copy link
Contributor

/bugzilla assign-qe

@juanluisvaladas
Copy link
Contributor Author

/cherry-pick release-4.6

@juanluisvaladas juanluisvaladas deleted the egress_ip_not_on_rpl branch February 9, 2021 09:17
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Feb 9, 2021
Merged
@openshift-cherrypick-robot
Copy link

@juanluisvaladas: new pull request created: #257

In response to this:

/cherry-pick release-4.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@danwinship danwinship mentioned this pull request Aug 10, 2021
Merged
astoycos added a commit to astoycos/sdn that referenced this pull request Aug 16, 2021
@astoycos
Fix 4.7 SDN Egress Network Policy
26fb61e 
Previoulsy [we added a flow](openshift#236) to send reply traffic
to table 101(the ENP table) but in reality ENP
should never match on repy traffic so instead
just send it out.

Signed-off-by: astoycos <astoycos@redhat.com>
@astoycos astoycos mentioned this pull request Aug 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhat abhat abhat left review comments

@danwinship danwinship danwinship approved these changes

@alexanderConstantinescu alexanderConstantinescu Awaiting requested review from alexanderConstantinescu

@squeed squeed Awaiting requested review from squeed

Assignees

@JacobTanenbaum JacobTanenbaum

@huiran0826 huiran0826

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@juanluisvaladas @openshift-ci-robot @JacobTanenbaum @abhat @huiran0826 @stevekuznetsov @openshift-cherrypick-robot @danwinship @openshift-merge-robot