k8s_5.0: egress/ingress traffic is blocked by the firewall policy when dsnat is enabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R5.0 | Fix Released | Critical | Naveen N | |
| Trunk | Fix Released | Critical | Naveen N | |
Bug Description
orchestration: k8s
build: 5.0.0-
provisioning: contrail-ansible
setup:
master/controller: nodei21
node/minion: nodei22
With DSNAT enabled, unable to reach the public network as it is being dropped by the FWPolicy.
I tried with the 5.0.0-34 build also, though default rules exist to allow the traffic to/from the isolated namespace:
| Action | Services | Endpoint1 | Direction | Endpoint2 |
|---|---|---|---|---|
| pass | any:0-65535 | any | > | namespace=snattest- |
| pass | any:0-65535 | namespace=snattest | > | any |
Traffic flows only if I add an additional rule to allow any to any:
pass any:any:any any <> any
[root@nodei22 /]# flow -l
Flow table(size 80609280, entries 629760)
Entries: Created 4237 Added 3831 Deleted 646 Changed 244 Processed 4237 Used Overflow entries 0
(Created Flows/CPU: 365 88 272 149 164 132 118 142 113 74 135 131 122 118 128 132 71 304 157 127 114 79 107 80 69 169 133 93 99 84 90 78)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse)
Index Source:
-------
114740<=>165868 8.8.8.8:111 1 (0)
(Gen: 1, K(nh):5, Action:D(Unknown), Flags:, QOS:-1, S(nh):15, Stats:0/0,
SPort 51981, TTL 0, Sinfo 0.0.0.0)
165868<=>114740 10.47.255.250:111 1 (5)
(Gen: 1, K(nh):41, Action:D(FwPolicy), Flags:, QOS:-1, S(nh):41, Stats:1/98,
SPort 65225, TTL 0, Sinfo 6.0.0.0)
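An added example (not part of this report or of Contrail itself) that parses the `flow -l` records above and pairs each dropped flow with its reverse flow, so a one-sided `D(FwPolicy)` drop like the one reported here stands out when triaging. It assumes the trailing parenthesised number on a record line is the VRF index, and its only input is the two records quoted in this report, embedded as a constructed sample.

```python
import re

# Constructed sample: the two `flow -l` records quoted in this bug report (the
# forward flow towards 8.8.8.8 and its reverse), exactly as they appear above.
SAMPLE = """\
114740<=>165868 8.8.8.8:111 1 (0)
(Gen: 1, K(nh):5, Action:D(Unknown), Flags:, QOS:-1, S(nh):15, Stats:0/0,
SPort 51981, TTL 0, Sinfo 0.0.0.0)
165868<=>114740 10.47.255.250:111 1 (5)
(Gen: 1, K(nh):41, Action:D(FwPolicy), Flags:, QOS:-1, S(nh):41, Stats:1/98,
SPort 65225, TTL 0, Sinfo 6.0.0.0)
"""

# First line of a record: "<index><=><reverse index> <endpoint> <proto> (<vrf>)";
# the parenthesised value is assumed to be the VRF index.
RECORD_RE = re.compile(r"^(\d+)<=>(\d+)\s+(\S+)\s+(\d+)\s+\((\d+)\)")
# Action code and, for drops, the reason in parentheses, e.g. Action:D(FwPolicy).
ACTION_RE = re.compile(r"Action:([A-Za-z]+)(?:\(([^)]*)\))?")
STATS_RE = re.compile(r"Stats:(\d+)/(\d+)")


def parse_flows(text):
    """Parse vrouter `flow -l` output into {index: record}."""
    flows, cur = {}, None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            cur = {"index": int(m[1]), "reverse": int(m[2]), "endpoint": m[3],
                   "proto": int(m[4]), "vrf": int(m[5]), "action": None,
                   "reason": None, "packets": 0, "bytes": 0}
            flows[cur["index"]] = cur
        elif cur is not None:
            # Detail lines belong to the most recent record.
            a = ACTION_RE.search(line)
            if a:
                cur["action"], cur["reason"] = a[1], a[2]
            s = STATS_RE.search(line)
            if s:
                cur["packets"], cur["bytes"] = int(s[1]), int(s[2])
    return flows


def drop_report(flows):
    """List dropped flows as (index, endpoint, reason, reverse-flow reason),
    so a FwPolicy drop on either side of a flow pair is visible at a glance."""
    out = []
    for idx, f in sorted(flows.items()):
        if f["action"] == "D":
            rev = flows.get(f["reverse"], {})
            out.append((idx, f["endpoint"], f["reason"], rev.get("reason")))
    return out
```

Running `drop_report(parse_flows(SAMPLE))` on the quoted records shows the reverse flow from 10.47.255.250 dropped by FwPolicy while its forward flow has never passed a packet, which matches the symptom described above.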
contrail-version
Package Version Build-ID | Repo | RPM Name
-------
contrail-
tags: added: blocker
Review in progress for https://review.opencontrail.org/41656
Submitter: Naveen N (<email address hidden>)