[OVN]Unable to access port forwarding

Hello:

I'm deploying an environment to try to reproduce the issue.

One question: did you correctly set the needed security group rules to allow SSH access?

Regards.

hi Rodolfo, there is no problem with the security group, I switch the gateway chassis of the RouterA to hostB, VM-A can ssh 100.7.50.236:22 to VM-B.

Hello:

I can confirm the bug. I created two VMs, both in the same compute node (same OVN chassis). Then I've created the corresponding port forwarding for each fixed IP.

When I try to access from outside the chassis, using the FIP, I can connect to the VM via SSH.

But when I try from VM-A to VM-B, the traffic goes from the VM-A port to the br-int geneve port and then this traffic is sent outside the chassis.

BTW, connecting from VM-A to VM-B using fixed IP works (as expected).

I'll try to ping any OVN folk to share this problem.

Regards.

Bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1982601

This looks same as other bug https://bugs.launchpad.net/neutron/+bug/1957185, i have pushed a workaround as suggested in corresponding ovn bug[1] https://review.opendev.org/c/openstack/neutron/+/833620.

Noticed https://bugzilla.redhat.com/show_bug.cgi?id=1982601#c1 says a series of patches in ovn could solve the issue, but doesn't look those patches targetting the same issue. But would be good to confirm.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2043543

thanks yatai, you are right, your patch https://review.opendev.org/c/openstack/neutron/+/833620 can solve the issue. But there is a problem with another scenario.

NetA(geneve) 192.168.10.0/24
external NetB(flat) 100.7.50.0/24

VM-B ip is 192.168.10.20 on host HostA

RouterA gateway network is NetB, NetA is internal interface.

Apply for a floating ip 100.7.50.236, configure port forwarding 100.7.50.236:22 -> 192.168.10.20:22

we can in VM-B access VM-B self, through 100.7.50.236:22.

another scenario:

we add an ip 192.168.10.21(not bind vm) to VM-B, and configure port forwarding 100.7.50.237:22 -> 192.168.10.21:22
we can access 100.7.50.237:22 in external network, but can't in VM-B access self.

Thanks ZhouHeng for checking.

For the scenario that is not working for you, i am able to reproduce it and what i see it's happening as both nics are from same network and as default route is of first nic it tries to go out via first nic. I am not sure if something can be handled on neutron/ovn side.

One way it worked for me was using ssh -b 192.168.10.21 100.7.50.237 or curl --interface eth1 100.7.50.237:22, also changing default route to be with eth1 instead of eth0 also worked.