
[WIP] Configures ephemeral port range for OVN SNAT'ing #2584


Open: wants to merge 1 commit into base: master

Conversation

trozet (Contributor) commented May 22, 2025

There was a previous bug where when an egress packet would be SNAT'ed to the node IP, using a nodeport source port, it would cause reply traffic to get DNAT'ed to the nodeport load balancer. This happened because the egress connections were not conntracked correctly.

This was fixed via:

https://issues.redhat.com/browse/OCPBUGS-25889
https://issues.redhat.com/browse/FDP-291

However, that fix was not hardware offloadable. The ideal fix here would be to always commit to conntrack and have it be HW offloadable. Until we have a better solution, we can configure the port range for OVN to use on its SNAT. This applies to all SNATs for traffic that enters the local host or leaves the host.

The new config option --ephemeral-port-range "<minPort>-<maxPort>" can be used to specify the port range to use with OVN. If not provided, this value will be automatically derived from the ephemeral port range in /proc/sys/net/ipv4/ip_local_port_range, which is typically set already to avoid nodeport range conflicts.

📑 Description

Fixes #

Additional Information for reviewers

✅ Checks

  • My code requires changes to the documentation
  • if so, I have updated the documentation as required
  • My code requires tests
  • if so, I have added and/or updated the tests as required
  • All the tests have passed in the CI

How to verify it

Signed-off-by: Tim Rozet <[email protected]>
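The description above explains the mechanism (pick a SNAT source-port range that cannot collide with the NodePort range, either from the flag or from ip_local_port_range) but does not show the parsing or the collision check. The following is an added example written for this page, not code from the PR or from ovn-kubernetes: the function names (ParsePortRange, ParseLocalPortRange, ResolveSNATPortRange), the ip_local_port_range sample contents and the overlap check against the NodePort range are all this example's own assumptions. The PR text only says the kernel range is "typically" safe; the example makes that safety a hard check, and it reads the proc contents from a string so it runs offline.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PortRange is an inclusive TCP/UDP port interval.
type PortRange struct {
	Min, Max uint16
}

func (r PortRange) String() string { return fmt.Sprintf("%d-%d", r.Min, r.Max) }

// Overlaps reports whether two inclusive ranges share at least one port.
func (r PortRange) Overlaps(o PortRange) bool {
	return r.Min <= o.Max && o.Min <= r.Max
}

// parsePort accepts a decimal port in 1..65535.
func parsePort(s string) (uint16, error) {
	n, err := strconv.ParseUint(strings.TrimSpace(s), 10, 16)
	if err != nil {
		return 0, fmt.Errorf("port %q: %w", s, err)
	}
	if n == 0 {
		return 0, fmt.Errorf("port %q: must be between 1 and 65535", s)
	}
	return uint16(n), nil
}

// ParsePortRange parses the "<minPort>-<maxPort>" form the PR describes for
// --ephemeral-port-range. Both ends are inclusive and min must not exceed max.
func ParsePortRange(s string) (PortRange, error) {
	parts := strings.SplitN(strings.TrimSpace(s), "-", 2)
	if len(parts) != 2 {
		return PortRange{}, fmt.Errorf("port range %q: want <minPort>-<maxPort>", s)
	}
	lo, err := parsePort(parts[0])
	if err != nil {
		return PortRange{}, err
	}
	hi, err := parsePort(parts[1])
	if err != nil {
		return PortRange{}, err
	}
	if lo > hi {
		return PortRange{}, fmt.Errorf("port range %q: min exceeds max", s)
	}
	return PortRange{Min: lo, Max: hi}, nil
}

// ParseLocalPortRange parses the contents of /proc/sys/net/ipv4/ip_local_port_range,
// which the kernel exposes as two whitespace-separated integers, e.g. "32768\t60999\n".
func ParseLocalPortRange(contents string) (PortRange, error) {
	fields := strings.Fields(contents)
	if len(fields) != 2 {
		return PortRange{}, fmt.Errorf("ip_local_port_range: want two fields, got %q", contents)
	}
	return ParsePortRange(fields[0] + "-" + fields[1])
}

// ResolveSNATPortRange picks the source-port range OVN would use for SNAT:
// the explicit flag value when set, otherwise the kernel's local port range.
// It then rejects any overlap with the NodePort range, because a SNAT source
// port inside that range is exactly what let reply traffic be DNAT'ed to the
// nodeport load balancer. The overlap check is this example's own addition;
// the PR text does not state that the real flag handling performs it.
func ResolveSNATPortRange(flag, procContents string, nodePorts PortRange) (PortRange, error) {
	var (
		r   PortRange
		err error
	)
	if flag != "" {
		r, err = ParsePortRange(flag)
	} else {
		r, err = ParseLocalPortRange(procContents)
	}
	if err != nil {
		return PortRange{}, err
	}
	if r.Overlaps(nodePorts) {
		return PortRange{}, fmt.Errorf("SNAT port range %s overlaps NodePort range %s", r, nodePorts)
	}
	return r, nil
}

func main() {
	// Constructed sample input: the Linux default ip_local_port_range and the
	// Kubernetes default NodePort range (30000-32767).
	const procSample = "32768\t60999\n"
	nodePorts := PortRange{Min: 30000, Max: 32767}

	if r, err := ResolveSNATPortRange("", procSample, nodePorts); err == nil {
		fmt.Println("derived from ip_local_port_range:", r)
	}
	if _, err := ResolveSNATPortRange("30000-40000", procSample, nodePorts); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The overlap test is deliberately inclusive on both ends: a flag value of "32767-40000" would still be rejected against the default NodePort range, since even one shared port is enough to reproduce the misrouted reply the PR describes. On a real node you would read the proc file with os.ReadFile and pass its contents in; the NodePort range should come from the cluster configuration rather than the constant used here.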
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 22, 2025
@openshift-ci openshift-ci bot requested review from abhat and jcaamano May 22, 2025 13:07
openshift-ci bot (Contributor) commented May 22, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: trozet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 22, 2025
openshift-ci bot (Contributor) commented May 22, 2025

@trozet: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-ovn-hypershift-kubevirt | a35df63 | link | false | /test e2e-aws-ovn-hypershift-kubevirt |
| ci/prow/e2e-metal-ipi-ovn-dualstack | a35df63 | link | true | /test e2e-metal-ipi-ovn-dualstack |
| ci/prow/okd-scos-e2e-aws-ovn | a35df63 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-aws-ovn-hypershift-conformance-techpreview | a35df63 | link | false | /test e2e-aws-ovn-hypershift-conformance-techpreview |
| ci/prow/security | a35df63 | link | false | /test security |
| ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade | a35df63 | link | true | /test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade |
| ci/prow/4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-rt-upgrade | a35df63 | link | true | /test 4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-rt-upgrade |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
1 participant