Message ID | 20241126110817.583224-1-amusil@redhat.com |
---|---|
State | Changes Requested |
Series | [ovs-dev] northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set. |

Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | fail | github build: failed |
On 11/26/24 12:08 PM, Ales Musil wrote: > In case of LB having client as VIP and lb_force_snat_ip being set > to specific IP we would SNAT the reply traffic for the load balancer. > That was caused by premature unDNAT due to the client IP being > LB VIP with combination of match for SNAT that was checking only > the flag "force_snat_for_lb == 1". > > Add match to ensure that the reply traffic is not being sent to SNAT. > > Reported-at: https://issues.redhat.com/browse/FDP-1009 > Signed-off-by: Ales Musil <amusil@redhat.com> > --- Hi Ales, > northd/northd.c | 5 +- > tests/ovn-northd.at | 268 ++++++++++++++++++++++---------------------- > tests/system-ovn.at | 4 +- > 3 files changed, 140 insertions(+), 137 deletions(-) > > diff --git a/northd/northd.c b/northd/northd.c > index 2aa6c0958..9938c683e 100644 > --- a/northd/northd.c > +++ b/northd/northd.c > @@ -16601,7 +16601,7 @@ build_lrouter_nat_defrag_and_lb( > if (lr_stateful_rec->has_lb_vip) { > ds_clear(match); > > - ds_put_cstr(match, "ct.rel && !ct.est && !ct.new"); > + ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl"); I think like this we won't unNAT related packets in the reply direction (e.g., ICMP port unreachable). Would it be possible to add a test that covers that case too? Thanks, Dumitru > size_t match_len = match->length; > > ds_put_cstr(match, " && ct_mark.skip_snat == 1"); > @@ -16626,7 +16626,8 @@ build_lrouter_nat_defrag_and_lb( > */ > ds_clear(match); > > - ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted"); > + ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && " > + "ct_mark.natted"); > match_len = match->length; > > ds_put_cstr(match, " && ct_mark.skip_snat == 1"); > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > index e3b7b0cb5..be92a23af 100644 > --- a/tests/ovn-northd.at > +++ b/tests/ovn-northd.at 
> @@ -4292,12 +4292,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , 
match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) 
> > > @@ -4323,12 +4323,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), 
action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -4374,12 +4374,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), 
action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -4439,12 +4439,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), 
action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl > @@ -4489,8 +4489,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | ovn_strip_lflows], [0], [dnl > > AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; skip_snat);) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl 
> @@ -5902,12 +5902,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -5972,12 +5972,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6046,12 +6046,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && 
!ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6109,12 +6109,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6175,12 +6175,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && 
ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6253,12 +6253,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && 
ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6315,12 +6315,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && 
ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
> @@ -6372,12 +6372,12 @@ check ovn-nbctl --wait=sb sync > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb 
= 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > # LB with reject and skip_snat 
> @@ -6386,12 +6386,12 @@ check ovn-nbctl --wait=sb set load_balancer lb5 options:skip_snat=true > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && 
!ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat 
> @@ -6402,12 +6402,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && 
!ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > # LB with event=false and reject=false 
> @@ -6419,12 +6419,12 @@ check ovn-nbctl --wait=sb lr-lb-add lr0 lb6 > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), 
priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > # LB with event=false, reject=false and skip_snat 
> @@ -6433,12 +6433,12 @@ check ovn-nbctl --wait=sb set load_balancer lb6 options:skip_snat=true > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb = 1; drop;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > check ovn-nbctl remove load_balancer lb6 options skip_snat 
> @@ -6449,12 +6449,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.force_snat_for_lb = 1; drop;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AT_CLEANUP 
> @@ -9438,12 +9438,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), 
priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0], [dnl > table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) 
> @@ -9462,12 +9462,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && 
!ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > check ovn-nbctl remove load_balancer lb0 options skip_snat 
> @@ -9483,12 +9483,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new 
&& !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true]) 
> @@ -9503,12 +9503,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_skip_snat | ovn_strip_lflows], [0], [ > table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && 
!ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1 lb_force_snat_ip="172.16.0.1"]) 
> @@ -9530,12 +9530,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_2lbs | ovn_strip_lflows], [0], [dnl > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && 
!ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > ]) > > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > index 145399ded..aef732233 100644 > --- a/tests/system-ovn.at > +++ b/tests/system-ovn.at > @@ -3068,8 +3068,10 @@ ovn-nbctl lsp-add bob bob16 \ > -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4" > > # Config OVN load-balancer with a VIP. > +# In addition add client VIP to force premature unDNAT. > uuid=`ovn-nbctl create load_balancer vips:30.0.0.1="192.168.1.2,192.168.2.2" \ > -vips:\"fd30::1\"=\"fd11::2,fd12::2\"` > +vips:172.16.1.3="192.168.1.2,192.168.2.2" vips:\"fd30::1\"=\"fd11::2,fd12::2\" \ > +vips:\"fd72::3\"=\"fd11::2,fd12::2\"` > ovn-nbctl set logical_router R2 load_balancer=$uuid > ovn-nbctl set logical_router R3 load_balancer=$uuid >
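Review bot: In the tests/ovn-northd.at expectations, `!ct.rpl` is added to all six priority-50 and priority-70 lr_in_dnat flows, including the `ct.rel` ones and the `ct_mark.skip_snat == 1` ones, while the commit message only describes the lb_force_snat_ip case. With these expectations a related packet in the reply direction (`ct.rel && ct.rpl`) no longer matches any lr_in_dnat flow whose action is `ct_commit_nat;` and falls through to `priority=0, match=(1), action=(next;)`. Please say in the commit message (or in a comment next to the match strings in northd.c) why narrowing the `ct.rel` and skip_snat flows is intended, and add an expectation or system test that shows where reply-direction related traffic, such as ICMP errors, is still un-NATed.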
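Review bot: The comment added in the tests/system-ovn.at hunk, "In addition add client VIP to force premature unDNAT.", does not say which client the new VIPs 172.16.1.3 and fd72::3 belong to, so the reader cannot tell from the test why these two addresses trigger the bug. The hunk also changes only the load balancer configuration, so the regression is caught only if a check elsewhere in the test asserts that the reply is not SNATed to the lb_force_snat_ip address. Suggest naming the client port in the comment and either adding such an assertion here or pointing to the existing check that would fail without the northd.c change.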
On Wed, Dec 11, 2024 at 3:54 PM Dumitru Ceara <dceara@redhat.com> wrote: > On 11/26/24 12:08 PM, Ales Musil wrote: > > In case of LB having client as VIP and lb_force_snat_ip being set > > to specific IP we would SNAT the reply traffic for the load balancer. > > That was caused by premature unDNAT due to the client IP being > > LB VIP with combination of match for SNAT that was checking only > > the flag "force_snat_for_lb == 1". > > > > Add match to ensure that the reply traffic is not being sent to SNAT. > > > > Reported-at: https://issues.redhat.com/browse/FDP-1009 > > Signed-off-by: Ales Musil <amusil@redhat.com> > > --- > > Hi Ales, > Hi Dumitru, thank you for the review. > > > northd/northd.c | 5 +- > > tests/ovn-northd.at | 268 ++++++++++++++++++++++---------------------- > > tests/system-ovn.at | 4 +- > > 3 files changed, 140 insertions(+), 137 deletions(-) > > > > diff --git a/northd/northd.c b/northd/northd.c > > index 2aa6c0958..9938c683e 100644 > > --- a/northd/northd.c > > +++ b/northd/northd.c > > @@ -16601,7 +16601,7 @@ build_lrouter_nat_defrag_and_lb( > > if (lr_stateful_rec->has_lb_vip) { > > ds_clear(match); > > > > - ds_put_cstr(match, "ct.rel && !ct.est && !ct.new"); > > + ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl"); > > I think like this we won't unNAT related packets in the reply direction > (e.g., ICMP port unreachable). > > Would it be possible to add a test that covers that case too? > After walking through the pipeline once again with the updated test we should be actually fine because the reply direction doesn't hit those flows at all. Those are covered by unDNAT stage. As agreed offline I'll send v2 series that will contain updated system test that covers the reply direction and this patch on top of that. > Thanks, > Dumitru > > > size_t match_len = match->length; > > > > ds_put_cstr(match, " && ct_mark.skip_snat == 1"); 
> > @@ -16626,7 +16626,8 @@ build_lrouter_nat_defrag_and_lb( > > */ > > ds_clear(match); > > > > - ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && > ct_mark.natted"); > > + ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && " > > + "ct_mark.natted"); > > match_len = match->length; > > > > ds_put_cstr(match, " && ct_mark.skip_snat == 1"); > > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > > index e3b7b0cb5..be92a23af 100644 > > --- a/tests/ovn-northd.at > > +++ b/tests/ovn-northd.at 
> > @@ -4292,12 +4292,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), > action=(ct_lb_mark(backends=10.0.0.40:8080);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > 
action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) 
> > > > > > @@ -4323,12 +4323,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; > force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; > force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > 
!ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
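Review bot: With !ct.rpl added to the priority-50 and both priority-70 ct.rel matches in this expected lr_in_dnat table, a related packet travelling in the reply direction is left with only the priority-0 match=(1) flow, so it goes to next without ct_commit_nat. The expectation checks flow text only, so nothing in this hunk exercises that change in behaviour. If the fix only needs the ct.est flows, drop !ct.rpl from the ct.rel ones; otherwise add a traffic test that returns an ICMP error for a load-balanced connection and checks that it is still translated.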
> > @@ -4374,12 +4374,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; > force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; > force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && 
!ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
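Review bot: The six replaced expectation lines in this hunk are identical to the six replaced in the @@ -4323 hunk, and the same block recurs in each lr_in_dnat check. Consider defining these common conntrack flows once as an m4 macro in tests/ovn-northd.at and expanding it in each AT_CHECK, so that the next change to these matches is a single edit instead of the same replacement repeated per test.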
> > @@ -4439,12 +4439,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; > force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; > force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && 
!ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl > > @@ -4489,8 +4489,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | > ovn_strip_lflows], [0], [dnl > > > > AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), > action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; > skip_snat);) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | > ovn_strip_lflows], [0], [dnl 
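Review bot: The priority-70 ct.est flow that sets flags.skip_snat_for_lb now also requires !ct.rpl, so reply-direction packets of a skip_snat connection no longer get that flag set in lr_in_dnat, while the commit message describes only the lb_force_snat_ip case. Please state in the commit message whether the skip_snat change is intended, and cover it with a test that shows how reply traffic for a skip_snat load balancer is handled after this change, since the check here only compares the generated flow text.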
> > @@ -5902,12 +5902,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && > is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:82,10.0.0.60:82);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:6062,10.0.0.60:6062);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && 
!ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -5972,12 +5972,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && > is_chassis_resident("cr-lr0-public")), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:82,10.0.0.60:82);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && > is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends= > 10.0.0.50:6062,10.0.0.60:6062);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && 
!ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6046,12 +6046,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(ct_lb_mark(backends=10.0.0.4:8080);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), > action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), > action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + 
table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6109,12 +6109,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; > force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82, > 10.0.0.60:82; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062, > 10.0.0.60:6062; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel 
&& !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6175,12 +6175,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82, > 10.0.0.60:82; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82, > 10.0.0.60:82; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062, > 10.0.0.60:6062; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , 
match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6253,12 +6253,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82, > 10.0.0.60:82; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062, > 10.0.0.60:6062; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000), > action=(flags.force_snat_for_lb = 1; > ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , 
match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6315,12 +6315,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062, > 10.0.0.60:6062; force_snat);) > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062, > 10.0.0.60:6062; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), 
priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], > [0], [dnl 
> > @@ -6372,12 +6372,12 @@ check ovn-nbctl --wait=sb sync > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject { > outport <-> inport; next(pipeline=egress,table=??);};) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new 
&& !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > # LB with reject and skip_snat 
> > @@ -6386,12 +6386,12 @@ check ovn-nbctl --wait=sb set load_balancer lb5 > options:skip_snat=true > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb > = 1; reg0 = 0; reject { outport <-> inport; > next(pipeline=egress,table=??);};) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + 
table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat 
> > @@ -6402,12 +6402,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 > options:lb_force_snat_ip="route > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.10), > action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; > next(pipeline=egress,table=??);};) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; 
next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > # LB with event=false and reject=false 
> > @@ -6419,12 +6419,12 @@ check ovn-nbctl --wait=sb lr-lb-add lr0 lb6 > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > 
action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > # LB with event=false, reject=false and skip_snat 
> > @@ -6433,12 +6433,12 @@ check ovn-nbctl --wait=sb set load_balancer lb6 > options:skip_snat=true > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb > = 1; drop;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && 
!ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > check ovn-nbctl remove load_balancer lb6 options skip_snat 
> > @@ -6449,12 +6449,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 > options:lb_force_snat_ip="route > > AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=0 , match=(1), > action=(next;) > > table=??(lr_in_dnat ), priority=110 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.168.10.30), > action=(flags.force_snat_for_lb = 1; drop;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > 
!ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AT_CLEANUP 
> > @@ -9438,12 +9438,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), > action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), 
action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0], > [dnl > > table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), > action=(next;) 
> > @@ -9462,12 +9462,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), > action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80, > 20.0.0.2:80; skip_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.2:80; skip_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; > ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + 
table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > check ovn-nbctl remove load_balancer lb0 options skip_snat 
> > @@ -9483,12 +9483,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_snat > | ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), > action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80, > 20.0.0.2:80; force_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.2:80; force_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; > ct_lb_mark(backends=20.0.0.2:80; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + 
table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true]) 
> > @@ -9503,12 +9503,12 @@ AT_CHECK([grep "lr_in_dnat " > R1flows_force_skip_snat | ovn_strip_lflows], [0], [ > > table=??(lr_in_dnat ), priority=120 , match=(ct.new && > !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), > action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80, > 20.0.0.2:80; skip_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.2:80; skip_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; > ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) > > + 
table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1 > lb_force_snat_ip="172.16.0.1"]) 
> > @@ -9530,12 +9530,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_2lbs | > ovn_strip_lflows], [0], [dnl > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; > ct_lb_mark(backends=20.0.0.2:80; skip_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; > ct_lb_mark(backends=10.0.0.2:80; force_snat);) > > table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 > && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] == > 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; > ct_lb_mark(backends=20.0.0.2:80; force_snat);) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted), action=(next;) > > - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new), action=(ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) > > + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl), 
action=(ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == > 1), action=(flags.force_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.est && > !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; next;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), > action=(flags.force_snat_for_lb = 1; ct_commit_nat;) > > + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && > !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), > action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) > > ]) > > > > > > diff --git a/tests/system-ovn.at b/tests/system-ovn.at > > index 145399ded..aef732233 100644 > > --- a/tests/system-ovn.at > > +++ b/tests/system-ovn.at > > @@ -3068,8 +3068,10 @@ ovn-nbctl lsp-add bob bob16 \ > > -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4" > > > > # Config OVN load-balancer with a VIP. > > +# In addition add client VIP to force premature unDNAT. > > uuid=`ovn-nbctl create load_balancer > vips:30.0.0.1="192.168.1.2,192.168.2.2" \ > > -vips:\"fd30::1\"=\"fd11::2,fd12::2\"` > > +vips:172.16.1.3="192.168.1.2,192.168.2.2" > vips:\"fd30::1\"=\"fd11::2,fd12::2\" \ > > +vips:\"fd72::3\"=\"fd11::2,fd12::2\"` > > ovn-nbctl set logical_router R2 load_balancer=$uuid > > ovn-nbctl set logical_router R3 load_balancer=$uuid > > > > Thanks, Ales
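Review bot: The tests/system-ovn.at hunk adds no assertion for the behaviour being fixed. It only appends the client VIPs `vips:172.16.1.3="192.168.1.2,192.168.2.2"` and `vips:\"fd72::3\"=\"fd11::2,fd12::2\"` to the existing `ovn-nbctl create load_balancer` command, so a regression is caught only if traffic checks elsewhere in that test happen to fail. Consider adding an explicit check that reply traffic is not SNATed to the lb_force_snat_ip, and extending the new comment to name the client that owns 172.16.1.3 and fd72::3, since the visible context only shows bob16 at fd72::4. Because the VIPs are added to the load balancer already attached to R2 and R3, the configuration without a client VIP is no longer exercised by this test; a separate load balancer or test case would keep both.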
diff --git a/northd/northd.c b/northd/northd.c index 2aa6c0958..9938c683e 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -16601,7 +16601,7 @@ build_lrouter_nat_defrag_and_lb( if (lr_stateful_rec->has_lb_vip) { ds_clear(match); - ds_put_cstr(match, "ct.rel && !ct.est && !ct.new"); + ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl"); size_t match_len = match->length; ds_put_cstr(match, " && ct_mark.skip_snat == 1"); @@ -16626,7 +16626,8 @@ build_lrouter_nat_defrag_and_lb( */ ds_clear(match); - ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted"); + ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && " + "ct_mark.natted"); match_len = match->length; ds_put_cstr(match, " && ct_mark.skip_snat == 1"); diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index e3b7b0cb5..be92a23af 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -4292,12 +4292,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new 
&& !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) 
@@ -4323,12 +4323,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; 
next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -4374,12 +4374,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; 
next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -4439,12 +4439,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; 
next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl @@ -4489,8 +4489,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | ovn_strip_lflows], [0], [dnl AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; skip_snat);) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl 
@@ -5902,12 +5902,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 
1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
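Review bot: The six lr_in_dnat matches replaced in this hunk are user-visible logical flows, but the diffstat for this patch lists only northd/northd.c, tests/ovn-northd.at and tests/system-ovn.at. If northd/ovn-northd.8.xml describes the "ct.est && !ct.rel && !ct.new && ct_mark.natted" and "ct.rel && !ct.est && !ct.new" flows of the router DNAT stage, it should gain the same "!ct.rpl" in this patch, along with a sentence on why reply-direction packets are excluded.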
@@ -5972,12 +5972,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 
1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -6046,12 +6046,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && 
ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -6109,12 +6109,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb 
= 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -6175,12 +6175,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -6253,12 +6253,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), 
action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
@@ -6315,12 +6315,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 
1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl 
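Review bot: In the expected table of this hunk, the priority-50 ct.rel flow and both priority-70 ct.rel flows now carry "!ct.rpl", so a related packet in the reply direction matches nothing above the priority-0 "match=(1), action=(next;)" flow and leaves lr_in_dnat without ct_commit_nat. Is "!ct.rpl" needed on the ct.rel matches at all, or only on the ct.est ones? If it is needed on both, please add a case that sends a related packet in the reply direction (an ICMP error, for example) so the intended handling is covered by a test and not only by this flow dump.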
@@ -6372,12 +6372,12 @@ check ovn-nbctl --wait=sb sync AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + 
table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) # LB with reject and skip_snat 
@@ -6386,12 +6386,12 @@ check ovn-nbctl --wait=sb set load_balancer lb5 options:skip_snat=true AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat 
== 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat 
@@ -6402,12 +6402,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && 
ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) # LB with event=false and reject=false 
@@ -6419,12 +6419,12 @@ check ovn-nbctl --wait=sb lr-lb-add lr0 lb6 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && 
!ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) # LB with event=false, reject=false and skip_snat 
@@ -6433,12 +6433,12 @@ check ovn-nbctl --wait=sb set load_balancer lb6 options:skip_snat=true AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb = 1; drop;) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + 
table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) check ovn-nbctl remove load_balancer lb6 options skip_snat 
@@ -6449,12 +6449,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=0 , match=(1), action=(next;) table=??(lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.force_snat_for_lb = 1; drop;) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; 
ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CLEANUP 
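Review bot: The six replaced lines in this hunk are the same six priority-50 and priority-70 lines replaced in each of the preceding lb5 and lb6 hunks of this test, and only the priority-110 line differs between the checks. Consider putting the common ct.est/ct.rel block into one m4 definition that every AT_CHECK in the test expands, so a later change to these matches touches one place and the per-case difference (reject, drop, skip_snat, force_snat) stays easy to see.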
@@ -9438,12 +9438,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && 
!ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) 
@@ -9462,12 +9462,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && 
ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) check ovn-nbctl remove load_balancer lb0 options skip_snat 
@@ -9483,12 +9483,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && 
ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true]) 
@@ -9503,12 +9503,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_skip_snat | ovn_strip_lflows], [0], [ table=??(lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && 
ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1 lb_force_snat_ip="172.16.0.1"]) 
@@ -9530,12 +9530,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_2lbs | ovn_strip_lflows], [0], [dnl table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);) table=??(lr_in_dnat ), priority=150 , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);) - table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;) - table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) - table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=50 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;) + table=??(lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && 
!ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;) + table=??(lr_in_dnat ), priority=70 , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;) ]) diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 145399ded..aef732233 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -3068,8 +3068,10 @@ ovn-nbctl lsp-add bob bob16 \ -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4" # Config OVN load-balancer with a VIP. +# In addition add client VIP to force premature unDNAT. uuid=`ovn-nbctl create load_balancer vips:30.0.0.1="192.168.1.2,192.168.2.2" \ -vips:\"fd30::1\"=\"fd11::2,fd12::2\"` +vips:172.16.1.3="192.168.1.2,192.168.2.2" vips:\"fd30::1\"=\"fd11::2,fd12::2\" \ +vips:\"fd72::3\"=\"fd11::2,fd12::2\"` ovn-nbctl set logical_router R2 load_balancer=$uuid ovn-nbctl set logical_router R3 load_balancer=$uuid
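Review bot: None of the updated lr_in_dnat expectation blocks in tests/ovn-northd.at contains a flow matching "ct.rel && ct.rpl", so these outputs now pin down that related packets in the reply direction (ICMP errors, for example) no longer hit "ct_commit_nat;" in this table. Every "ct.rel" line gained "!ct.rpl", including the priority=50 one, "match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)". If that is intended, state it in the commit message and add a case that exercises a related packet in the reply direction. If it is not, consider limiting "!ct.rpl" to the "ct.est" matches and leaving the "ct.rel" ones as they were.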
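Review bot: Nothing in the tests/system-ovn.at hunk asserts the fixed behaviour. It only changes the load balancer configuration by adding vips:172.16.1.3 and vips:"fd72::3", so the regression is covered only if the traffic checks already present in this test fail without the northd change. Consider adding an explicit check on the source address of the reply as the client sees it, so the test fails for the right reason. Also consider extending the comment "# In addition add client VIP to force premature unDNAT." to name the client port that owns 172.16.1.3 and fd72::3, since the hunk does not show where those addresses are assigned.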
In case of LB having client as VIP and lb_force_snat_ip being set
to specific IP we would SNAT the reply traffic for the load balancer.
That was caused by premature unDNAT due to the client IP being
LB VIP with combination of match for SNAT that was checking only
the flag "force_snat_for_lb == 1".

Add match to ensure that the reply traffic is not being sent to SNAT.

Reported-at: https://issues.redhat.com/browse/FDP-1009
Signed-off-by: Ales Musil <amusil@redhat.com>
---
 northd/northd.c     |   5 +-
 tests/ovn-northd.at | 268 ++++++++++++++++++++++----------------------
 tests/system-ovn.at |   4 +-
 3 files changed, 140 insertions(+), 137 deletions(-)