
Linux drops packets redirected by OVS


Colleagues,

I can't get forwarding of (externally) redirected packets through a Linux host to work. This is the network model I'm experimenting with:

     +----+(enp2)   +----+   +----+
     | H2 +---------+ o- +---+ H3 | (192.0.2.153)
     +--+-+         | br |   +----+
        |(enp1)     +-+--+
        |             |
        |             |
        |             |
+-------+--------+  +-+--+
|   ovs i-br     +--+ R1 |
+-------+--------+  +----+
        |
        |
     +--+-+
     | H1 | (10.9.8.100)
     +----+

For traffic from H1 to H3, regular routing exists (through R1), but for some reasons I need to divert some kinds of traffic through H2, using OVS rules for this. After I added the rule:

ovs-ofctl add-flow i-br dl_type=0x0800,in_port=1,nw_proto=6,tp_dst=80,actions=output:4

I'm seeing incoming packets on enp1@H2:

15:21:51.596752 IP (tos 0x0, ttl 64, id 48926, offset 0, flags [DF], proto TCP (6), length 60)
    10.9.8.100.44444 > 192.0.2.153.http: Flags [S], cksum 0x5f93 (correct), seq 774826047, win 64860, options [mss 1410,sackOK,TS val 3466298181 ecr 0,nop,wscale 7], length 0

While forwarding on H2 is enabled (net.ipv4.ip_forward=1), rp_filter is switched off (net.ipv4.conf.(default|all).rp_filter=0), pings from H2 to both sides work, iptables FORWARD accepts everything, and routing is configured:

10.9.8.0/24 dev enp1s0 proto kernel scope link src 10.9.8.135
192.0.2.0/24 dev enp2s0 proto kernel scope link src 192.0.2.135

I don't see these packets on egress on enp2@H2.

Any ideas why this can happen and what to troubleshoot in order to find the cause?

Thank you.


Solution

  • Solved. It is required to rewrite the dst MAC address on OVS as well, so the rule must be:

    ovs-ofctl add-flow i-br dl_type=0x0800,in_port=1,nw_proto=6,tp_dst=80,actions=mod_dl_dst:xx:xx:xx:xx:xx:xx,output:4
    

    where xx:xx:xx:xx:xx:xx is H2's MAC address. This is because H1, when forming the Ethernet header of the outgoing packet, sets R1's MAC as the destination (according to H1's routing table). After being redirected on OVS, this packet arrives at H2, and H2 ignores it since it is destined to another host.
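As an added troubleshooting check (not part of the original thread): this Python snippet parses constructed `tcpdump -e -n` lines as they would be captured on H2's enp1, flags unicast frames whose destination MAC is not the interface's own (those are marked PACKET_OTHERHOST and discarded by the IP receive path before routing, which matches the symptom above), and emits the corrected flow rule from the answer. All MAC addresses are made-up placeholders.

```python
import re

# Constructed sample of `tcpdump -e -n -i enp1s0` output on H2 (not from the post).
# MACs are made up: H2's own enp1 MAC vs. R1's MAC that H1 put in the frame.
H2_MAC = "52:54:00:00:00:02"
R1_MAC = "52:54:00:00:00:0a"
SAMPLE_TCPDUMP = f"""\
15:21:51.596752 52:54:00:00:00:01 > {R1_MAC}, ethertype IPv4 (0x0800), length 74: 10.9.8.100.44444 > 192.0.2.153.80: Flags [S], seq 774826047, win 64860, length 0
15:21:52.100000 52:54:00:00:00:01 > {H2_MAC}, ethertype IPv4 (0x0800), length 98: 10.9.8.100 > 10.9.8.135: ICMP echo request, id 7, seq 1, length 64
15:21:53.200000 52:54:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.9.8.135 tell 10.9.8.100, length 28
"""

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\w+) \(0x[0-9a-f]{4}\), length \d+: (?P<payload>.*)$", re.I)


def is_for_us(dst_mac, local_mac):
    """A unicast frame is ours only if dst == our MAC; group addresses
    (broadcast/multicast, I/G bit set in the first octet) are always accepted."""
    first_octet = int(dst_mac.split(":")[0], 16)
    return dst_mac.lower() == local_mac.lower() or bool(first_octet & 0x01)


def frames_not_for_us(tcpdump_text, local_mac):
    """Return (dst_mac, payload) for unicast frames the kernel drops before routing.
    tcpdump sees them because the NIC is in promiscuous mode, but ip_rcv() discards
    skbs whose pkt_type is PACKET_OTHERHOST, so they never reach the FORWARD chain."""
    dropped = []
    for line in tcpdump_text.splitlines():
        m = FRAME_RE.match(line)
        if m and not is_for_us(m["dst"], local_mac):
            dropped.append((m["dst"].lower(), m["payload"]))
    return dropped


def build_redirect_flow(local_mac, bridge="i-br", in_port=1, out_port=4, tp_dst=80):
    """The corrected rule from the answer: rewrite dst MAC to H2's before output."""
    return (f"ovs-ofctl add-flow {bridge} dl_type=0x0800,in_port={in_port},"
            f"nw_proto=6,tp_dst={tp_dst},actions=mod_dl_dst:{local_mac},output:{out_port}")


if __name__ == "__main__":
    for dst, payload in frames_not_for_us(SAMPLE_TCPDUMP, H2_MAC):
        print(f"dropped by H2 (dst {dst} != {H2_MAC}): {payload}")
    print(build_redirect_flow(H2_MAC))
```

On a real host, feed it `tcpdump -e -n -l -i enp1s0` output and the MAC from `cat /sys/class/net/enp1s0/address`; a non-empty result is the signature of this problem.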