Colleagues,
I can't get forwarding of (externally) redirected packets through a Linux host to work. Here is the network model I'm experimenting with:
         +----+(enp2)      +----+    +----+
         | H2 +------------+ o- +----+ H3 | (192.0.2.153)
         +--+-+            | br |    +----+
            |(enp1)        +-+--+
            |                |
            |                |
            |                |
+-----------+----+         +-+--+
|    ovs i-br    +---------+ R1 |
+-----------+----+         +----+
            |
            |
         +--+-+
         | H1 | (10.9.8.100)
         +----+
For traffic from H1 to H3, regular routing exists (through R1), but for some reasons I need to divert some kinds of traffic through H2, using OVS rules for this. After I've added the rule:
ovs-ofctl add-flow i-br dl_type=0x0800,in_port=1,nw_proto=6,tp_dst=80,actions=output:4
I'm seeing incoming packets on enp1@H2:
15:21:51.596752 IP (tos 0x0, ttl 64, id 48926, offset 0, flags [DF], proto TCP (6), length 60)
10.9.8.100.44444 > 192.0.2.153.http: Flags [S], cksum 0x5f93 (correct), seq 774826047, win 64860, options [mss 1410,sackOK,TS val 3466298181 ecr 0,nop,wscale 7], length 0
Forwarding on H2 is allowed (net.ipv4.ip_forward=1), rp_filter is switched off (net.ipv4.conf.(default|all).rp_filter=0), pings from H2 to both sides are working, iptables FORWARD accepts everything, and routing is configured:
10.9.8.0/24 dev enp1s0 proto kernel scope link src 10.9.8.135
192.0.2.0/24 dev enp2s0 proto kernel scope link src 192.0.2.135
I don't see these packets on egress on enp2@H2.
Any ideas why this can happen and what to troubleshoot in order to find the cause?
Thank you.
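One check worth running on H2 before digging deeper into routing, added here as an example that is not part of the original post: a frame that OVS merely redirects with `output:4` still carries the destination MAC that H1 chose for its gateway (R1). H2's NIC only receives such a frame because tcpdump put it into promiscuous mode; the kernel tags it PACKET_OTHERHOST and ip_rcv() discards it before routing or the iptables FORWARD chain ever see it, so it shows up in a capture on enp1 but never leaves enp2. The script below parses `tcpdump -e` text output (constructed sample lines and hypothetical MAC addresses, not the capture from the post) and separates frames addressed to this host from such strays.

```python
import re

# Constructed sample of `tcpdump -eni enp1s0 'tcp port 80 or arp'` output on H2
# (made up for this example; the MAC addresses are hypothetical).
SAMPLE_CAPTURE = """\
15:21:51.596752 02:00:00:00:01:00 > 02:00:00:00:0a:01, ethertype IPv4 (0x0800), length 74: 10.9.8.100.44444 > 192.0.2.153.80: Flags [S], seq 774826047, win 64860, length 0
15:21:52.100431 02:00:00:00:01:00 > 02:00:00:00:02:01, ethertype IPv4 (0x0800), length 74: 10.9.8.100.44445 > 192.0.2.153.80: Flags [S], seq 1, win 64860, length 0
15:21:53.004210 02:00:00:00:01:00 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.9.8.135 tell 10.9.8.100, length 28
"""

# Assumed MAC address of H2's enp1s0 (hypothetical value for the example).
LOCAL_MAC = "02:00:00:00:02:01"

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype (?P<proto>\S+) .*?: (?P<payload>.*)$"
)

def classify_dst(dst_mac, local_mac):
    """Mirror the kernel's pkt_type decision for an incoming frame.
    'host' frames enter the IP stack; 'otherhost' frames are visible only because
    the NIC is in promiscuous mode, and ip_rcv() drops them before routing."""
    if dst_mac.lower() == local_mac.lower():
        return "host"
    if int(dst_mac.split(":")[0], 16) & 0x01:   # group bit set: broadcast/multicast
        return "broadcast/multicast"
    return "otherhost"

def audit_capture(capture, local_mac):
    """Return (per-class counts, list of stray frame summaries) for a tcpdump -e capture."""
    counts = {"host": 0, "broadcast/multicast": 0, "otherhost": 0}
    stray = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue                      # skip continuation or unparsable lines
        kind = classify_dst(m["dst"], local_mac)
        counts[kind] += 1
        if kind == "otherhost":
            stray.append(f"{m['ts']} dst {m['dst']}: {m['payload']}")
    return counts, stray

if __name__ == "__main__":
    counts, stray = audit_capture(SAMPLE_CAPTURE, LOCAL_MAC)
    print(counts)
    for s in stray:
        print("seen but not forwarded (PACKET_OTHERHOST):", s)
```

On kernels with skb drop reasons, the `skb:kfree_skb` tracepoint reports these discards with reason OTHERHOST, which confirms the diagnosis without guessing. The remedy then lies on the OVS side (rewriting the destination MAC to H2's with `mod_dl_dst` in the same flow), not in H2's routing tables or sysctls.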