Hi Joe,
Following on from my earlier message, I have tested a few more scenarios. It seems that Conntrack works fine for UDP and ICMP packet flows. Earlier I had been testing with TCP traffic. This is still not working. Any ideas on why TCP would be failing on the conntrack commit? I have also noticed that if I replay UDP packets shorter than 64 bytes into OVS they are rejected by conntract and can cause the kernel panic issue. The NULL check on the nf_ct_is_confirmed() you mentioned earlier is required to prevent this from happening. John On Tue, Mar 24, 2015 at 9:56 AM, John Hurley <[email protected]> wrote: > Hi Joe, > > Thanks for the response. > I have ensured the nf_conntrack_ipv4 module is loaded but still cannot get > the commit to work. > > I am running Ubuntu 14.04 > Kernel version: 3.16.0-30-generic > > John > > On Mon, Mar 23, 2015 at 6:27 PM, Joe Stringer <[email protected]> > wrote: > >> Hi John, >> >> I strongly suspect in this case, conntrack has been unable to identify >> the connection. There's two parts to this: Perhaps you need to load >> nf_conntrack_ipv4? if that module is not loaded, then conntrack cannot >> identify any IP traffic. Separately, to address the crash, the line >> with the nf_ct_is_confirmed() call likely needs to check if ct is >> non-NULL first. >> >> One useful datapoint is what kernel version/distro are you running? >> I've been testing on the latest net-next, although I should expect it >> work on anything back to linux-3.10. Perhaps earlier depending on the >> particular features required, YMMV. >> >> Apologies, there's a few bugs like this which I have found in local >> testing but I have not pushed the changes yet. This is in part because >> the ongoing development is against the linux tree, so I haven't >> backported the current development code to build inside the OVS tree. >> >> Without the commit, the nf_conntrack tables will not be populated. >> >> On 23 March 2015 at 09:49, John Hurley <[email protected]> wrote: >> > Hi, >> > I am interested in using Conntrack within OVS and have installed the >> latest >> > version from the banch ( >> https://github.com/justinpettit/ovs/tree/conntrack). >> > >> > When I run an example mentioned in the tests: >> > >> > ovs-ofctl del-flows br0 >> > ovs-ofctl add-flow br0 \ >> > "in_port=1,conn_state=-trk,tcp,action=ct(commit,zone=9),2" >> > ovs-ofctl add-flow br0 \ >> > "in_port=2,conn_state=-trk,tcp,action=ct(recirc,zone=9)" >> > ovs-ofctl add-flow br0 "in_port=2,conn_state=+trk+est-new,tcp,action=1" >> > ovs-ofctl add-flow br0 >> "in_port=2,conn_state=+trk-est+new,tcp,action=drop" >> > ovs-ofctl add-flow br0 priority=10,action=normal >> > >> > I am seeing a kernel panic for the 'commit' action. >> > I have traced this to the nf_ct_is_confirmed(ct) call on the >> nf_conntrack >> > module. >> > If I edit the code to avoid this check I avoid the panic but am getting >> an >> > error response from calls such as 'nf_ct_get(skb, &ctinfo)'. >> > >> > It appears that ovs-conntrack is not populating the nf_conntrack tables >> for >> > me. >> > Is there any information on installing/running the ovs-conntrack branch >> > specifically or is there anything else that should be done on top of the >> > standard OVS installation. >> > Doing an lsmod I can see both openvswitch and nf_conntrack modules >> running. >> > >> > Thanks, >> > >> > John >> > >> > >> > >> > >> > _______________________________________________ >> > discuss mailing list >> > [email protected] >> > http://openvswitch.org/mailman/listinfo/discuss >> > >> > >
_______________________________________________ discuss mailing list [email protected] http://openvswitch.org/mailman/listinfo/discuss
