Public bug reported:
* Explain the bug
Netfilter conntrack maintains NAT flags per connection indicating
whether NAT was configured for the connection. Openvswitch maintains
NAT flags on the per packet flow key ct_state field, indicating
whether NAT was actually executed on the packet.
When a packet misses from tc to ovs the conntrack NAT flags are set.
However, NAT was not necessarily executed on the packet because the
connection's state might still be in NEW state. As such, openvswitch
wrongly assumes that NAT was executed and sets an incorrect flow key
NAT flags.
This can lead to incorrect matching on ct_state nat flags, and nat not being
executed
by ovs.
* How to test
Create OVS bridge (br-ovs below) with 2 devices $dev1, $dev2 (can be any
devices), with hw offload enabled.
Configure NAT connection tracking OpenFlow rules which would only be partially
offloaded to tc/hw
because of dp_hash/hash (groups in openflow) not being offloaded, so we would
have misses from tc to ovs:
ovs-ofctl del-flows br-ovs
ovs-ofctl add-flow br-ovs arp,actions=normal
ovs-ofctl -O OpenFlow12 add-group ovs-br \
'group_id=2,type=select,bucket=ct(table=4,zone=5,nat(src=1.1.1.128),commit)'
#rules
ovs-ofctl del-flows ovs-br
ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
ovs-ofctl add-flow ovs-br "table=0, ip, nw_src=1.1.1.1
actions=ct(zone=5,table=1,nat)"
ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"
ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.128 actions=2" #good
flow
ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.1 actions=drop" #bad
flow
Run single sided UDP traffic from $dev1 to $dev2, and observe source nat not
being done,
and hit of drop rule in table=4.
With the fix, the src nat will be done, and table=4 rule which matches
new ip (128) will be hit.
* What it could break.
NA
** Affects: linux-bluefield (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1957807
Title:
Fix ct_state nat matching and nat action not being executed
Status in linux-bluefield package in Ubuntu:
New
Bug description:
* Explain the bug
Netfilter conntrack maintains NAT flags per connection indicating
whether NAT was configured for the connection. Openvswitch maintains
NAT flags on the per packet flow key ct_state field, indicating
whether NAT was actually executed on the packet.
When a packet misses from tc to ovs the conntrack NAT flags are set.
However, NAT was not necessarily executed on the packet because the
connection's state might still be in NEW state. As such, openvswitch
wrongly assumes that NAT was executed and sets an incorrect flow key
NAT flags.
This can lead to incorrect matching on ct_state nat flags, and nat not being
executed
by ovs.
* How to test
Create OVS bridge (br-ovs below) with 2 devices $dev1, $dev2 (can be any
devices), with hw offload enabled.
Configure NAT connection tracking OpenFlow rules which would only be
partially offloaded to tc/hw
because of dp_hash/hash (groups in openflow) not being offloaded, so we would
have misses from tc to ovs:
ovs-ofctl del-flows br-ovs
ovs-ofctl add-flow br-ovs arp,actions=normal
ovs-ofctl -O OpenFlow12 add-group ovs-br \
'group_id=2,type=select,bucket=ct(table=4,zone=5,nat(src=1.1.1.128),commit)'
#rules
ovs-ofctl del-flows ovs-br
ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
ovs-ofctl add-flow ovs-br "table=0, ip, nw_src=1.1.1.1
actions=ct(zone=5,table=1,nat)"
ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"
ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.128 actions=2" #good
flow
ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.1 actions=drop" #bad
flow
Run single sided UDP traffic from $dev1 to $dev2, and observe source nat not
being done,
and hit of drop rule in table=4.
With the fix, the src nat will be done, and table=4 rule which matches
new ip (128) will be hit.
* What it could break.
NA
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1957807/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
