** Also affects: linux-bluefield (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: linux-bluefield (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-bluefield (Ubuntu Focal)
       Status: New => In Progress

** Changed in: linux-bluefield (Ubuntu Focal)
     Assignee: (unassigned) => Bodong Wang (bodong-wang)

** Changed in: linux-bluefield (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1979009

Title:
  fix ref leak when switching zones

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  In Progress

Bug description:
  * Explain the bug(s) 
  When switching zones or network namespaces without doing a ct clear in
  between, it is now leaking a reference to the old ct entry. That's
  because tcf_ct_skb_nfct_cached() returns false and
  tcf_ct_flow_table_lookup() may simply overwrite it.

  The fix is to, as the ct entry is not reusable, free it already at
  tcf_ct_skb_nfct_cached().
   

  * brief explanation of fixes 
  The fix is to, as the ct entry is not reusable, free it already at
  tcf_ct_skb_nfct_cached().

  * How to test
    Set up OVS with OVS offload enabled on veth or other software-only devices
    (so it will only be offloaded to TC and not also to HW, which will take
    longer), example:

    function config_veth() {
      local ns=$1
      local ip=$2
      local peer=${ns}_peer
      local veth=${ns}_veth

      echo "Create namespace $ns, veths: hv $veth <-> ns $peer ($ip)"
      ip netns add $ns
      ip link del $veth &>/dev/null
      ip link add $veth type veth peer name $peer
      ip link set $veth up
      ip link set $peer netns $ns
      ip netns exec $ns ifconfig $peer $ip/24 mtu 1400 up
    }
    IP1="7.7.7.1"
    IP2="7.7.7.2"
    config_veth ns0 $IP1
    config_veth ns1 $IP2
    ovs-vsctl add-br ovs-br
    ovs-vsctl add-port ovs-br ns0_veth
    ovs-vsctl add-port ovs-br ns1_veth

    Add OpenFlow rules configuring two or more chained zones, example:

    function configure_rules() {
      local orig_dev=$1
      local reply_dev=$2

      ovs-ofctl del-flows ovs-br
      ovs-ofctl add-flow ovs-br "table=0, arp, actions=normal"

      #ORIG
      ovs-ofctl add-flow ovs-br "table=0, ip,in_port=$orig_dev,ct_state=-trk, actions=ct(zone=5, table=5)"

      ovs-ofctl add-flow ovs-br "table=5, ip,in_port=$orig_dev,ct_state=+trk+new, actions=ct(zone=5, commit),ct(zone=7, table=7)"
      ovs-ofctl add-flow ovs-br "table=5, ip,in_port=$orig_dev,ct_state=+trk+est, actions=ct(zone=7, table=7)"

      ovs-ofctl add-flow ovs-br "table=7, ip,in_port=$orig_dev,ct_state=+trk+new, actions=ct(zone=7, commit),output:$reply_dev"
      ovs-ofctl add-flow ovs-br "table=7, ip,in_port=$orig_dev,ct_state=+trk+est, actions=output:$reply_dev"

      #REPLY
      ovs-ofctl add-flow ovs-br "table=0, ip,in_port=$reply_dev,ct_state=-trk,ip actions=ct(zone=7, table=8)"
      ovs-ofctl add-flow ovs-br "table=8, ip,in_port=$reply_dev,ct_state=+trk+est,ip actions=ct(zone=5, table=9)"
      ovs-ofctl add-flow ovs-br "table=9, ip,in_port=$reply_dev,ct_state=+trk+est,ip actions=output:$orig_dev"

      ovs-ofctl dump-flows ovs-br --color
    }
    # veth1/veth2 stand for the two bridge ports; with config_veth above
    # those ports are named ns0_veth and ns1_veth.
    configure_rules veth1 veth2

    Run UDP/TCP traffic from veth1 to veth2 such that it passes through both
    zones in the resulting tc rules, and check the conntrack dying table after
    the traffic ends:

    conntrack -L dying

    If the bug occurs, the dying table won't be empty and will have entries
    with refcount > 0:

    tcp      6 0 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=47180 dport=6538 src=127.0.0.1 dst=127.0.0.1 sport=6538 dport=47180 ... mark=0 use=2

  
  * What it could break. 
     Reaching full conntrack table and then dropping packets
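
The leak described under "Explain the bug(s)", as an added user-space model that is not part of the original report and is not kernel code: one packet crosses two zones with no ct clear, with the reuse check run once without and once with the proposed release. The struct and function names (ct_entry, packet, ct_cached, ct_lookup_attach, leaked_refs) are illustrative assumptions that stand in for the skb, the ct entry, tcf_ct_skb_nfct_cached() and tcf_ct_flow_table_lookup().

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code; all names are illustrative. */
struct ct_entry { int zone; int use; };   /* use = reference count */
struct packet   { struct ct_entry *ct; }; /* entry attached to the packet */
static void ct_put(struct ct_entry *ct) { ct->use--; }

/* Models the reuse check. With fixed == true, an entry that cannot be
 * reused for this zone is released here instead of being left attached. */
static bool ct_cached(struct packet *pkt, int zone, bool fixed)
{
    if (!pkt->ct)
        return false;
    if (pkt->ct->zone == zone)
        return true;
    if (fixed) {
        ct_put(pkt->ct);
        pkt->ct = NULL;
    }
    return false;
}

/* Models the lookup: takes a reference on the entry found for the zone and
 * overwrites the packet's pointer without releasing the previous one. */
static void ct_lookup_attach(struct packet *pkt, struct ct_entry *found)
{
    found->use++;
    pkt->ct = found;
}

/* One packet crosses zone 5 then zone 7 with no ct clear in between. Returns
 * the references left on the zone-5 entry once the packet and table let go. */
int leaked_refs(bool fixed)
{
    struct ct_entry z5 = { 5, 1 }, z7 = { 7, 1 }; /* 1 = table's reference */
    struct ct_entry *chain[] = { &z5, &z7 };
    struct packet pkt = { NULL };
    for (int i = 0; i < 2; i++)
        if (!ct_cached(&pkt, chain[i]->zone, fixed))
            ct_lookup_attach(&pkt, chain[i]);
    ct_put(pkt.ct);           /* packet freed: drops the one entry it points to */
    ct_put(&z5); ct_put(&z7); /* connections end: table drops its references */
    return z5.use;            /* 0 = entry can be freed, >0 = stuck as dying */
}

int main(void)
{
    printf("unfixed: %d, fixed: %d\n", leaked_refs(false), leaked_refs(true));
    return 0;
}
```

In the model, the reference that remains on the zone-5 entry in the unfixed case is what the `conntrack -L dying` check in the test procedure shows as an entry that never leaves the dying table.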
