On 2/10/26 12:23 PM, Dumitru Ceara via dev wrote:
> Commit 9c3ae6f27475 ("northd: Add ECMP symmetric replies for egress.")
> tried to add ECMP-symmetric-reply semantics to traffic forwarded on
> sessions initiating from "behind" the static route, i.e., traffic
> hitting the route in the original direction.
>
> However, it decided to commit the session to conntrack only when we
> finally received reply traffic on the session.
>
> As shown in https://issues.redhat.com/browse/FDP-1983, if the hash
> function of the ECMP route changes in between the original SYN and the
> last ACK of the 3-way-handshake of a TCP session (e.g., if ECMP paths
> are added to the route) then traffic in the original direction might
> incorrectly migrate and be forwarded via a different next-hop than the
> original SYN.
>
> In order to fix this, we now commit the traffic on the first SYN instead
> of waiting for replies. That happens in a new logical router pipeline
> stage 'lr_in_ecmp_stateful_egr', just after 'lr_in_arp_request' where
> which we store the (resolved) next-hop MAC and packet out-port in
> conntrack for traffic forwarded by ECMP-symmetric-reply static routes
> (in the original direction).
>
> The system-ovn.at tests also had to be updated because, due to the fact
> that traffic was committed to conntrack only on the first
> non-session-setup reply, the tuples were "wrong". I.e., the conntrack
> session looked as if it had been created from "outside" the static
> route.
>
> Fixes: 9c3ae6f27475 ("northd: Add ECMP symmetric replies for egress.")
> Reported-at: https://issues.redhat.com/browse/FDP-1983
> Signed-off-by: Dumitru Ceara <[email protected]>
> ---
Recheck-request: github-robot-_ovn-kubernetes
Infra issue likely:
Failed to FinalizeArtifact: Received non-retryable error: Failed
request: (403) Forbidden: Error from intermediary with HTTP status code
403 "Forbidden"
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
