On 8/5/22 17:08, Paolo Valerio wrote: > The following test sequence: > > conntrack - IPv4 fragmentation incomplete reassembled packet > conntrack - IPv4 fragmentation with fragments specified > > leads to a systematic failure of the latter test on the kernel > datapath (linux). Multiple executions of the former may also lead to > multiple failures. > This is due to the fact that fragments not yet reassembled are kept in > a queue for /proc/sys/net/ipv4/ipfrag_time seconds, and if the > kernel receives a fragment already present in the queue, it returns > -EINVAL.
Thanks for the patch! I've been looking at the issue earlier this week. One thing I don't understand is that we're reloading all the netfilter modules between tests, shouldn't this clear all the pending queues? Or this re-assembly is happening outside of the conntrack? > > Below the related log message: > |00058|dpif|WARN|system@ovs-system: execute ct(commit) failed (Invalid > argument) > on packet > udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a, > > nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=first,tp_src=1, > tp_dst=2 udp_csum:0 > > Fix the sequence by sending the second fragment in "conntrack - IPv4 > fragmentation incomplete reassembled packet", once the checks are > done. > > IPv6 tests are not affected as the defrag kernel code path pretends to > add the duplicate fragment to the queue returning -EINPROGRESS, when a > duplicate is detected. > > Signed-off-by: Paolo Valerio <[email protected]> > --- > tests/system-traffic.at | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 1a864057c..8497b4d9e 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -3452,6 +3452,11 @@ AT_CHECK([ovs-ofctl bundle br0 bundle.txt]) > AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > ]) > > +dnl Send the second fragment in order to avoid keeping the first fragment > +dnl in the queue until the expiration occurs. Fragments already queued, if > resent, > +dnl may lead to failures on the kernel datapath. > +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1, > packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, > actions=ct(commit)"]) > + > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
