Hi, we've noticed that after a port binding is released, the conntrack entries in the zone associated with the deleted port binding are left in conntrack. I've run through the code; it seems that conntrack zone flushing after port binding release should be done, but for some reason it isn't.
I've done a small proof-test. Create a one-LS topology with two LSPs and configure an allow-related ACL to trigger conntrack:

    # enable debug log for ovn-controller "main":
    ovn-appctl -t ovn-controller vlog/set file:main:dbg

    # create topology
    ovn-nbctl ls-add test
    ovn-nbctl lsp-add test lsp1 -- lsp-set-addresses lsp1 '00:00:00:00:00:01 192.168.20.10'
    ovn-nbctl lsp-add test lsp2 -- lsp-set-addresses lsp2 '00:00:00:00:00:02 192.168.20.20'
    ovs-vsctl add-port br-int lsp1 -- set int lsp1 type=internal external_ids:iface-id=lsp1
    ovs-vsctl add-port br-int lsp2 -- set int lsp2 type=internal external_ids:iface-id=lsp2
    ovn-nbctl acl-add test from-lport 1 1 allow-related
    ip li set lsp1 addr 00:00:00:00:00:01
    ip a add 192.168.20.10/24 dev lsp1
    ip li set lsp1 up

    # determine zone id for lsp1:
    ovn-appctl -t ovn-controller ct-zone-list | grep lsp1

    # run ping and quit
    ping -c1 192.168.20.20 &

    # check if ping appeared in conntrack
    ovs-appctl dpctl/dump-conntrack zone=<zone id for lsp1>

    # in my case the output was:
    #
    # ovs-appctl dpctl/dump-conntrack zone=20
    # icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20

    # clear iface-id external_id from OVS to trigger port_binding release and check conntrack again:
    ovs-appctl dpctl/dump-conntrack zone=<zone id for lsp1>

The empty output is expected here, but in my case it was not:

    # ovs-appctl dpctl/dump-conntrack zone=20
    # icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20

Check ovn-controller logs:

    2022-09-06T18:17:55.162Z|00976|binding|INFO|Claiming lport lsp1 for this chassis.
    2022-09-06T18:17:55.162Z|00977|binding|INFO|lsp1: Claiming 00:00:00:00:00:01 192.168.20.10
    2022-09-06T18:17:55.162Z|00978|main|DBG|assigning ct zone 20 for 'lsp1'
    2022-09-06T18:17:55.163Z|00979|binding|INFO|Setting lport lsp1 ovn-installed in OVS
    2022-09-06T18:17:55.164Z|00980|binding|INFO|Setting lport lsp1 up in Southbound
    2022-09-06T18:18:08.037Z|00981|binding|INFO|Releasing lport lsp1 from this chassis (sb_readonly=0)
    2022-09-06T18:18:08.037Z|00982|main|DBG|removing ct zone 20 for 'lsp1'

Regards,
Vladislav Odintsov
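The check a reviewer would want to run after a release like the one above, as an added example that is not part of the original post and not OVN or OVS code: a small Python script that correlates the `main` debug lines of ovn-controller ("assigning ct zone N for 'lport'" / "removing ct zone N for 'lport'") with the output of `ovs-appctl dpctl/dump-conntrack`, and reports zones that were logged as removed but still hold conntrack entries. Stale entries in a released zone matter because a zone id can be reassigned to a different lport later, and leftover state from the previous tenant would then match traffic it was never meant to. The log and dump lines are taken from the post's own output; the lsp2 / zone 21 lines are constructed to show that a zone that is still assigned is not flagged.

```python
"""Detect conntrack zones that ovn-controller released but that still hold entries.

Added example, not code from the original mailing-list post nor from OVN/OVS.
Inputs are plain text: ovn-controller log lines and dpctl/dump-conntrack lines.
"""
import re
from typing import Dict, List, Tuple

# Shapes of the "main" debug lines quoted in the post.
ASSIGN_RE = re.compile(r"\|main\|DBG\|assigning ct zone (\d+) for '([^']+)'")
REMOVE_RE = re.compile(r"\|main\|DBG\|removing ct zone (\d+) for '([^']+)'")

# Every entry printed by dpctl/dump-conntrack carries a top-level zone=N field.
ZONE_RE = re.compile(r"(?:^|,)zone=(\d+)(?:,|$)")


def zone_history(log_lines: List[str]) -> Dict[int, Tuple[str, str]]:
    """Map zone id -> (lport, 'assigned' | 'removed'); the last event per zone wins."""
    state: Dict[int, Tuple[str, str]] = {}
    for line in log_lines:
        m = ASSIGN_RE.search(line)
        if m:
            state[int(m.group(1))] = (m.group(2), "assigned")
            continue
        m = REMOVE_RE.search(line)
        if m:
            state[int(m.group(1))] = (m.group(2), "removed")
    return state


def entries_by_zone(dump_lines: List[str]) -> Dict[int, List[str]]:
    """Group dpctl/dump-conntrack entries by zone id; prompt/comment lines are skipped."""
    by_zone: Dict[int, List[str]] = {}
    for raw in dump_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ZONE_RE.search(line)
        if not m:
            continue  # entry without a zone field: not zone-scoped, ignore
        by_zone.setdefault(int(m.group(1)), []).append(line)
    return by_zone


def stale_zones(log_lines: List[str], dump_lines: List[str]) -> Dict[int, Tuple[str, List[str]]]:
    """Zones logged as removed that still have conntrack entries -> {zone: (lport, entries)}."""
    history = zone_history(log_lines)
    dump = entries_by_zone(dump_lines)
    return {
        zone: (lport, dump[zone])
        for zone, (lport, state) in history.items()
        if state == "removed" and dump.get(zone)
    }


# Sample input: the post's log lines plus one constructed assignment for lsp2 (zone 21).
LOG_LINES = [
    "2022-09-06T18:17:55.162Z|00976|binding|INFO|Claiming lport lsp1 for this chassis.",
    "2022-09-06T18:17:55.162Z|00978|main|DBG|assigning ct zone 20 for 'lsp1'",
    "2022-09-06T18:17:55.170Z|00979|main|DBG|assigning ct zone 21 for 'lsp2'",  # constructed
    "2022-09-06T18:18:08.037Z|00981|binding|INFO|Releasing lport lsp1 from this chassis (sb_readonly=0)",
    "2022-09-06T18:18:08.037Z|00982|main|DBG|removing ct zone 20 for 'lsp1'",
]

# Sample dump taken after the release: the post's zone-20 entry plus a constructed zone-21 one.
DUMP_AFTER_RELEASE = [
    "icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),"
    "reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20",
    "tcp,orig=(src=192.168.20.20,dst=192.168.20.10,sport=40000,dport=22),"
    "reply=(src=192.168.20.10,dst=192.168.20.20,sport=22,dport=40000),zone=21,"
    "protoinfo=(state=ESTABLISHED)",  # constructed
]


if __name__ == "__main__":
    for zone, (lport, entries) in stale_zones(LOG_LINES, DUMP_AFTER_RELEASE).items():
        print(f"zone {zone} released for '{lport}' but still holds {len(entries)} entr(y/ies):")
        for e in entries:
            print("   ", e)
```

Run against live data by feeding it `journalctl`/log-file lines and the full `ovs-appctl dpctl/dump-conntrack` output (without `zone=`, so every zone is covered); an empty result after a release is the expected state, and any reported zone is the symptom described in the post.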
