On Tue, Sep 6, 2022 at 2:40 PM Vladislav Odintsov <[email protected]> wrote:
>
> Hi,
>
> we've noticed that after a port binding is released, the conntrack entries in
> the zone associated with the deleted port binding are left in conntrack.
> I've run through the code; it seems that conntrack zone flushing after port
> binding release should be done, but for some reason it isn't.

You're right. ovn-controller clears the zone when the zone id is allocated
to a port binding during claim, but not when a port binding is released.
Probably we should add this support.

Thanks
Numan

> I've done a small proof-test.
> Create a one-LS topology with two LSPs and configure an allow-related ACL to
> trigger conntrack:
>
> # enable debug log for ovn-controller "main":
> ovn-appctl -t ovn-controller vlog/set file:main:dbg
>
> # create topology
> ovn-nbctl ls-add test
> ovn-nbctl lsp-add test lsp1 -- lsp-set-addresses lsp1 '00:00:00:00:00:01 192.168.20.10'
> ovn-nbctl lsp-add test lsp2 -- lsp-set-addresses lsp2 '00:00:00:00:00:02 192.168.20.20'
> ovs-vsctl add-port br-int lsp1 -- set int lsp1 type=internal external_ids:iface-id=lsp1
> ovs-vsctl add-port br-int lsp2 -- set int lsp2 type=internal external_ids:iface-id=lsp2
> ovn-nbctl acl-add test from-lport 1 1 allow-related
> ip li set lsp1 addr 00:00:00:00:00:01
> ip a add 192.168.20.10/24 dev lsp1
> ip li set lsp1 up
>
> # determine zone id for lsp1:
> ovn-appctl -t ovn-controller ct-zone-list | grep lsp1
>
> # run ping and quit
> ping -c1 192.168.20.20 &
>
> # check if ping appeared in conntrack
> ovs-appctl dpctl/dump-conntrack zone=<zone id for lsp1>
>
> # in my case the output was:
> # # ovs-appctl dpctl/dump-conntrack zone=20
> # icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20
>
> # clear iface-id external_id from OVS to trigger port_binding release and
> # check conntrack again:
> ovs-appctl dpctl/dump-conntrack zone=<zone id for lsp1>
>
> The empty output is expected here, but in my case it was not:
> # # ovs-appctl dpctl/dump-conntrack zone=20
> # icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20
>
> Check ovn-controller logs:
> 2022-09-06T18:17:55.162Z|00976|binding|INFO|Claiming lport lsp1 for this chassis.
> 2022-09-06T18:17:55.162Z|00977|binding|INFO|lsp1: Claiming 00:00:00:00:00:01 192.168.20.10
> 2022-09-06T18:17:55.162Z|00978|main|DBG|assigning ct zone 20 for 'lsp1'
> 2022-09-06T18:17:55.163Z|00979|binding|INFO|Setting lport lsp1 ovn-installed in OVS
> 2022-09-06T18:17:55.164Z|00980|binding|INFO|Setting lport lsp1 up in Southbound
>
> 2022-09-06T18:18:08.037Z|00981|binding|INFO|Releasing lport lsp1 from this chassis (sb_readonly=0)
> 2022-09-06T18:18:08.037Z|00982|main|DBG|removing ct zone 20 for 'lsp1'
>
>
> Regards,
> Vladislav Odintsov
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
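An added check, not part of this thread or of the OVN code base, that automates what the repro above does by hand: it correlates the `main|DBG` "assigning/removing ct zone" lines from the ovn-controller log with `ovs-appctl dpctl/dump-conntrack` output and reports conntrack entries that survive in a zone whose port binding was released. It also treats a zone that is later re-assigned as no longer released, since ovn-controller flushes the zone on claim. The log and dump text below are constructed samples modelled on the ones in the report.

```python
import re

# Constructed samples modelled on the thread's output, not real captures.
CONTROLLER_LOG = """\
2022-09-06T18:17:55.162Z|00978|main|DBG|assigning ct zone 20 for 'lsp1'
2022-09-06T18:18:08.037Z|00982|main|DBG|removing ct zone 20 for 'lsp1'
"""
CT_DUMP = """\
icmp,orig=(src=192.168.20.10,dst=192.168.20.20,id=31415,type=8,code=0),reply=(src=192.168.20.20,dst=192.168.20.10,id=31415,type=0,code=0),zone=20
tcp,orig=(src=10.0.0.5,dst=10.0.0.6,sport=4242,dport=80),reply=(src=10.0.0.6,dst=10.0.0.5,sport=80,dport=4242),zone=21,protoinfo=(state=ESTABLISHED)
"""

ZONE_EVENT_RE = re.compile(r"\|main\|DBG\|(assigning|removing) ct zone (\d+) for '([^']+)'")


def released_zones(log_text):
    """Return {zone_id: lport} for zones whose most recent log event is a release.

    A later 'assigning' for the same zone id clears it: ovn-controller flushes
    the zone when it hands it to a new port binding, so nothing stale remains.
    """
    released = {}
    for line in log_text.splitlines():
        m = ZONE_EVENT_RE.search(line)
        if not m:
            continue
        action, zone, lport = m.group(1), int(m.group(2)), m.group(3)
        if action == "removing":
            released[zone] = lport
        else:
            released.pop(zone, None)
    return released


def parse_ct_dump(dump_text):
    """Parse dpctl/dump-conntrack lines into (zone_id, protocol, orig_tuple)."""
    entries = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        proto = line.split(",", 1)[0]
        zone_m = re.search(r"zone=(\d+)", line)
        orig_m = re.search(r"orig=\(([^)]*)\)", line)
        # Entries without an explicit zone belong to the default zone 0.
        zone = int(zone_m.group(1)) if zone_m else 0
        entries.append((zone, proto, orig_m.group(1) if orig_m else ""))
    return entries


def stale_entries(log_text, dump_text):
    """List (zone_id, lport, protocol, orig_tuple) for entries left in released zones."""
    released = released_zones(log_text)
    return [(zone, released[zone], proto, orig)
            for zone, proto, orig in parse_ct_dump(dump_text) if zone in released]
```

With the sample data this flags the ICMP entry in zone 20 (released for lsp1) and ignores the zone 21 entry, which no release event covers.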
