On 4/7/23 16:37, Lorenzo Bianconi wrote:
> Partially revert the following commit since it introduces a regression
> when we want to directly connect to a backend ip from a client outside
> the cluster for gw-router-port scenario. For this kind of traffic we do
> not commit to CT the 'original' incoming packet but we send the reply one
> to CT in undnat and snat stages in the router egress pipeline. Since we
> do not have any entry in CT table for the original traffic the reply one
> is marked as invalid.
> Even if the issue is not directly introduced by the commit below, it is
> not easy to fix it without committing all IP traffic to connection
> tracking or adding a flow per load-balancer backend.
>
> commit e3bc68c3be6967916674119b14fe2bef081ac6ad
> Author: Lorenzo Bianconi <[email protected]>
> Date: Mon Mar 20 19:30:13 2023 +0100
>
>     northd: drop ct.inv packets in post snat and lb_aff_learn stages
>
>     Drop ip packets with ct status set to invalid in post snat and
>     lb_aff_learn router stages.
>     Skip ICMPv{4,6} error messages packet in ct.inv rules in order to
>     avoid to introduce too complicated code.
>
> Reviewed-by: Simon Horman <[email protected]>
> Signed-off-by: Lorenzo Bianconi <[email protected]>
> ---

Thanks, Lorenzo and Simon! I applied this to the main branch and backported it to 22.03.
