On Thu, Jan 04, 2024 at 04:27:49PM +1300, Brad Cowie wrote:
> Linux kernel commit ebddb1404900 ("net: move the nat function to
> nf_nat_ovs for ovs and tc") introduced a regression into the kernel
> datapath which prevented the openvswitch match key from being updated
> when nat was undone for packets in the related conntrack state. This
> issue caused these packets (usually ICMP/ICMPv6 error packets) to
> match the wrong openflow rule.
> 
> This issue was fixed in Linux kernel commit e6345d2824a3 ("netfilter:
> nf_nat: fix action not being set for all ct states").
> 
> This test will reproduce the issue and fail for kernel versions
> v6.2 to v6.6, and will pass on earlier kernel versions where the issue
> wasn't present, or on later kernel versions that have the fix applied.
> 
> Link: https://lore.kernel.org/netdev/[email protected]/
> Suggested-by: Aaron Conole <[email protected]>
> Signed-off-by: Brad Cowie <[email protected]>

Hi Brad,

Thanks for following up on this.

One question from my side is, given that this is currently broken in many
kernels in use today, how we should integrate this.  For one thing,
applying this patch causes the CI to fail.

  https://github.com/ovsrobot/ovs/actions/runs/7405341045

It might be nice if we could detect known-to-be-broken kernels.
But I'm not sure there is an easy way to do that, other than
running the test itself.

Do you have any thoughts on this?