On 11/5/24 18:05, Vladislav Odintsov wrote:
> Hi all,
>
Hi Vladislav,
> I've tried to upgrade OVN from 22.09.1 to the fresh version and our
> internal tests showed that commit [0] broke the scenario where we use
> both Load Balancers AND allow-stateless ACLs in logical switches at the
> same time.
>
Thanks for the report! I added Venu (original author of [0]) and Han in CC.
> Prior to this change all traffic directed to the load balancer's IP address
> passed to conntrack and finally worked correctly, even while there were
> allow-stateless rules which, for example, covered all other traffic
> except this LB.
>
> We use such a mix because we need both: LBs and stateless handling for all
> traffic except LB.
>
If I understand the change in [0] correctly it will only skip the egress
pre-LB stage if traffic _matched_ the "allow-stateless" to-lport ACL.
Is that your case too?
From the ovn-nb documentation (even before [0] was committed):
allow-stateless: Always forward the packet in stateless
manner, omitting connection tracking mechanism, regardless of other
rules defined for the switch.
If I'm reading this correctly, it already implied that the CMS needs to
ensure that the stateless ACLs don't match any traffic that might have
to go to conntrack (including reply traffic that's part of a load
balanced session).
> Also, this patch was backported to minor releases, which brought major
> behavior changes (now we can't upgrade to 22.09.2+ without reverting
> the mentioned patch).
>
> Is there any advice, how this can be fixed (except revert in our local
> repo)?
>
Would it be possible to change your allow-stateless to-lport ACLs to
exclude LB backend IPs (because your problem seems to be related to
reply traffic)?
I'm not sure how feasible it is, but an option might be to create a
higher priority allow-related to-lport ACL that matches on all traffic
coming from load balancer backends. There's still a chance that we
match more traffic than we should and send it through conntrack (e.g.,
if the backend IP+port is actually the originator of other connections -
non LB). But that might be acceptable.
> 0:
> https://github.com/ovn-org/ovn/commit/a0f82efdd9dfd3ef2d9606c1890e353df1097a51
>
Regards,
Dumitru
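As an added example (not code from this thread or from OVN itself) of the second workaround above: given a load balancer's vips entry, build the higher-priority allow-related to-lport ACL that covers backend reply traffic, so it keeps going through conntrack even though a broader allow-stateless ACL exists. The switch name sw0, the priority 1000 of the existing allow-stateless ACL and the sample VIP/backend addresses are assumptions.

```python
from ipaddress import ip_address
import shlex

def parse_vips(vips):
    """Parse a Load_Balancer 'vips' column ({"VIP[:port]": "ip[:port],..."})
    into a list of (backend_ip, backend_port); port is None when absent."""
    backends = []
    for targets in vips.values():
        for target in targets.split(","):
            target = target.strip()
            if target.startswith("["):          # IPv6 backend: [addr]:port
                addr, _, rest = target[1:].partition("]")
                port = rest.lstrip(":")
            elif target.count(":") == 1:        # IPv4 backend: addr:port
                addr, _, port = target.partition(":")
            else:                               # bare address, no port
                addr, port = target, ""
            backends.append((str(ip_address(addr)), int(port) if port else None))
    return backends

def backend_reply_match(vips, protocol="tcp"):
    """OVN match for packets whose source is an LB backend (reply direction).
    Constraining on the backend's L4 source port keeps connections the
    backend itself originates (ephemeral source ports) out of the match,
    which narrows the over-matching risk mentioned in the reply above."""
    clauses = []
    for addr, port in parse_vips(vips):
        field = "ip4.src" if ip_address(addr).version == 4 else "ip6.src"
        clause = f"{field} == {addr}"
        if port is not None:
            clause += f" && {protocol}.src == {port}"
        clauses.append(f"({clause})")
    return " || ".join(clauses)

def acl_add_command(switch, vips, stateless_priority, protocol="tcp"):
    """ovn-nbctl command adding an allow-related to-lport ACL one priority
    above the allow-stateless ACL, so backend replies still hit conntrack."""
    match = backend_reply_match(vips, protocol)
    return "ovn-nbctl acl-add " + shlex.join(
        [switch, "to-lport", str(stateless_priority + 1), match, "allow-related"])

if __name__ == "__main__":
    # Constructed sample: VIP 10.0.0.10:80 fronting two backends.
    sample_vips = {"10.0.0.10:80": "10.0.0.2:80,10.0.0.3:8080"}
    print(acl_add_command("sw0", sample_vips, 1000))
```

Run the printed command against the northbound DB on the switch that carries the allow-stateless ACL; the new ACL wins on priority only for backend reply traffic.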
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev