This patch fixes the behavior introduced by commit 40136a2, where regular communication from an external IP to a dnat_and_snat rule IP would always leave an unreplied conntrack entry behind:
nat d8b589d8-7948-4470-a3ee-a8ae7edb6425 external ip: "172.16.1.101" logical ip: "192.168.10.10" type: "dnat_and_snat"
The conntrack entry would be like below:
tcp 6 118 SYN_SENT src=172.16.1.50 dst=192.168.10.10 \
sport=44742 dport=80 [UNREPLIED] src=192.168.10.10 \
dst=172.16.1.50 sport=80 dport=44742 mark=0 zone=13 use=1
When we have many connections on the chassis gateways, more than 50% of the conntrack entries stay in this UNREPLIED state until the entry is expired according with the nf_conntrack_tcp_timeout_syn_sent setting. Running the ab(apache benchmarking tool) test with 3000 requests to a dnat_and_snat IP, without this patch we would have 2997 SYN_SENT unreplied entries and with this patch applied we would have 0 entries.
Fixes: 40136a2 ("northd: Fix direct access to SNAT network.")
Signed-off-by: Tiago Pires <tiago.pi...@luizalabs.com>
---
 northd/northd.c | 2 +-
 tests/ovn-northd.at | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index d027d5c66..ad9fabc8e 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -16521,7 +16521,7 @@ build_lrouter_out_snat_flow(struct lflow_table *lflows,
 ds_cstr(match), "ct_snat;", lflow_ref);
- ds_put_cstr(match, " && ct.new");
+ ds_put_cstr(match, " && ct.new && flags.unsnat_not_tracked == 1");
 ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, priority, ds_cstr(match), "ct_commit_to_zone(snat);", lflow_ref);
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 5ddb15587..a0d6cfc66 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
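Review bot: The narrowed match in build_lrouter_out_snat_flow carries no comment saying why the ct_commit_to_zone(snat) flow must now be limited to packets with flags.unsnat_not_tracked == 1, even though that condition is the entire fix; a reader of the new ds_put_cstr() line cannot tell that committing packets which were already tracked in the unsnat stage is what left the per-connection [UNREPLIED] entries the commit message describes. Suggest preceding the call with `/* Only commit to the SNAT zone when the packet was not already tracked by unsnat; otherwise a stale UNREPLIED entry is left behind for every connection (see commit 40136a2). */`, wording to be confirmed against the place that sets the flag, which is outside this hunk. The test changes only pin the generated flow text; since every external connection to a dnat_and_snat IP previously held a conntrack slot on the chassis gateway until nf_conntrack_tcp_timeout_syn_sent expired, which is a conntrack-table exhaustion concern, a system test in tests/system-ovn.at that opens one connection to a dnat_and_snat IP and asserts no [UNREPLIED] entry remains in the snat zone would guard the behaviour itself rather than the flow string. build_lrouter_out_snat_flow starts and ends outside the hunk.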
@@ -1248,7 +1248,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows | ovn_strip_lflows], [0], [dnl
 AT_CHECK([grep -e "lr_out_post_snat" drflows | ovn_strip_lflows], [0], [dnl
 table=??(lr_out_post_snat ), priority=0 , match=(1), action=(next;)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 50.0.0.11 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.src == $allowed_range && ct.new), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 50.0.0.11 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.src == $allowed_range && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
 ])
 AT_CHECK([grep -e "lr_out_snat" crflows | ovn_strip_lflows], [0], [dnl
@@ -1288,7 +1288,7 @@ AT_CHECK([grep -e "lr_out_snat" drflows2 | ovn_strip_lflows], [0], [dnl
 AT_CHECK([grep -e "lr_out_post_snat" drflows2 | ovn_strip_lflows], [0], [dnl
 table=??(lr_out_post_snat ), priority=0 , match=(1), action=(next;)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 50.0.0.11 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ct.new), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 50.0.0.11 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
 ])
 AT_CHECK([grep -e "lr_out_snat" crflows2 | ovn_strip_lflows], [0], [dnl
@@ -6013,8 +6013,8 @@ AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
 AT_CHECK([grep "lr_out_post_snat" lr0flows | ovn_strip_lflows], [0], [dnl
 table=??(lr_out_post_snat ), priority=0 , match=(1), action=(next;)
- table=??(lr_out_post_snat ), priority=153 , match=(ip && ip4.dst == 10.0.0.0/24 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new), action=(ct_commit_to_zone(snat);)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 10.0.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=153 , match=(ip && ip4.dst == 10.0.0.0/24 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 10.0.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
 ])
 # Associate load balancer to lr0
@@ -6171,8 +6171,8 @@ AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
 AT_CHECK([grep "lr_out_post_snat" lr0flows | ovn_strip_lflows], [0], [dnl
 table=??(lr_out_post_snat ), priority=0 , match=(1), action=(next;)
- table=??(lr_out_post_snat ), priority=153 , match=(ip && ip4.dst == 10.0.0.0/24 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new), action=(ct_commit_to_zone(snat);)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 10.0.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=153 , match=(ip && ip4.dst == 10.0.0.0/24 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 10.0.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
 ])
 # Make the logical router as Gateway router
@@ -8399,9 +8399,9 @@ AT_CHECK([grep lr_out_snat lrflows | grep ct_snat | ovn_strip_lflows], [0], [dnl
 AT_CHECK([grep lr_out_post_snat lrflows | ovn_strip_lflows], [0], [dnl
 table=??(lr_out_post_snat ), priority=0 , match=(1), action=(next;)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ct.new), action=(ct_commit_to_zone(snat);)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S2" && is_chassis_resident("cr-DR-S2") && ct.new), action=(ct_commit_to_zone(snat);)
- table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S3" && is_chassis_resident("cr-DR-S3") && ct.new), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S2" && is_chassis_resident("cr-DR-S2") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
+ table=??(lr_out_post_snat ), priority=161 , match=(ip && ip4.dst == 20.0.0.10 && inport == "DR-S3" && is_chassis_resident("cr-DR-S3") && ct.new && flags.unsnat_not_tracked == 1), action=(ct_commit_to_zone(snat);)
 ])
 check ovn-nbctl --wait=sb lr-nat-del DR snat 20.0.0.10
-- 
2.43.0
-- _'Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial.