Hi,

Continuing my posting on "ovs-vswitchd crashes several times a day", it seems that I have found some race conditions in the conntrack update. Without enabling debugging logs, I find logs like the following frequently.

2023-05-25T12:48:07.270Z|02757|conntrack(pmd-c47/id:101)|WARN|Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and/or zone partitioning.
2023-05-25T12:48:09.318Z|02758|conntrack(pmd-c47/id:101)|WARN|Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and/or zone partitioning.

After enabling debugging logs, I find logs like the following before the above logs.

2023-05-25T12:48:06.979Z|00030|conntrack_tp(pmd-c71/id:103)|DBG|Update timeout TCP_ESTABLISHED zone=4 with policy id=0 val=86400 sec.

At that time, the conntrack table only looks like the following, with a single ESTABLISHED entry.

root@controller02:~# ovs-appctl dpctl/dump-conntrack -s
icmp,orig=(src=192.168.14.14,dst=8.8.8.8,id=6,type=8,code=0),reply=(src=8.8.8.8,dst=10.10.141.153,id=6,type=0,code=0),zone=4,timeout=29
icmp,orig=(src=192.168.14.11,dst=10.10.41.70,id=4,type=8,code=0),reply=(src=10.10.41.70,dst=10.10.141.153,id=4,type=0,code=0),zone=4,timeout=27
tcp,orig=(src=192.168.14.14,dst=10.10.41.73,sport=49852,dport=3306),reply=(src=10.10.41.73,dst=10.10.141.153,sport=3306,dport=49852),zone=4,timeout=86399,protoinfo=(state=ESTABLISHED)

It seems that OVS fails to search conntrack entries whenever there is an update. Does anyone have an idea how to deal with this?

Best regards.
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
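As an added diagnostic example (not from the poster or from the OVS project): the script below parses `ovs-appctl dpctl/dump-conntrack` output such as the three entries quoted above and counts entries per zone and per (zone, SNAT address), so the actual table occupancy can be compared against the "tuple space exhaustion" warning. The three-line sample input is constructed from the post; the parsing logic assumes the default textual dump format shown there.

```python
import re
from collections import Counter

# Constructed sample input: the three dump-conntrack entries quoted in the post.
SAMPLE_DUMP = """\
icmp,orig=(src=192.168.14.14,dst=8.8.8.8,id=6,type=8,code=0),reply=(src=8.8.8.8,dst=10.10.141.153,id=6,type=0,code=0),zone=4,timeout=29
icmp,orig=(src=192.168.14.11,dst=10.10.41.70,id=4,type=8,code=0),reply=(src=10.10.41.70,dst=10.10.141.153,id=4,type=0,code=0),zone=4,timeout=27
tcp,orig=(src=192.168.14.14,dst=10.10.41.73,sport=49852,dport=3306),reply=(src=10.10.41.73,dst=10.10.141.153,sport=3306,dport=49852),zone=4,timeout=86399,protoinfo=(state=ESTABLISHED)
"""

TUPLE_RE = re.compile(r"(orig|reply)=\(([^)]*)\)")

def parse_entry(line):
    """One dump line -> dict with proto, orig/reply tuples, zone and timeout."""
    proto, rest = line.strip().split(",", 1)
    entry = {"proto": proto, "zone": 0}
    for side, body in TUPLE_RE.findall(rest):
        entry[side] = dict(kv.split("=", 1) for kv in body.split(","))
    # zone= and timeout= sit outside the bracketed tuples; zone is omitted when 0
    for kv in TUPLE_RE.sub("", rest).split(","):
        key, _, val = kv.partition("=")
        if key in ("zone", "timeout"):
            entry[key] = int(val)
    return entry

def nat_kind(entry):
    """An untranslated flow has reply.dst == orig.src and reply.src == orig.dst;
    an address or port mismatch shows which direction was NATed."""
    o, r = entry["orig"], entry["reply"]
    snat = r["dst"] != o["src"] or r.get("dport") != o.get("sport")
    dnat = r["src"] != o["dst"] or r.get("sport") != o.get("dport")
    return snat, dnat

def summarize(dump_text):
    """Count entries per zone and per (zone, SNAT address) for comparison with the warning."""
    s = {"total": 0, "per_zone": Counter(), "nat": Counter(), "per_nat_addr": Counter()}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        snat, dnat = nat_kind(e)
        s["total"] += 1
        s["per_zone"][e["zone"]] += 1
        if snat:  # the translated source address is the reply tuple's dst
            s["nat"]["snat"] += 1
            s["per_nat_addr"][(e["zone"], e["reply"]["dst"])] += 1
        if dnat:
            s["nat"]["dnat"] += 1
    return s
```

Feed it the live dump (`ovs-appctl dpctl/dump-conntrack -s | python3 script.py` style, after adding a stdin read) and a per-NAT-address count far below the port range is the evidence that the warning is not explained by table occupancy.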
