Public bug reported:

* Explain the bug
 
Flow table lookup is skipped if packet either went through ct clear action (which set the IP_CT_UNTRACKED flag on the packet), or while switching zones and there is already a connection associated with the packet. This will result in no SW offload of the connection, and the connection not being removed from flow table with TCP teardown (fin/rst packet).
 
* How to test
 
Create OVS bridge with 2 veth pairs, put each veth peer device in a different namespace - ns0, ns1, and add the other side veth devices (named ns[01]_veth below) to OVS bridge. Configure the namespace devices with an ip, and bring all devices up.

Enable HW offload in ovs and configure connection tracking OpenFlow rules that pass via two zones (but drop the FIN packets on the reply side or they will still teardown the connection in second zone from the reply side as it happens first):

 ovs-ofctl add-flow br-ovs "arp actions=NORMAL"
 ovs-ofctl add-flow br-ovs "ct_state=-trk,ip,in_port=ns0_veth actions=ct(table=5,zone=5)"
 ovs-ofctl add-flow br-ovs "ct_state=-trk,tcp,in_port=ns1_veth,tcp_flags=-fin actions=ct(table=8,zone=7)"
 ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=5),ct(table=7,zone=7)"
 ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=ct(table=7,zone=7)"
 ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=7),output:ns1_veth"
 ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=output:ns1_veth"
 ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=ct(table=9,zone=5)"
 ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=output:ns0_veth"

Run TCP iperf from ns0 namespace to an iperf server on ns1 namespace with the given ip.

After traffic ends, check:
 cat /proc/net/nf_conntrack | grep -i offload
If bug occurs, connections will remain offloaded till timeout, otherwise, they will be in teardown state.

* What it could break.
 
NA

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New
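A reproduction script for the test procedure above, written as an added example (it is not part of the bug report): it builds the two-namespace OVS topology, installs the listed flows, runs TCP traffic, and classifies the conntrack dump so the "still offloaded" versus "in teardown" outcome is checked mechanically. The bridge name br-ovs and the ns[01]_veth port names come from the report; root privileges, iperf3, the in-namespace veth names and the 10.0.0.0/24 addresses are this script's own assumptions.

```shell
#!/bin/sh
# Reproduces the report above: two namespaces on an OVS bridge, the reporter's
# flows, TCP traffic, then a check of /proc/net/nf_conntrack. Assumed: root, an
# existing bridge br-ovs, iperf3 in PATH; veth names and 10.0.0.0/24 are ours.
set -eu

# Classify TCP conntrack entries once traffic has stopped. Prints
# "offloaded=<n> teardown=<m>" and returns 1 (bug reproduced) when any TCP entry
# still carries [OFFLOAD]/[HW_OFFLOAD] instead of sitting in a teardown state.
classify_conntrack() {
    dump=$1    # text of /proc/net/nf_conntrack (or a constructed sample)
    offloaded=$(printf '%s\n' "$dump" | grep -Ec 'tcp .*\[(HW_)?OFFLOAD\]' || true)
    teardown=$(printf '%s\n' "$dump" | grep -E 'tcp .*(FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE) ' | grep -Evc '\[(HW_)?OFFLOAD\]' || true)
    echo "offloaded=$offloaded teardown=$teardown"
    [ "$offloaded" -eq 0 ]
}

setup_and_run() {
    for i in 0 1; do
        ip netns add "ns$i"
        ip link add "ns${i}_veth" type veth peer name "veth$i"
        ip link set "veth$i" netns "ns$i"
        ip -n "ns$i" addr add "10.0.0.$((i + 1))/24" dev "veth$i"
        ip -n "ns$i" link set "veth$i" up
        ip link set "ns${i}_veth" up
        ovs-vsctl add-port br-ovs "ns${i}_veth"
    done
    # hw-offload is read when ovs-vswitchd starts; restart it after setting this.
    ovs-vsctl set Open_vSwitch . other_config:hw-offload=true
    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs "arp actions=NORMAL"
    ovs-ofctl add-flow br-ovs "ct_state=-trk,ip,in_port=ns0_veth actions=ct(table=5,zone=5)"
    ovs-ofctl add-flow br-ovs "ct_state=-trk,tcp,in_port=ns1_veth,tcp_flags=-fin actions=ct(table=8,zone=7)"
    ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=5),ct(table=7,zone=7)"
    ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=ct(table=7,zone=7)"
    ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=7),output:ns1_veth"
    ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=output:ns1_veth"
    ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=ct(table=9,zone=5)"
    ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=output:ns0_veth"
    ip netns exec ns1 iperf3 -s -D -1            # one-shot server in ns1
    ip netns exec ns0 iperf3 -c 10.0.0.2 -t 5    # TCP traffic ns0 -> ns1
    sleep 2                                      # let FIN/RST teardown settle
    classify_conntrack "$(cat /proc/net/nf_conntrack)"
}

# Only touch the host when explicitly asked: sh repro.sh --run
if [ "${1:-}" = "--run" ]; then setup_and_run; fi
```

Without `--run` the script only defines the functions, so `classify_conntrack` can be fed a saved conntrack dump from another host.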

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1963948

Title:
  Fix flow table lookup after ct clear or switching zones

Status in linux-bluefield package in Ubuntu:
  New

