Bug 2057426

Summary: Allow conntrack for router ports
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Nadia Pinaeva <npinaeva>
Component: OVN
Assignee: OVN Team <ovnteam>
Status: NEW
QA Contact: Jianlin Shi <jishi>
Severity: low
Priority: low
Version: RHEL 8.0
CC: ctrautma, dceara, jiji, mmichels
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Nadia Pinaeva 2022-02-23 11:48:01 UTC
Description of problem:
Conntrack is disabled for router ports by default, which results in dropped reply packets.
It would be nice to add an option for the LSP to enable conntrack on that port (not connected to a distributed router).

Comment 1 Dumitru Ceara 2022-02-25 13:50:17 UTC
Just a bit more context:

Since https://github.com/ovn-org/ovn/commit/9653a4ec597779bf0fb8352437e7faa04f9f4111, for switches that have load balancers or stateful ACLs applied, traffic that is sent/received to/from a router port bypasses conntrack (it was already the case for switches with stateful ACLs since https://github.com/ovn-org/ovn/commit/fcdbb261a651d5a0882f25f463aa7fd3f7bb714a).

In specific cases, e.g., on the LSP connecting the join switch to the GW router in ovn-k8s, the CMS might wish to disable this functionality and use conntrack.  This BZ requests a new LSP config option to selectively do that.

Comment 2 Dumitru Ceara 2022-05-23 13:29:28 UTC
As discussed on Slack, this is not really required for ovn-kubernetes anymore, lowering priority and severity.