Bug 2228037
| Summary: | OvS is not able to clear SCTP CT entries based on source/destination port | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | ying xu <yinxu> |
| Component: | openvswitch3.1 | Assignee: | Ales Musil <amusil> |
| Status: | ASSIGNED --- | QA Contact: | Hekai Wang <hewang> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | FDP 23.F | CC: | amusil, ctrautma, jhsiao, jiji, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
It looks like an OvS issue. I can see in ovs-vswitchd.log:

```
2023-08-01T12:55:00.164Z|00053|netlink_conntrack|WARN|Unsupported L4 protocol: 132.
2023-08-01T12:55:00.170Z|00054|netlink_conntrack|WARN|Unsupported L4 protocol: 132.
```

We only allow matching on ports for UDP and TCP: https://github.com/openvswitch/ovs/blob/master/lib/netlink-conntrack.c#L566

I'll move that to OvS for now.
Description of problem:
ovn-controller should clear conntrack entries as part of SCTP load balancer cleanup

Version-Release number of selected component (if applicable):
ovn23.03-23.03.0-86.el9fdp.x86_64

How reproducible:
always

Steps to Reproduce:
script:

```sh
# Provider bridge used by the localnet port of switch "alice"
ovs-vsctl add-br br-nat
ovs-vsctl set open . external_ids:ovn-bridge-mappings=nattest:br-nat
ip link set br-nat up

# Two logical routers; R2 is the gateway router pinned to chassis hv1
ovn-nbctl lr-add R1
ovn-nbctl lr-add R2
ovn-nbctl set logical_router R2 options:chassis=hv1

ovn-nbctl ls-add foo
ovn-nbctl ls-add bar
ovn-nbctl ls-add alice
ovn-nbctl ls-add join

ovn-nbctl lrp-add R1 foo 00:00:01:01:02:03 192.168.1.1/24 2001::1/64
ovn-nbctl lsp-add foo rp-foo -- set logical_switch_port rp-foo \
    type=router options:router-port=foo addresses="00:00:01:01:02:03"

ovn-nbctl lrp-add R1 bar 00:00:01:01:02:04 192.168.2.1/24 2002::1/64
ovn-nbctl lsp-add bar rp-bar -- set Logical_Switch_Port rp-bar \
    type=router options:router-port=bar addresses="00:00:01:01:02:04"

ovn-nbctl lrp-add R2 alice 00:00:02:01:02:03 172.16.1.1/24 3001::1/64
ovn-nbctl lsp-add alice rp-alice -- set Logical_Switch_Port rp-alice \
    type=router options:router-port=alice addresses="00:00:02:01:02:03"

ovn-nbctl lsp-add alice alice_ln
ovn-nbctl lsp-set-options alice_ln network_name=nattest
ovn-nbctl lsp-set-addresses alice_ln unknown
ovn-nbctl lsp-set-type alice_ln localnet

# Join switch between R1 and R2
ovn-nbctl lrp-add R1 R1_join 00:00:04:01:02:03 20.0.0.1/24 4000::1/64
ovn-nbctl lsp-add join r1-join -- set Logical_Switch_Port r1-join \
    type=router options:router-port=R1_join addresses="00:00:04:01:02:03"

ovn-nbctl lrp-add R2 R2_join 00:00:04:01:02:04 20.0.0.2/24 4000::2/64
ovn-nbctl lsp-add join r2-join -- set Logical_Switch_Port r2-join \
    type=router options:router-port=R2_join addresses="00:00:04:01:02:04"

ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.1.0/24 20.0.0.2
ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.2.0/24 20.0.0.3
ovn-nbctl --policy="src-ip" lr-route-add R1 2001::/64 4000::2
ovn-nbctl --policy="src-ip" lr-route-add R1 2002::/64 4000::3
ovn-nbctl lr-route-add R1 172.16.1.0/24 20.0.0.2
ovn-nbctl lr-route-add R1 3001::/64 4000::2
ovn-nbctl lr-route-add R2 192.168.0.0/16 20.0.0.1
ovn-nbctl lr-route-add R2 2001::/64 4000::1
ovn-nbctl lr-route-add R2 2002::/64 4000::1

ovn-nbctl show

# Client namespace foo1 on switch "foo"
ip netns add foo1
ovs-vsctl add-port br-int foo1 -- set interface foo1 type=internal
ip link set foo1 netns foo1
ip netns exec foo1 ip link set foo1 address f0:00:00:01:02:03
ip netns exec foo1 ip link set foo1 up
ip netns exec foo1 ip addr add 192.168.1.2/24 dev foo1
ip netns exec foo1 ip -6 addr add 2001::2/64 dev foo1
ip netns exec foo1 ip route add default via 192.168.1.1 dev foo1
ip netns exec foo1 ip -6 route add default via 2001::1 dev foo1
ovs-vsctl set interface foo1 external_ids:iface-id=foo1
ovn-nbctl lsp-add foo foo1 -- lsp-set-addresses foo1 "f0:00:00:01:02:03 192.168.1.2 2001::2"

# Backend namespaces bar1 and bar2 on switch "bar"
ip netns add bar1
ip link add bar1 netns bar1 type veth peer name bar1_br
ip netns exec bar1 ip link set bar1 address f0:00:00:01:02:05
ip netns exec bar1 ip link set bar1 up
ip netns exec bar1 ip addr add 192.168.2.2/24 dev bar1
ip netns exec bar1 ip -6 addr add 2002::2/64 dev bar1
ip netns exec bar1 ip route add default via 192.168.2.1 dev bar1
ip netns exec bar1 ip -6 route add default via 2002::1 dev bar1
ip link set bar1_br up
ovs-vsctl add-port br-int bar1_br
ovs-vsctl set interface bar1_br external_ids:iface-id=bar1
ovn-nbctl lsp-add bar bar1 -- lsp-set-addresses bar1 "f0:00:00:01:02:05 192.168.2.2 2002::2"

ip netns add bar2
ip link add bar2 netns bar2 type veth peer name bar2_br
ip netns exec bar2 ip link set bar2 address f0:00:00:01:03:05
ip netns exec bar2 ip link set bar2 up
ip netns exec bar2 ip addr add 192.168.2.3/24 dev bar2
ip netns exec bar2 ip -6 addr add 2002::3/64 dev bar2
ip netns exec bar2 ip route add default via 192.168.2.1 dev bar2
ip netns exec bar2 ip -6 route add default via 2002::1 dev bar2
ip link set bar2_br up
ovs-vsctl add-port br-int bar2_br
ovs-vsctl set interface bar2_br external_ids:iface-id=bar2
ovn-nbctl lsp-add bar bar2 -- lsp-set-addresses bar2 "f0:00:00:01:03:05 192.168.2.3 2002::3"

# External namespace alice1 on the provider bridge
ip netns add alice1
ovs-vsctl add-port br-nat alice1 -- set interface alice1 type=internal
ip link set alice1 netns alice1
ip netns exec alice1 ip link set alice1 address f0:00:00:01:02:04
ip netns exec alice1 ip link set alice1 up
ip netns exec alice1 ip addr add 172.16.1.3/24 dev alice1
ip netns exec alice1 ip -6 addr add 3001::3/64 dev alice1
ip netns exec alice1 ip route add default via 172.16.1.1 dev alice1
ip netns exec alice1 ip -6 route add default via 3001::1 dev alice1

#SCTP-LOAD_BALANCER
#add LB with ct_flush=true
ovn-nbctl lb-add lb2 192.168.2.100:8080 192.168.2.2:80,192.168.2.3:80 sctp \
    -- set load_balancer lb2 options:ct_flush='true'
ovn-nbctl lb-add lb22 [2002::100]:8080 [2002::3]:80,[2002::2]:80 sctp \
    -- set load_balancer lb22 options:ct_flush='true'

#add lb to Ls
ovn-nbctl ls-lb-add foo lb2
ovn-nbctl ls-lb-add foo lb22

# Open some SCTP associations through the VIPs so CT entries are created
for i in $(seq 10); do
    ip netns exec foo1 ncat --sctp 192.168.2.100 8080 <<< h
    ip netns exec foo1 ncat --sctp 2002::100 8080 <<< h
done
```

Then remove a backend from the LB:

```sh
ovn-nbctl --wait=hv set load_balancer lb2 vips="192.168.2.100:8080"="192.168.2.2:80"
ovn-nbctl --wait=hv set load_balancer lb22 vips="[2002::100]:8080"="[2002::2]:80"
```

Check the conntrack: all entries about 192.168.2.3 should be cleared, but they are not.

```
# ovs-appctl dpctl/dump-conntrack | grep "sctp.*192.168.2.100" | grep 192.168.2.3
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3846649941,vtag_reply=2233580054)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=48116,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=48116),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1780338216,vtag_reply=2092330428)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=36946,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=36946),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3384084027,vtag_reply=3651159180)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=46845,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=46845),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=676938126,vtag_reply=882787984)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=53065,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=53065),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3415426990,vtag_reply=1022567001)
```

Then delete the LB; all entries about 192.168.2.100 should be cleared, but they are not.

Actual results:
When removing SCTP load balancer backends or deleting the LB, the conntrack entries weren't cleared.

Expected results:
When removing SCTP load balancer backends or deleting the LB, the conntrack entries should be cleared.

Additional info:
It works for TCP and UDP LBs.
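An added check that is not part of the bug report or of OVN/OvS: it parses `ovs-appctl dpctl/dump-conntrack` output in the format shown above and lists the entries that a successful CT flush would have removed, either those still DNATed to a backend that was taken out of the load balancer or, after the LB is deleted, every entry for the VIP. The dump text is constructed for the example.

```python
import re

# Constructed sample of ``ovs-appctl dpctl/dump-conntrack`` output in the
# format the bug report shows; the vtag values are made up for this example.
SAMPLE_DUMP = """\
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1,vtag_reply=2)
tcp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=40000,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=40000),zone=18,mark=2,protoinfo=(state=TIME_WAIT)
"""

# Only the orig=(...) and reply=(...) tuples are captured; protoinfo=(...) is skipped.
TUPLE_RE = re.compile(r"(orig|reply)=\(([^)]*)\)")


def parse_entry(line):
    """Parse one dump-conntrack line into {"proto", "orig", "reply", "zone"}."""
    entry = {"proto": line.split(",", 1)[0], "zone": None}
    for name, body in TUPLE_RE.findall(line):
        entry[name] = dict(kv.split("=", 1) for kv in body.split(","))
    zone = re.search(r"\bzone=(\d+)", line)
    if zone:
        entry["zone"] = int(zone.group(1))
    return entry


def stale_lb_entries(dump, vip, vip_port, removed_backends=None, proto="sctp"):
    """Return CT entries for the VIP that should be gone after an LB change.

    removed_backends: set of backend IPs removed from the LB; None means the
    whole LB was deleted, so every entry for the VIP counts as stale.
    """
    stale = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["proto"] != proto or "orig" not in e or "reply" not in e:
            continue
        if e["orig"]["dst"] != vip or e["orig"]["dport"] != str(vip_port):
            continue
        if removed_backends is None or e["reply"]["src"] in removed_backends:
            stale.append(e)
    return stale


if __name__ == "__main__":
    for e in stale_lb_entries(SAMPLE_DUMP, "192.168.2.100", 8080, {"192.168.2.3"}):
        print("stale:", e["proto"], e["orig"], "->", e["reply"]["src"], "zone", e["zone"])
```

Run it against the live dump with `stale_lb_entries(subprocess.check_output(["ovs-appctl", "dpctl/dump-conntrack"], text=True), ...)`; a non-empty result after the backend removal reproduces the report.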