1497768 – [3.5] Conntrack table entry is not removed when UDP service is added after single pod was removed and added back

Bug 1497768 - [3.5] Conntrack table entry is not removed when UDP service is added after single pod was removed and added back

Summary: [3.5] Conntrack table entry is not removed when UDP service is added after si...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	3.5.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	3.5.z
Assignee:	Dan Winship
QA Contact:	Meng Bo
Docs Contact:
URL:
Whiteboard:
Depends On:	1487438
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-02 15:43 UTC by Dan Winship
Modified:	2017-11-24 05:43 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Conntrack entries for UDP traffic were not cleared when an endpoint was added for a service that previously had no endpoints. Consequence: The system could end up incorrectly caching a rule that would cause traffic to that service to be dropped rather than being sent to the new endpoint. Fix: The relevant conntrack entries are now deleted at the right time. Result: UDP services work correctly when endpoints are added and removed.
Clone Of:	1487438
Environment:
Last Closed:	2017-10-25 13:08:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3153091	0	None	None	None	2017-10-02 15:43:32 UTC
Red Hat Product Errata	RHBA-2017:3049	0	normal	SHIPPED_LIVE	OpenShift Container Platform 3.6, 3.5, and 3.4 bug fix and enhancement update	2017-10-25 15:57:15 UTC

Comment 1 Dan Winship 2017-10-02 17:05:01 UTC

https://github.com/openshift/ose/pull/881

Comment 3 Meng Bo 2017-10-12 07:56:28 UTC

Tested on ocp build v3.5.5.31.34 with steps:

1. Create pod
2. Expose the pod with udp port
$ oc expose pod udp-pod --protocol="UDP"
3. Acess the service via udp port
4. Check the conntrack table on the node
# conntrack -L -D $svc_IP
5. Delete the pod created in step 1
6. Check the conntrack table on node again

The conntrack entry about the udp connection will be deleted immediately once the pod deleted.

Comment 5 errata-xmlrpc 2017-10-25 13:08:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3049

Note You need to log in before you can comment on or make changes to this bug.