Bug 2057426 - Allow conntrack for router ports
Summary: Allow conntrack for router ports
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: OVN
Version: RHEL 8.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: ---
Assignee: OVN Team
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-23 11:48 UTC by Nadia Pinaeva
Modified: 2023-07-13 07:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-1789 0 None None None 2022-02-23 11:53:55 UTC

Description Nadia Pinaeva 2022-02-23 11:48:01 UTC 
Description of problem:
Conntrack is disabled for router ports by default which results in dropped reply packets.
Would be nice to add an option for LSP to enable conntrack on that port (not connected to distributed router).
Comment 1 Dumitru Ceara 2022-02-25 13:50:17 UTC 
Just a bit more context:

Since https://github.com/ovn-org/ovn/commit/9653a4ec597779bf0fb8352437e7faa04f9f4111, for switches that have load balancers or stateful ACLs applied, traffic that is sent/received to/from a router port bypasses conntrack (it was already the case for switches with stateful ACLs since https://github.com/ovn-org/ovn/commit/fcdbb261a651d5a0882f25f463aa7fd3f7bb714a).

In specific cases, e.g., on the LSP connecting the join switch to the GW router in ovn-k8s, the CMS might wish to disable this functionality and use conntrack.  This BZ requests a new LSP config option to selectively do that.
Comment 2 Dumitru Ceara 2022-05-23 13:29:28 UTC 
As discussed on Slack, this is not really required for ovn-kubernetes anymore, lowering priority and severity.
Note You need to log in before you can comment on or make changes to this bug.