Bug 2215137 - stateless traffic is sent to conntrack when LB is present
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn22.12
Version: FDP 22.L
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dumitru Ceara
QA Contact: ying xu
Blocks: 2214303
Reported: 2023-06-14 21:08 UTC by Ihar Hrachyshka
Modified: 2023-07-06 20:05 UTC (History)

Fixed In Version: ovn22.12-22.12.0-94.el8fdp
Last Closed: 2023-07-06 20:05:32 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FD-2951 | 0 | None | None | None | 2023-06-14 21:08:49 UTC
Red Hat Product Errata | RHBA-2023:3992 | 0 | None | None | None | 2023-07-06 20:05:42 UTC

Comment 2 Ihar Hrachyshka 2023-06-20 16:29:57 UTC
FYI the backport landed in 22.12 upstream 4 days ago: https://github.com/ovn-org/ovn/commit/6be84b57732d1756f5970e267581e691543be936

Comment 3 Ihar Hrachyshka 2023-06-20 16:31:13 UTC
There's already a build for this in brew.

Comment 4 OVN Bot 2023-06-20 19:49:45 UTC
ovn22.12 fast-datapath-rhel-9 clone created at https://bugzilla.redhat.com/show_bug.cgi?id=2216315

Comment 7 ying xu 2023-06-28 08:48:10 UTC
Use this topology and config to test this bug:
# Logical network:
# One LR R1 with switches foo (192.168.1.0/24), bar (192.168.2.0/24),
#
#    foo -- R1 -- bar

# ovn-nbctl show
switch 9f9d8463-f970-47e4-a232-8688e1b3a438 (foo)
    port foo1
        addresses: ["f0:00:00:01:02:03 192.168.1.2"]
    port rp-foo
        type: router
        router-port: foo
switch ca7616b3-b116-4ae4-a7e9-ac24ea3db536 (bar)
    port rp-bar
        type: router
        router-port: bar
    port bar1
        addresses: ["f0:00:00:01:02:04 192.168.2.2"]
router 8502a562-b934-43e5-8b79-b53bafb886d0 (R1)
    port bar
        mac: "00:00:01:01:02:04"
        networks: ["192.168.2.1/24"]
    port foo
        mac: "00:00:01:01:02:03"
        networks: ["192.168.1.1/24"]
[root@dell-per740-54 load_balance]# ovn-nbctl list load_balancer
_uuid               : 30199a7b-1f3b-426a-8d58-b4c270eb8dce
external_ids        : {}
health_check        : []
ip_port_mappings    : {}
name                : lb1
options             : {}
protocol            : tcp
selection_fields    : []
vips                : {"30.30.30.30:80"="192.168.2.2:80"}
[root@dell-per740-54 load_balance]# ovn-nbctl list acl
_uuid               : 8c9a48ac-87ae-43c4-a2e8-ec90a61349a5
action              : allow-stateless
direction           : from-lport
external_ids        : {}
label               : 0
log                 : false
match               : "1"
meter               : []
name                : []
options             : {}
priority            : 1
severity            : []

_uuid               : 6af28809-8b49-470b-a078-473fd5c0e1c3
action              : allow-stateless
direction           : to-lport
external_ids        : {}
label               : 0
log                 : false
match               : "1"
meter               : []
name                : []
options             : {}
priority            : 1
severity            : []


On the old version, traffic is sent to the server and gets a conntrack entry:
:: [ 04:28:20 ] :: [  BEGIN   ] :: Running 'ip netns exec foo1 ncat  30.30.30.30 80 <<< d'
:: [ 04:28:21 ] :: [   FAIL   ] :: Command 'ip netns exec foo1 ncat  30.30.30.30 80 <<< d' (Expected 1, got 0)
:: [ 04:28:21 ] :: [  BEGIN   ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=46782,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=46782),zone=7,mark=2,protoinfo=(state=TIME_WAIT)
:: [ 04:28:21 ] :: [   FAIL   ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 0)


On the fixed version, traffic fails and there is no conntrack entry.
# rpm -qa|grep ovn22
ovn22.12-22.12.0-94.el8fdp.x86_64
ovn22.12-central-22.12.0-94.el8fdp.x86_64
ovn22.12-host-22.12.0-94.el8fdp.x86_64

:: [ 04:28:20 ] :: [  BEGIN   ] :: Running 'ip netns exec foo1 ncat  30.30.30.30 80 <<< d'
Ncat: Connection timed out.
:: [ 04:28:30 ] :: [   PASS   ] :: Command 'ip netns exec foo1 ncat  30.30.30.30 80 <<< d' (Expected 1, got 1)
:: [ 04:28:30 ] :: [  BEGIN   ] :: Running 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30'
:: [ 04:28:30 ] :: [   PASS   ] :: Command 'ovs-appctl dpctl/dump-conntrack zone=7|grep 30.30.30.30' (Expected 1, got 1)


Set verified.
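
The conntrack check from comment 7, as an added example that is not part of the original bug report or of OVN: a shell function that parses `ovs-appctl dpctl/dump-conntrack` output and reports only entries whose original destination is the load-balancer VIP in the given zone, with the backend each one was translated to. The function names and the second and third sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Line 1 of the sample is the entry
# quoted in comment 7; lines 2 and 3 are constructed for contrast.
SAMPLE_DUMP='tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=46782,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=46782),zone=7,mark=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=192.168.1.2,dst=192.168.2.2,sport=40000,dport=22),reply=(src=192.168.2.2,dst=192.168.1.2,sport=22,dport=40000),zone=7,protoinfo=(state=ESTABLISHED)
tcp,orig=(src=192.168.1.2,dst=30.30.30.30,sport=40002,dport=80),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=40002),zone=9,mark=2,protoinfo=(state=TIME_WAIT)'

# vip_ct_entries VIP PORT ZONE  (hypothetical helper; reads a dump on stdin)
# Prints "proto vip:port -> backend:port state" for every entry whose ORIGINAL
# destination is VIP:PORT in ZONE. Matching on the parsed orig tuple avoids the
# false hits a plain grep for the address can produce on reply tuples.
vip_ct_entries() {
    awk -v vip="$1" -v port="$2" -v zone="$3" '
    # Return the text inside name=( ... ), or "" if the section is absent.
    function section(line, name,    re) {
        re = name "=\\([^)]*\\)"
        if (!match(line, re)) return ""
        return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    # Return the value of key=value inside a comma-separated section.
    function field(sec, key,    n, i, parts) {
        n = split(sec, parts, ",")
        for (i = 1; i <= n; i++)
            if (index(parts[i], key "=") == 1)
                return substr(parts[i], length(key) + 2)
        return ""
    }
    {
        # Entries in the default zone carry no zone= field and are skipped.
        if (!match($0, /,zone=[0-9]+/)) next
        z = substr($0, RSTART + 6, RLENGTH - 6)
        o = section($0, "orig"); r = section($0, "reply")
        if (z != zone || field(o, "dst") != vip || field(o, "dport") != port) next
        printf "%s %s:%s -> %s:%s %s\n", substr($0, 1, index($0, ",") - 1),
            vip, port, field(r, "src"), field(r, "sport"),
            field(section($0, "protoinfo"), "state")
    }'
}

# Number of matching entries; 0 is what the fixed build is expected to show.
vip_ct_count() { vip_ct_entries "$@" | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_DUMP" | vip_ct_entries 30.30.30.30 80 7
```

On a live chassis, pipe `ovs-appctl dpctl/dump-conntrack zone=7` (the command used in comment 7) into `vip_ct_entries 30.30.30.30 80 7`; empty output matches the result reported for the fixed build.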

Comment 9 errata-xmlrpc 2023-07-06 20:05:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn22.12 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3992

