Bug 2228037
| Summary: | OvS is not able to clear SCTP CT entries based on source/destination port | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | ying xu <yinxu> |
| Component: | openvswitch3.1 | Assignee: | Ales Musil <amusil> |
| Status: | CLOSED ERRATA | QA Contact: | Hekai Wang <hewang> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | FDP 23.F | CC: | amusil, ctrautma, jhsiao, jiji, ralongi |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openvswitch3.1-3.1.0-54.el9fdp | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-10-18 00:27:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
It looks like an OvS issue. I can see in ovs-vswitchd.log:

2023-08-01T12:55:00.164Z|00053|netlink_conntrack|WARN|Unsupported L4 protocol: 132.
2023-08-01T12:55:00.170Z|00054|netlink_conntrack|WARN|Unsupported L4 protocol: 132.

We allow matching on ports only for UDP and TCP:
https://github.com/openvswitch/ovs/blob/master/lib/netlink-conntrack.c#L566

I'll move that to OvS for now.

Patch posted: https://patchwork.ozlabs.org/project/openvswitch/patch/20230802094010.111208-1-amusil@redhat.com/

* Sat Sep 09 2023 Open vSwitch CI <ovs-ci> - 3.1.0-54
- Merging upstream branch-3.1 [RH git: 31ed7bcbea]

Commit list:
8e8131eff7 netlink-conntrack: Fix partial match of entries with SCTP. (#2228037)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch3.1 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:5818
Description of problem:
ovn-controller should clear conntrack entries as part of SCTP load balancer cleanup

Version-Release number of selected component (if applicable):
ovn23.03-23.03.0-86.el9fdp.x86_64

How reproducible:
always

Steps to Reproduce:
script:

# Physical bridge for the localnet port and the two logical routers
ovs-vsctl add-br br-nat
ovs-vsctl set open . external_ids:ovn-bridge-mappings=nattest:br-nat
ip link set br-nat up
ovn-nbctl lr-add R1
ovn-nbctl lr-add R2
ovn-nbctl set logical_router R2 options:chassis=hv1
ovn-nbctl ls-add foo
ovn-nbctl ls-add bar
ovn-nbctl ls-add alice
ovn-nbctl ls-add join
# R1: foo and bar switches
ovn-nbctl lrp-add R1 foo 00:00:01:01:02:03 192.168.1.1/24 2001::1/64
ovn-nbctl lsp-add foo rp-foo -- set logical_switch_port rp-foo \
    type=router options:router-port=foo addresses="00:00:01:01:02:03"
ovn-nbctl lrp-add R1 bar 00:00:01:01:02:04 192.168.2.1/24 2002::1/64
ovn-nbctl lsp-add bar rp-bar -- set Logical_Switch_Port rp-bar \
    type=router options:router-port=bar addresses="00:00:01:01:02:04"
# R2: alice switch with a localnet port on br-nat
ovn-nbctl lrp-add R2 alice 00:00:02:01:02:03 172.16.1.1/24 3001::1/64
ovn-nbctl lsp-add alice rp-alice -- set Logical_Switch_Port rp-alice \
    type=router options:router-port=alice addresses="00:00:02:01:02:03"
ovn-nbctl lsp-add alice alice_ln
ovn-nbctl lsp-set-options alice_ln network_name=nattest
ovn-nbctl lsp-set-addresses alice_ln unknown
ovn-nbctl lsp-set-type alice_ln localnet
# join switch connecting R1 and R2
ovn-nbctl lrp-add R1 R1_join 00:00:04:01:02:03 20.0.0.1/24 4000::1/64
ovn-nbctl lsp-add join r1-join -- set Logical_Switch_Port r1-join \
    type=router options:router-port=R1_join addresses="00:00:04:01:02:03"
ovn-nbctl lrp-add R2 R2_join 00:00:04:01:02:04 20.0.0.2/24 4000::2/64
ovn-nbctl lsp-add join r2-join -- set Logical_Switch_Port r2-join \
    type=router options:router-port=R2_join addresses="00:00:04:01:02:04"
ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.1.0/24 20.0.0.2
ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.2.0/24 20.0.0.3
ovn-nbctl --policy="src-ip" lr-route-add R1 2001::/64 4000::2
ovn-nbctl --policy="src-ip" lr-route-add R1 2002::/64 4000::3
ovn-nbctl lr-route-add R1 172.16.1.0/24 20.0.0.2
ovn-nbctl lr-route-add R1 3001::/64 4000::2
ovn-nbctl lr-route-add R2 192.168.0.0/16 20.0.0.1
ovn-nbctl lr-route-add R2 2001::/64 4000::1
ovn-nbctl lr-route-add R2 2002::/64 4000::1
ovn-nbctl show
# foo1: client namespace on switch foo
ip netns add foo1
ovs-vsctl add-port br-int foo1 -- set interface foo1 type=internal
ip link set foo1 netns foo1
ip netns exec foo1 ip link set foo1 address f0:00:00:01:02:03
ip netns exec foo1 ip link set foo1 up
ip netns exec foo1 ip addr add 192.168.1.2/24 dev foo1
ip netns exec foo1 ip -6 addr add 2001::2/64 dev foo1
ip netns exec foo1 ip route add default via 192.168.1.1 dev foo1
ip netns exec foo1 ip -6 route add default via 2001::1 dev foo1
ovs-vsctl set interface foo1 external_ids:iface-id=foo1
ovn-nbctl lsp-add foo foo1 -- lsp-set-addresses foo1 "f0:00:00:01:02:03 192.168.1.2 2001::2"
# bar1 and bar2: the two load balancer backends on switch bar
ip netns add bar1
ip link add bar1 netns bar1 type veth peer name bar1_br
ip netns exec bar1 ip link set bar1 address f0:00:00:01:02:05
ip netns exec bar1 ip link set bar1 up
ip netns exec bar1 ip addr add 192.168.2.2/24 dev bar1
ip netns exec bar1 ip -6 addr add 2002::2/64 dev bar1
ip netns exec bar1 ip route add default via 192.168.2.1 dev bar1
ip netns exec bar1 ip -6 route add default via 2002::1 dev bar1
ip link set bar1_br up
ovs-vsctl add-port br-int bar1_br
ovs-vsctl set interface bar1_br external_ids:iface-id=bar1
ovn-nbctl lsp-add bar bar1 -- lsp-set-addresses bar1 "f0:00:00:01:02:05 192.168.2.2 2002::2"
ip netns add bar2
ip link add bar2 netns bar2 type veth peer name bar2_br
ip netns exec bar2 ip link set bar2 address f0:00:00:01:03:05
ip netns exec bar2 ip link set bar2 up
ip netns exec bar2 ip addr add 192.168.2.3/24 dev bar2
ip netns exec bar2 ip -6 addr add 2002::3/64 dev bar2
ip netns exec bar2 ip route add default via 192.168.2.1 dev bar2
ip netns exec bar2 ip -6 route add default via 2002::1 dev bar2
ip link set bar2_br up
ovs-vsctl add-port br-int bar2_br
ovs-vsctl set interface bar2_br external_ids:iface-id=bar2
ovn-nbctl lsp-add bar bar2 -- lsp-set-addresses bar2 "f0:00:00:01:03:05 192.168.2.3 2002::3"
# alice1: external host on br-nat
ip netns add alice1
ovs-vsctl add-port br-nat alice1 -- set interface alice1 type=internal
ip link set alice1 netns alice1
ip netns exec alice1 ip link set alice1 address f0:00:00:01:02:04
ip netns exec alice1 ip link set alice1 up
ip netns exec alice1 ip addr add 172.16.1.3/24 dev alice1
ip netns exec alice1 ip -6 addr add 3001::3/64 dev alice1
ip netns exec alice1 ip route add default via 172.16.1.1 dev alice1
ip netns exec alice1 ip -6 route add default via 3001::1 dev alice1

#SCTP-LOAD_BALANCER
#add LB with ct_flush=true
ovn-nbctl lb-add lb2 192.168.2.100:8080 192.168.2.2:80,192.168.2.3:80 sctp -- set load_balancer lb2 options:ct_flush='true'
ovn-nbctl lb-add lb22 [2002::100]:8080 [2002::3]:80,[2002::2]:80 sctp -- set load_balancer lb22 options:ct_flush='true'
#add lb to Ls
ovn-nbctl ls-lb-add foo lb2
ovn-nbctl ls-lb-add foo lb22
# generate SCTP associations through both VIPs so conntrack entries exist
for i in $(seq 10); do
    ip netns exec foo1 ncat --sctp 192.168.2.100 8080 <<< h
    ip netns exec foo1 ncat --sctp 2002::100 8080 <<< h
done

Then remove a backend from the LB:

ovn-nbctl --wait=hv set load_balancer lb2 vips="192.168.2.100:8080"="192.168.2.2:80"
ovn-nbctl --wait=hv set load_balancer lb22 vips="[2002::100]:8080"="[2002::2]:80"

Check the conntrack: all entries about 192.168.2.3 should be cleared, but they are not.

# ovs-appctl dpctl/dump-conntrack | grep 'sctp.*192.168.2.100' | grep 192.168.2.3
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3846649941,vtag_reply=2233580054)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=48116,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=48116),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1780338216,vtag_reply=2092330428)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=36946,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=36946),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3384084027,vtag_reply=3651159180)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=46845,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=46845),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=676938126,vtag_reply=882787984)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=53065,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=53065),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3415426990,vtag_reply=1022567001)

Then delete the LB; all entries about 192.168.2.100 should be cleared, but they are not.

Actual results:
When removing SCTP load balancer backends or deleting the LB, the conntrack entries weren't cleared.

Expected results:
When removing SCTP load balancer backends or deleting the LB, the conntrack entries should be cleared.

Additional info:
It works for TCP and UDP LBs.
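The check the reporter does with two greps, generalized to any VIP and backend set, as an added example that is not part of this bug report and not OVN or OvS code. It parses `ovs-appctl dpctl/dump-conntrack` output, lists entries that were DNATed from the VIP to a backend that is no longer configured, and renders each one as the original-direction 5-tuple (protocol 132 for SCTP, the number OvS logged as unsupported). The sample input is constructed: the six SCTP entries quoted above plus two lines written for this example (one SCTP flow to the backend that stays, one TCP flow to the removed one). The `ct_nw_src`/`ct_tp_src`/`ct_nw_proto` tuple syntax for `dpctl/flush-conntrack` is assumed from the ovs-vswitchd(8) man page and should be confirmed locally.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the six SCTP entries from the bug report, plus
# two entries written for this example (an SCTP flow to the backend that is
# still configured and a TCP flow to the removed backend).
SAMPLE_DUMP = """\
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3846649941,vtag_reply=2233580054)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=48116,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=48116),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1780338216,vtag_reply=2092330428)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=36946,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=36946),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3384084027,vtag_reply=3651159180)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=46845,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=46845),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=676938126,vtag_reply=882787984)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=53065,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=53065),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3415426990,vtag_reply=1022567001)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=40001,dport=8080),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=40001),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1,vtag_reply=2)
tcp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=40002,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=40002),zone=18,mark=2,protoinfo=(state=TIME_WAIT)
"""

# IANA protocol numbers as used in ct_nw_proto; 132 is the value that
# netlink_conntrack logged as "Unsupported L4 protocol" before the fix.
L4_PROTO_NUM = {"tcp": 6, "udp": 17, "sctp": 132}

# One dump-conntrack line. Addresses never contain commas, IPv6 included,
# so [^,]+ is enough; entries without ports (ICMP) simply do not match.
TUPLE_RE = re.compile(
    r"^(?P<proto>\w+),"
    r"orig=\(src=(?P<osrc>[^,]+),dst=(?P<odst>[^,]+),sport=(?P<osport>\d+),dport=(?P<odport>\d+)\),"
    r"reply=\(src=(?P<rsrc>[^,]+),dst=(?P<rdst>[^,]+),sport=(?P<rsport>\d+),dport=(?P<rdport>\d+)\)"
    r"(?:,zone=(?P<zone>\d+))?"
)


@dataclass(frozen=True)
class CtEntry:
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: int
    orig_dport: int
    reply_src: str
    reply_sport: int
    zone: Optional[int]


def parse_dump(text: str) -> list:
    """Parse dpctl/dump-conntrack output into CtEntry records."""
    entries = []
    for line in text.splitlines():
        m = TUPLE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append(CtEntry(
            proto=g["proto"],
            orig_src=g["osrc"], orig_dst=g["odst"],
            orig_sport=int(g["osport"]), orig_dport=int(g["odport"]),
            reply_src=g["rsrc"], reply_sport=int(g["rsport"]),
            zone=int(g["zone"]) if g["zone"] else None,
        ))
    return entries


def stale_entries(entries, vip, vip_port, live_backends, proto=None):
    """Entries whose original direction hits the VIP but whose reply side is a
    backend not in live_backends (a set of (ip, port)). proto, if given,
    narrows the result to one L4 protocol name as printed by dump-conntrack."""
    live = set(live_backends)
    return [
        e for e in entries
        if e.orig_dst == vip and e.orig_dport == vip_port
        and (proto is None or e.proto == proto)
        and (e.reply_src, e.reply_sport) not in live
    ]


def flush_tuple(e: CtEntry) -> str:
    """Original-direction 5-tuple in the ct_* field syntax accepted by
    `ovs-appctl dpctl/flush-conntrack [zone=N] <tuple>` (assumed from the
    ovs-vswitchd(8) description; confirm against the local man page)."""
    v6 = ":" in e.orig_src
    src_key, dst_key = ("ct_ipv6_src", "ct_ipv6_dst") if v6 else ("ct_nw_src", "ct_nw_dst")
    return (f"{src_key}={e.orig_src},{dst_key}={e.orig_dst},"
            f"ct_nw_proto={L4_PROTO_NUM[e.proto]},"
            f"ct_tp_src={e.orig_sport},ct_tp_dst={e.orig_dport}")


if __name__ == "__main__":
    import sys
    # Pipe real output in (ovs-appctl dpctl/dump-conntrack | python3 this.py)
    # or run with no input to use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    # lb2 after the backend removal in the report: only 192.168.2.2:80 remains.
    for e in stale_entries(parse_dump(text), "192.168.2.100", 8080, {("192.168.2.2", 80)}):
        print(f"zone={e.zone} {flush_tuple(e)}")
```

Run against the report's dump with `{("192.168.2.2", 80)}` as the live set, this lists exactly the six SCTP entries the greps found; passing `proto="sctp"` separates them from TCP or UDP leftovers, which is the split that matters here because only the SCTP ones fail to be flushed. The `flush_tuple` output is the port-qualified tuple that the fixed OvS accepts for protocol 132; before the fix, a flush with these fields would produce the "Unsupported L4 protocol: 132" warning quoted above.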