
Bug 2238111

Summary: OvS is not able to clear SCTP CT entries based on source/destination port
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: ovs-bugzilla <ovs-bugzilla>
Component: openvswitch3.1
Assignee: Ales Musil <amusil>
Status: CLOSED ERRATA
QA Contact: Hekai Wang <hewang>
Severity: medium
Priority: medium
Version: FDP 23.F
CC: ctrautma, jhsiao, ralongi
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openvswitch3.1-3.1.0-61.el8fdp
Last Closed: 2023-10-18 00:14:58 UTC

Description ovs-bugzilla 2023-09-09 02:48:55 UTC
+++ This bug was initially created as a clone of Bug #2228037 +++

Description of problem:
ovn-controller should clear conntrack entries as part of SCTP load balancer cleanup

Version-Release number of selected component (if applicable):
ovn23.03-23.03.0-86.el9fdp.x86_64

How reproducible:
always

Steps to Reproduce:
script:
	ovs-vsctl add-br br-nat
	ovs-vsctl set open . external_ids:ovn-bridge-mappings=nattest:br-nat
	ip link set br-nat up

	ovn-nbctl lr-add R1
	ovn-nbctl lr-add R2

	ovn-nbctl set logical_router R2 options:chassis=hv1

	ovn-nbctl ls-add foo
	ovn-nbctl ls-add bar
	ovn-nbctl ls-add alice
	ovn-nbctl ls-add join

	ovn-nbctl lrp-add R1 foo 00:00:01:01:02:03 192.168.1.1/24 2001::1/64
	ovn-nbctl lsp-add foo rp-foo -- set logical_switch_port rp-foo \
		        type=router options:router-port=foo addresses="00:00:01:01:02:03"

	ovn-nbctl lrp-add R1 bar 00:00:01:01:02:04 192.168.2.1/24 2002::1/64
	ovn-nbctl lsp-add bar rp-bar -- set Logical_Switch_Port rp-bar \
		        type=router options:router-port=bar addresses="00:00:01:01:02:04"

	ovn-nbctl lrp-add R2 alice 00:00:02:01:02:03 172.16.1.1/24 3001::1/64
	ovn-nbctl lsp-add alice rp-alice -- set Logical_Switch_Port rp-alice \
		        type=router options:router-port=alice addresses="00:00:02:01:02:03"

	ovn-nbctl lsp-add alice alice_ln
	ovn-nbctl lsp-set-options alice_ln network_name=nattest
	ovn-nbctl lsp-set-addresses alice_ln unknown
	ovn-nbctl lsp-set-type alice_ln localnet


	ovn-nbctl lrp-add R1 R1_join 00:00:04:01:02:03 20.0.0.1/24 4000::1/64
	ovn-nbctl lsp-add join r1-join -- set Logical_Switch_Port r1-join \
		        type=router options:router-port=R1_join addresses="00:00:04:01:02:03"
	ovn-nbctl lrp-add R2 R2_join 00:00:04:01:02:04 20.0.0.2/24 4000::2/64
	ovn-nbctl lsp-add join r2-join -- set Logical_Switch_Port r2-join \
		        type=router options:router-port=R2_join addresses="00:00:04:01:02:04"
	ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.1.0/24 20.0.0.2
	ovn-nbctl --policy="src-ip" lr-route-add R1 192.168.2.0/24 20.0.0.3
	ovn-nbctl --policy="src-ip" lr-route-add R1 2001::/64 4000::2
	ovn-nbctl --policy="src-ip" lr-route-add R1 2002::/64 4000::3
	ovn-nbctl lr-route-add R1 172.16.1.0/24 20.0.0.2
	ovn-nbctl lr-route-add R1 3001::/64 4000::2


	ovn-nbctl lr-route-add R2 192.168.0.0/16 20.0.0.1
	ovn-nbctl lr-route-add R2 2001::/64 4000::1
	ovn-nbctl lr-route-add R2 2002::/64 4000::1

	ovn-nbctl show

	ip netns add foo1
	ovs-vsctl add-port br-int foo1 -- set interface foo1 type=internal
	ip link set foo1 netns foo1
	ip netns exec foo1 ip link set foo1 address f0:00:00:01:02:03
	ip netns exec foo1 ip link set foo1 up
	ip netns exec foo1 ip addr add 192.168.1.2/24 dev foo1
	ip netns exec foo1 ip -6 addr add 2001::2/64 dev foo1
	ip netns exec foo1 ip route add default via  192.168.1.1 dev foo1
	ip netns exec foo1 ip -6 route add default via 2001::1 dev foo1
	ovs-vsctl set interface foo1 external_ids:iface-id=foo1
	ovn-nbctl lsp-add foo foo1 -- lsp-set-addresses foo1 "f0:00:00:01:02:03 192.168.1.2 2001::2"

	ip netns add bar1
	ip link add bar1 netns bar1 type veth peer name bar1_br
	ip netns exec bar1 ip link set bar1 address f0:00:00:01:02:05
	ip netns exec bar1 ip link set bar1 up
	ip netns exec bar1 ip addr add 192.168.2.2/24 dev bar1
	ip netns exec bar1 ip -6 addr add 2002::2/64 dev bar1
	ip netns exec bar1 ip route add default via 192.168.2.1 dev bar1
	ip netns exec bar1 ip -6 route add default via 2002::1 dev bar1
	ip link set bar1_br up
	ovs-vsctl add-port br-int bar1_br
	ovs-vsctl set interface bar1_br external_ids:iface-id=bar1
	ovn-nbctl lsp-add bar bar1 -- lsp-set-addresses bar1 "f0:00:00:01:02:05 192.168.2.2 2002::2"

	ip netns add bar2
	ip link add bar2 netns bar2 type veth peer name bar2_br
	ip netns exec bar2 ip link set bar2 address f0:00:00:01:03:05
	ip netns exec bar2 ip link set bar2 up
	ip netns exec bar2 ip addr add 192.168.2.3/24 dev bar2
	ip netns exec bar2 ip -6 addr add 2002::3/64 dev bar2
	ip netns exec bar2 ip route add default via 192.168.2.1 dev bar2
	ip netns exec bar2 ip -6 route add default via 2002::1 dev bar2
	ip link set bar2_br up
	ovs-vsctl add-port br-int bar2_br
	ovs-vsctl set interface bar2_br external_ids:iface-id=bar2
	ovn-nbctl lsp-add bar bar2 -- lsp-set-addresses bar2 "f0:00:00:01:03:05 192.168.2.3 2002::3"

	ip netns add alice1
	ovs-vsctl add-port br-nat alice1 -- set interface alice1 type=internal
	ip link set alice1 netns alice1
	ip netns exec alice1 ip link set alice1 address f0:00:00:01:02:04
	ip netns exec alice1 ip link set alice1 up
	ip netns exec alice1 ip addr add 172.16.1.3/24 dev alice1
	ip netns exec alice1 ip -6 addr add 3001::3/64 dev alice1
	ip netns exec alice1 ip route add default via 172.16.1.1 dev alice1
	ip netns exec alice1 ip -6 route add default via 3001::1 dev alice1

	# SCTP load balancer

	# add LB with ct_flush=true
	ovn-nbctl lb-add lb2 192.168.2.100:8080 192.168.2.2:80,192.168.2.3:80 sctp -- set load_balancer lb2 options:ct_flush='true'
	ovn-nbctl lb-add lb22 [2002::100]:8080 [2002::3]:80,[2002::2]:80 sctp -- set load_balancer lb22 options:ct_flush='true'
	# add LB to LS
	ovn-nbctl ls-lb-add foo lb2
	ovn-nbctl ls-lb-add foo lb22
	for i in `seq 10`; do
		ip netns exec foo1 ncat --sctp 192.168.2.100 8080 <<< h
		ip netns exec foo1 ncat --sctp 2002::100 8080 <<< h
	done

Then remove a backend from the LB:
	ovn-nbctl --wait=hv set load_balancer lb2 vips="192.168.2.100:8080"="192.168.2.2:80"
	ovn-nbctl --wait=hv set load_balancer lb22 vips="[2002::100]:8080"="[2002::2]:80"

Check the conntrack: all entries for 192.168.2.3 should be cleared, but they are not.
# ovs-appctl dpctl/dump-conntrack | grep 'sctp.*192.168.2.100' | grep 192.168.2.3
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3846649941,vtag_reply=2233580054)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=48116,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=48116),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=1780338216,vtag_reply=2092330428)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=36946,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=36946),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3384084027,vtag_reply=3651159180)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=46845,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=46845),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=676938126,vtag_reply=882787984)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=53065,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=53065),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3415426990,vtag_reply=1022567001)

Then delete the LB; all entries for 192.168.2.100 should be cleared, but they are not.


Actual results:
When SCTP load balancer backends are removed or the LB is deleted, the conntrack entries aren't cleared.

Expected results:
When SCTP load balancer backends are removed or the LB is deleted, the conntrack entries should be cleared.

Additional info:
It works for TCP and UDP LBs.
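The report verifies the leak by grepping `ovs-appctl dpctl/dump-conntrack` output by hand. The following is an added example, not part of the bug report or of OVS/OVN, that parses that dump format into structured entries and answers the two questions the reporter asks: after a backend is removed with `ct_flush=true`, which entries still map the VIP to that backend, and after the LB is deleted, which entries for the VIP survive at all. The sample dump is constructed: its first line mirrors one of the stale entries above, the remaining lines (a kept backend, a TCP entry, a different VIP, and an IPv6 entry for lb22) are made up with invented ports and vtags. Address comparison is purely textual, which is why the same code handles IPv4 and IPv6 lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the dpctl/dump-conntrack line format quoted in the
# report. Line 1 mirrors a stale entry from the report; the others are made up
# (ports and vtags invented) to exercise the filters below.
SAMPLE_DUMP = """\
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=60809,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=60809),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=3952343259,vtag_reply=1120783016)
sctp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=49846,dport=8080),reply=(src=192.168.2.2,dst=192.168.1.2,sport=80,dport=49846),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=11,vtag_reply=12)
tcp,orig=(src=192.168.1.2,dst=192.168.2.100,sport=40000,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=40000),zone=18,mark=2,protoinfo=(state=TIME_WAIT)
sctp,orig=(src=192.168.1.2,dst=192.168.2.50,sport=41000,dport=8080),reply=(src=192.168.2.3,dst=192.168.1.2,sport=80,dport=41000),zone=18,protoinfo=(state=ESTABLISHED,vtag_orig=13,vtag_reply=14)
sctp,orig=(src=2001::2,dst=2002::100,sport=42000,dport=8080),reply=(src=2002::3,dst=2001::2,sport=80,dport=42000),zone=18,mark=2,protoinfo=(state=CLOSED,vtag_orig=15,vtag_reply=16)
"""

# Parenthesised groups: orig=(...), reply=(...), protoinfo=(...).
_GROUP_RE = re.compile(r"(\w+)=\(([^)]*)\)")
# zone is a bare scalar field, not a parenthesised group.
_ZONE_RE = re.compile(r"(?:^|,)zone=(\d+)")


@dataclass
class CtEntry:
    proto: str
    orig: Dict[str, str]
    reply: Dict[str, str]
    zone: Optional[int]
    protoinfo: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def _parse_kv(body: str) -> Dict[str, str]:
    """Turn 'src=a,dst=b,sport=1' into a dict; IPv6 literals contain no commas."""
    return dict(kv.split("=", 1) for kv in body.split(",") if kv)


def parse_line(line: str) -> CtEntry:
    """Parse one dump-conntrack line: leading protocol, then named fields."""
    proto, _, rest = line.strip().partition(",")
    groups = {name: _parse_kv(body) for name, body in _GROUP_RE.findall(rest)}
    zone_m = _ZONE_RE.search(rest)
    return CtEntry(
        proto=proto,
        orig=groups.get("orig", {}),
        reply=groups.get("reply", {}),
        zone=int(zone_m.group(1)) if zone_m else None,
        protoinfo=groups.get("protoinfo", {}),
        raw=line.strip(),
    )


def parse_dump(dump: str) -> List[CtEntry]:
    return [parse_line(l) for l in dump.splitlines() if l.strip()]


def backend_entries(dump: str, vip: str, backend: str,
                    proto: str = "sctp", vport: Optional[int] = None) -> List[CtEntry]:
    """Entries for `proto` whose original destination is the VIP (and VIP port,
    if given) and whose reply source is `backend`. Run after removing that
    backend from an LB with ct_flush=true: every hit is an entry the flush
    failed to delete."""
    hits = []
    for e in parse_dump(dump):
        if e.proto != proto:
            continue
        if e.orig.get("dst") != vip or e.reply.get("src") != backend:
            continue
        if vport is not None and e.orig.get("dport") != str(vport):
            continue
        hits.append(e)
    return hits


def vip_entries(dump: str, vip: str, proto: str = "sctp") -> List[CtEntry]:
    """Entries for `proto` destined to the VIP; should be empty once the whole
    load balancer has been deleted."""
    return [e for e in parse_dump(dump)
            if e.proto == proto and e.orig.get("dst") == vip]


if __name__ == "__main__":
    # Same check as the reporter's grep, against the constructed dump.
    for e in backend_entries(SAMPLE_DUMP, "192.168.2.100", "192.168.2.3", vport=8080):
        print("stale after backend removal:", e.raw)
    for e in vip_entries(SAMPLE_DUMP, "192.168.2.100"):
        print("would survive LB deletion:", e.raw)
```

In practice the dump would be read from the output of `ovs-appctl dpctl/dump-conntrack` instead of `SAMPLE_DUMP`; passing `vport` tightens the match to the VIP's port so that entries for another service on the same address are not counted.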

Comment 1 ovs-bugzilla 2023-09-09 02:48:59 UTC
* Sat Sep 09 2023 Open vSwitch CI <ovs-ci> - 3.1.0-61
- Merging upstream branch-3.1 [RH git: 926dad1f04]
    Commit list:
    8e8131eff7 netlink-conntrack: Fix partial match of entries with SCTP. (#2228037)

Comment 7 errata-xmlrpc 2023-10-18 00:14:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch3.1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:5815