On Fri, Jun 17, 2022 at 05:56:49PM +0200, Ilya Maximets wrote:
> commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee upstream
>
> [Backport to 5.10: minor rebase in ovs_ct_clear function.
> This version is also applicable to and tested on 5.4 and 4.19.]
>
> If packet headers changed, the cached nfct is no longer relevant
> for the packet and an attempt to re-use it leads to incorrect packet
> classification.
>
> This issue is causing broken connectivity in OpenStack deployments
> with OVS/OVN due to hairpin traffic being unexpectedly dropped.
>
> The setup has datapath flows with several conntrack actions and tuple
> changes between them:
>
>   actions:ct(commit,zone=8,mark=0/0x1,nat(src)),
>           set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),
>           set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),
>           ct(zone=8),recirc(0x4)
>
> After the first ct() action the packet headers are almost fully
> re-written. The next ct() tries to re-use the existing nfct entry
> and marks the packet as invalid, so it gets dropped later in the
> pipeline.
>
> Clear the cached conntrack entry whenever the packet tuple is changed
> to avoid the issue.
>
> The flow key should not be cleared though, because we should still
> be able to match on the ct_state if the recirculation happens after
> the tuple change but before the next ct() action.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
> Reported-by: Frode Nordahl <frode.nordahl@xxxxxxxxxxxxx>
> Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html
> Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856
> Signed-off-by: Ilya Maximets <i.maximets@xxxxxxx>
> Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@xxxxxxx
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> ---
>
> The patch was already backported down to 5.15.
> This version was adjusted to work on 5.10, 5.4 and 4.19.

Now queued up, thanks!

greg k-h
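The failure mode in the quoted commit message (a cached conntrack entry reused after the packet tuple was rewritten, so the second ct() classifies the packet as invalid) and the shape of the fix (drop the cached entry on a tuple change, keep the flow key's ct_state) can be walked through in a small userspace model. The code below is an added example written for this page; it is not the kernel's openvswitch code and not part of the thread. The conntrack table, the "packet belongs to this connection" check, the ct_state bits and the inner addresses (192.168.100.5 and 172.18.2.6) are constructed simplifications; only the rewritten addresses 172.18.2.10 and 192.168.100.6 come from the flow in the message.

```c
/* Userspace model of the OVS conntrack-cache problem from the commit message.
 * Constructed illustration, not the kernel's net/openvswitch code: the table,
 * the belongs_to() check and the ct_state bits are simplifications. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CT_TRK 0x01   /* tracked */
#define CT_NEW 0x02   /* new connection */
#define CT_EST 0x04   /* established */
#define CT_INV 0x20   /* invalid: packet could not be classified */

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct tuple { uint32_t src, dst; uint16_t sport, dport; };
struct ct_entry { struct tuple orig, reply; int used; };

struct pkt {
    struct tuple t;          /* current packet headers */
    struct ct_entry *nfct;   /* cached conntrack entry (models skb->_nfct) */
    uint8_t key_ct_state;    /* flow key ct_state (models key->ct_state) */
};

static struct ct_entry table[4];

static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}
static struct tuple inverted(const struct tuple *t) {
    return (struct tuple){ t->dst, t->src, t->dport, t->sport };
}
/* A packet belongs to a connection if its headers are the original or reply
 * tuple as sent, or as seen after NAT (the inverse of the other direction). */
static int belongs_to(const struct ct_entry *ct, const struct tuple *t) {
    struct tuple io = inverted(&ct->orig), ir = inverted(&ct->reply);
    return tuple_eq(t, &ct->orig) || tuple_eq(t, &ct->reply) ||
           tuple_eq(t, &io) || tuple_eq(t, &ir);
}
static struct ct_entry *ct_lookup_or_create(const struct tuple *t, int *is_new) {
    for (int i = 0; i < 4; i++)
        if (table[i].used && belongs_to(&table[i], t)) { *is_new = 0; return &table[i]; }
    for (int i = 0; i < 4; i++)
        if (!table[i].used) {
            table[i].used = 1; table[i].orig = *t; table[i].reply = inverted(t);
            *is_new = 1; return &table[i];
        }
    return NULL;
}

/* ct() action. A cached entry is reused without a table lookup; if the packet
 * headers no longer belong to that connection the packet is classified invalid.
 * nat_src != 0 models ct(commit,nat(src)): SNAT to nat_src and record the
 * translated reply tuple so return traffic maps back to the same entry. */
static void action_ct(struct pkt *p, uint32_t nat_src) {
    int is_new = 0;
    struct ct_entry *ct = p->nfct;
    if (ct) {
        if (!belongs_to(ct, &p->t)) { p->key_ct_state = CT_TRK | CT_INV; return; }
        p->key_ct_state = CT_TRK | CT_EST;
    } else {
        ct = ct_lookup_or_create(&p->t, &is_new);
        if (!ct) { p->key_ct_state = CT_TRK | CT_INV; return; }   /* table full */
        p->nfct = ct;
        p->key_ct_state = CT_TRK | (is_new ? CT_NEW : CT_EST);
    }
    if (nat_src) { p->t.src = nat_src; ct->reply.dst = nat_src; }
}

/* set(ipv4(src,dst)) action. With clear_nfct set, the fix's behaviour: the
 * cached entry is dropped because the tuple changed, while key_ct_state is
 * kept so a recirculation before the next ct() can still match on it. */
static void action_set_ipv4(struct pkt *p, uint32_t src, uint32_t dst, int clear_nfct) {
    p->t.src = src; p->t.dst = dst;
    if (clear_nfct) p->nfct = NULL;
}

/* Hairpin-style flow: ct(commit,nat(src)), set(ipv4(src=172.18.2.10,
 * dst=192.168.100.6)), ct(). Inner addresses are constructed. Returns the
 * ct_state after the second ct(); *after_set receives the flow key state
 * observed between set() and that second ct(). */
static uint8_t simulate(int clear_nfct_on_set, uint8_t *after_set) {
    memset(table, 0, sizeof table);
    struct pkt p = { { IP4(192,168,100,5), IP4(172,18,2,6), 40000, 80 }, NULL, 0 };
    action_ct(&p, IP4(172,18,2,10));
    action_set_ipv4(&p, IP4(172,18,2,10), IP4(192,168,100,6), clear_nfct_on_set);
    if (after_set) *after_set = p.key_ct_state;
    action_ct(&p, 0);
    return p.key_ct_state;
}
uint8_t run_pipeline(int clear_nfct_on_set) { return simulate(clear_nfct_on_set, NULL); }
uint8_t key_state_after_set(int clear_nfct_on_set) {
    uint8_t s = 0; simulate(clear_nfct_on_set, &s); return s;
}

int main(void) {
    printf("without fix: final ct_state=0x%02x\n", run_pipeline(0));   /* 0x21: +trk+inv */
    printf("with fix:    final ct_state=0x%02x, key state after set()=0x%02x\n",
           run_pipeline(1), key_state_after_set(1));                  /* 0x03, 0x03 */
    return 0;
}
```

Without clearing, the second ct() trusts the cached entry, finds that the rewritten headers match neither direction of that connection (not even the NATed one), and sets +inv, which is what gets the hairpin traffic dropped. With clearing, the second ct() performs a fresh lookup on the new tuple and classifies it as +new, while the flow key between set() and ct() still carries the state from the first ct(), which is the property the commit message insists on for recirculation.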