Re: [PATCH 5.10] net: openvswitch: fix misuse of the cached connection on tuple changes

On Fri, Jun 17, 2022 at 05:56:49PM +0200, Ilya Maximets wrote:
> commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee upstream
> 
> [Backport to 5.10: minor rebase in ovs_ct_clear function.
>  This version is also applicable to and tested on 5.4 and 4.19.]
> 
> If packet headers changed, the cached nfct is no longer relevant
> for the packet and an attempt to re-use it leads to incorrect packet
> classification.
> 
> This issue is causing broken connectivity in OpenStack deployments
> with OVS/OVN due to hairpin traffic being unexpectedly dropped.
> 
> The setup has datapath flows with several conntrack actions and tuple
> changes between them:
> 
>   actions:ct(commit,zone=8,mark=0/0x1,nat(src)),
>           set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),
>           set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),
>           ct(zone=8),recirc(0x4)
> 
> After the first ct() action the packet headers are almost fully
> re-written.  The next ct() tries to re-use the existing nfct entry
> and marks the packet as invalid, so it gets dropped later in the
> pipeline.
> 
> Clear the cached conntrack entry whenever the packet tuple is changed
> to avoid the issue.
> 
> The flow key should not be cleared though, because we should still
> be able to match on the ct_state if the recirculation happens after
> the tuple change but before the next ct() action.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
> Reported-by: Frode Nordahl <frode.nordahl@xxxxxxxxxxxxx>
> Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html
> Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856
> Signed-off-by: Ilya Maximets <i.maximets@xxxxxxx>
> Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@xxxxxxx
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> ---
> 
> The patch was already backported down to 5.15.
> This version was adjusted to work on 5.10, 5.4 and 4.19.

Now queued up, thanks!

greg k-h
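
A simplified user-space model of the behaviour the quoted commit message describes, added here as an illustration; it is not the kernel patch or OVS code. All struct and function names, the state bits and the initial 10.0.0.1 -> 10.0.0.2 tuple are assumptions, and "a cached entry that no longer describes the headers yields invalid" is a modelling simplification.

```c
/* Simplified user-space model, not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { CT_TRACKED = 0x1, CT_INVALID = 0x2 };  /* constructed state bits */
struct tuple { uint32_t src, dst; };
struct conn  { struct tuple t; uint16_t zone; };
struct pkt {
    struct tuple hdr;      /* current packet headers */
    struct conn *cached;   /* models the connection cached on the packet */
    uint8_t key_ct_state;  /* models ct_state held in the flow key */
};
static struct conn table[4];
static unsigned n_conns;
static bool same(struct tuple a, struct tuple b) { return a.src == b.src && a.dst == b.dst; }
static struct conn *lookup_or_create(struct tuple t, uint16_t zone) {
    for (unsigned i = 0; i < n_conns; i++)
        if (table[i].zone == zone && same(table[i].t, t)) return &table[i];
    if (n_conns == 4) return NULL;          /* table full */
    table[n_conns] = (struct conn){ .t = t, .zone = zone };
    return &table[n_conns++];
}
/* ct(zone=N): a cached entry in the same zone is re-used without a new lookup. */
static void act_ct(struct pkt *p, uint16_t zone) {
    if (!p->cached || p->cached->zone != zone)
        p->cached = lookup_or_create(p->hdr, zone);
    /* Model assumption: an entry that does not describe the packet yields "invalid". */
    p->key_ct_state = (p->cached && same(p->cached->t, p->hdr)) ? CT_TRACKED : CT_INVALID;
}
/* set(ipv4(...)): rewrite the tuple; with the fix, drop the cached entry only. */
static void act_set_ipv4(struct pkt *p, struct tuple t, bool fixed) {
    p->hdr = t;
    if (fixed) p->cached = NULL;            /* key_ct_state is left untouched */
}
/* ct(zone=8), set(ipv4(...)), ct(zone=8); *mid is ct_state before the second ct(). */
static uint8_t run_flow(bool fixed, uint8_t *mid) {
    struct pkt p = { .hdr = { 0x0A000001, 0x0A000002 } };  /* constructed 10.0.0.1 -> 10.0.0.2 */
    n_conns = 0;
    act_ct(&p, 8);
    act_set_ipv4(&p, (struct tuple){ 0xAC12020A, 0xC0A86406 }, fixed);  /* tuple from the flow */
    *mid = p.key_ct_state;
    act_ct(&p, 8);
    return p.key_ct_state;
}
int main(void) {
    uint8_t mid, before = run_flow(false, &mid), after = run_flow(true, &mid);
    printf("unfixed=%d fixed=%d state-before-2nd-ct=%d\n", before, after, mid);
    return 0;
}
```

In the model, the unfixed run ends in the invalid state, while the fixed run stays tracked and still exposes the earlier ct_state between the tuple change and the second ct().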


