[ovs-dev] Several conntrack problems, including some critical bugs.

Darrell Ball dball at vmware.com
Tue Aug 28 08:08:54 UTC 2018


Thank you for the testing/reports

On 8/27/18, 10:47 PM, "ovs-dev-bounces at openvswitch.org on behalf of Zang MingJie" <ovs-dev-bounces at openvswitch.org on behalf of zealot0630 at gmail.com> wrote:

    While developing application using ovs userspace conntrack, we found
    some bugs worth mention here.
    
    1. conntrack_clean may cause ovs to crash.
    
    The conntrack_clean function iterates through all buckets and frees
    entries in each bucket while holding the bucket lock, but when releasing a NAT
    connection, inside the nat_clean function, the bucket lock is temporarily
    released; if another PMD acquires the lock and modifies the bucket,
    the further iteration may cause an invalid memory access inside the sweep_bucket
    function.

There is a silly bug here; I hit it once myself while doing something else; I’ll send a patch.
    
    2. occasionally DNATs incorrectly to port 1024, regardless of the port specified.
    
    We found 2 scenarios, both of which lead to this result.
    
    First, consider two virtual servers sharing the same backend,
    implemented by DNAT: both V1 and V2 are DNATed to R. While
    there is already a connection C->V1 which is DNATed as C->R, if there is
    another incoming connection C->V2, it will also be DNATed as C->R, causing
    a conntrack table conflict, but instead of dropping the packet, the
    connection is DNATed to port 1024, because the NAT function searches
    through ports 1024 - 65535 when a conflict occurs.
    
    Second, if a conntrack entry is expired but not yet released, mostly
    in TIMEWAIT state, the client may reuse the same port to establish a
    new connection; when this condition is met, it will also cause a
    conflict, and the connection will be DNATed to port 1024 if DNAT is used.

Yep; there is a testing gap here; I’ll roll a patch.
    
    There are also some other problems under investigation, and I'll post
    them when we find the cause.
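The two DNAT conflict scenarios in the report, modelled in a toy conntrack table. This is an added illustration, not OVS code and not the upstream fix: the table layout, the 60-second TTL, the addresses and every function name (nat_tuple_in_use, dnat_buggy, dnat_fixed) are assumptions made for this example. dnat_buggy reproduces the behaviour the report describes (an expired entry still counts as a conflict, and a conflict falls through to the 1024-65535 port search); dnat_fixed shows one defensible handling, which is my assumption rather than the patch Darrell mentions: expired entries are reclaimed during the lookup, and a request whose explicit DNAT target still collides with a live connection is dropped instead of being rewritten to a port nobody asked for.

```c
/* Toy model of a userspace NAT conntrack table (not OVS code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CONNS 16
#define CONN_TTL  60   /* seconds; constructed value for this example */

enum verdict { NAT_OK, NAT_DROP };

struct tuple { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

struct conn {
    bool used;
    struct tuple orig;  /* client -> virtual server, before DNAT */
    struct tuple nat;   /* client -> real backend, after DNAT */
    long expires;       /* absolute time in seconds */
};

static struct conn table[MAX_CONNS];

static void reset_table(void) {
    for (int i = 0; i < MAX_CONNS; i++) table[i].used = false;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* True if some entry already owns the post-NAT tuple *nat. With
 * reclaim_expired set, entries past their expiry (the TIMEWAIT leftovers
 * of scenario 2) are freed on the spot instead of counting as a conflict. */
static bool nat_tuple_in_use(const struct tuple *nat, long now, bool reclaim_expired) {
    bool in_use = false;
    for (int i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &table[i];
        if (!c->used) continue;
        if (reclaim_expired && c->expires <= now) { c->used = false; continue; }
        if (tuple_eq(&c->nat, nat)) in_use = true;
    }
    return in_use;
}

static bool insert_conn(const struct tuple *orig, const struct tuple *nat, long now) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (table[i].used) continue;
        table[i].used = true;
        table[i].orig = *orig;
        table[i].nat = *nat;
        table[i].expires = now + CONN_TTL;
        return true;
    }
    return false;
}

/* Behaviour as described in the report: an expired entry still counts as a
 * conflict, and on conflict the code searches 1024..65535 for a free
 * destination port, so the flow silently lands on R:1024. */
static enum verdict dnat_buggy(const struct tuple *orig, uint32_t r_ip, uint16_t r_port,
                               long now, struct tuple *out) {
    struct tuple nat = *orig;
    nat.dst_ip = r_ip;
    nat.dst_port = r_port;
    if (nat_tuple_in_use(&nat, now, false)) {
        uint32_t p;
        for (p = 1024; p <= 65535; p++) {
            nat.dst_port = (uint16_t)p;
            if (!nat_tuple_in_use(&nat, now, false)) break;
        }
        if (p > 65535) return NAT_DROP;
    }
    if (!insert_conn(orig, &nat, now)) return NAT_DROP;
    *out = nat;
    return NAT_OK;
}

/* Assumed handling (not the upstream fix): reclaim expired entries while
 * looking up, and drop a packet whose requested DNAT tuple still collides
 * with a live connection rather than rewriting it to another port. */
static enum verdict dnat_fixed(const struct tuple *orig, uint32_t r_ip, uint16_t r_port,
                               long now, struct tuple *out) {
    struct tuple nat = *orig;
    nat.dst_ip = r_ip;
    nat.dst_port = r_port;
    if (nat_tuple_in_use(&nat, now, true)) return NAT_DROP;
    if (!insert_conn(orig, &nat, now)) return NAT_DROP;
    *out = nat;
    return NAT_OK;
}

int main(void) {
    /* constructed addresses: C = client, V1/V2 = virtual servers, R = backend */
    const uint32_t C = 0x0a000001, V1 = 0x0a000101, V2 = 0x0a000102, R = 0x0a000201;
    struct tuple c_v1 = { C, V1, 40000, 80 }, c_v2 = { C, V2, 40000, 80 }, out;
    reset_table();
    dnat_buggy(&c_v1, R, 80, 100, &out);
    dnat_buggy(&c_v2, R, 80, 100, &out);
    printf("buggy: C->V2 landed on backend port %u\n", out.dst_port);
    reset_table();
    dnat_fixed(&c_v1, R, 80, 100, &out);
    printf("fixed: C->V2 verdict = %s\n",
           dnat_fixed(&c_v2, R, 80, 100, &out) == NAT_DROP ? "drop" : "ok");
    return 0;
}
```

Running the stand-alone main shows the first scenario: the buggy path answers with port 1024 for the second virtual server, the fixed path drops the colliding connection. The second scenario is the same table driven with a clock past the entry's expiry, which the buggy lookup still treats as a conflict.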