[ovs-dev] Several conntrack problems, including some critical bugs.
Darrell Ball
dball at vmware.com
Tue Aug 28 08:08:54 UTC 2018
Thank you for the testing/reports
On 8/27/18, 10:47 PM, "ovs-dev-bounces at openvswitch.org on behalf of Zang MingJie" <ovs-dev-bounces at openvswitch.org on behalf of zealot0630 at gmail.com> wrote:
While developing an application using the OVS userspace conntrack, we found
some bugs worth mentioning here.
1. conntrack_clean may cause an OVS crash.
The conntrack_clean function iterates through all buckets and frees
entries in each bucket while holding the bucket lock, but when releasing a NAT
connection, inside the nat_clean function, the bucket lock is temporarily
released. If another PMD acquires the lock and modifies the bucket,
further iteration may cause invalid memory access inside the sweep_bucket
function.
There is a silly bug here; I hit it once myself while doing something else; I’ll send a patch.
2. Occasionally incorrectly DNATs to port 1024, regardless of the port specified.
We found two scenarios, both of which lead to this result.
First, consider two virtual servers sharing the same backend,
implemented by DNAT: both V1 and V2 are DNAT'd to R. While
there is already a connection C->V1 which is DNAT'd as C->R, if
another incoming connection C->V2 arrives, it will also be DNAT'd as C->R, causing a
conntrack table conflict; but instead of dropping the packet, the
connection is DNAT'd to port 1024, because the NAT function searches
through ports 1024 - 65535 when a conflict occurs.
Second, if a conntrack entry has expired but not yet been released, mostly
in the TIMEWAIT state, the client may reuse the same port to establish a
new connection. When this condition is met, it will also cause a
conflict, and the connection will be DNAT'd to port 1024 if DNAT is used.
Yep; there is a testing gap here; I’ll roll a patch.
There are also some other problems under investigation, and I'll post
them when we find the cause.
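To make the second report concrete, here is a toy conntrack table with DNAT that reproduces both port-1024 scenarios. This is an added example, not OVS code and not the patch Darrell mentions: the structs and function names (ct, conn, dnat_rule, dnat_buggy, dnat_fixed), the constructed addresses, the 30-second expiry and the "reclaim only expired entries, otherwise drop" policy in dnat_fixed are all assumptions made here for illustration. dnat_buggy models the behaviour the report describes (fall back to a 1024-65535 walk on conflict); dnat_fixed shows one way a practitioner would handle the conflict instead.

```c
/* Toy conntrack table with DNAT reproducing the two port-1024 scenarios
 * in the report above.  Added example, not OVS code: all names, the
 * constructed addresses and the policy in dnat_fixed are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS      16
#define EPHEMERAL_MIN 1024   /* range the buggy path falls back to */
#define EPHEMERAL_MAX 65535

struct tuple { uint32_t sip, dip; uint16_t sport, dport; };

/* One connection: the 4-tuple seen on ingress and the post-NAT 4-tuple.
 * Replies from the backend are matched on the post-NAT tuple, so two live
 * entries must never share one.  An expired entry stays until swept. */
struct conn { struct tuple key, nat; long expires; struct conn *next; };
struct ct { struct conn *bucket[NBUCKETS]; };
struct dnat_rule { uint32_t ip; uint16_t port_lo, port_hi; };

static unsigned tuple_hash(const struct tuple *t)
{
    return (t->sip * 31u + t->dip * 17u + t->sport * 7u + t->dport) % NBUCKETS;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->sip == b->sip && a->dip == b->dip &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Entry whose post-NAT tuple equals t, live or expired-but-unswept. */
static struct conn *ct_find_nat(struct ct *ct, const struct tuple *t)
{
    for (struct conn *c = ct->bucket[tuple_hash(t)]; c; c = c->next)
        if (tuple_eq(&c->nat, t)) return c;
    return NULL;
}

static void ct_insert(struct ct *ct, const struct tuple *key,
                      const struct tuple *nat, long expires)
{
    struct conn *c = calloc(1, sizeof *c);
    c->key = *key; c->nat = *nat; c->expires = expires;
    unsigned b = tuple_hash(nat);
    c->next = ct->bucket[b]; ct->bucket[b] = c;
}

static void ct_remove(struct ct *ct, struct conn *victim)
{
    for (struct conn **pp = &ct->bucket[tuple_hash(&victim->nat)]; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; free(victim); return; }
}

static void ct_clear(struct ct *ct)
{
    for (unsigned b = 0; b < NBUCKETS; b++)
        while (ct->bucket[b]) ct_remove(ct, ct->bucket[b]);
}

/* Behaviour described in the report: when the requested destination port is
 * already taken, walk 1024..65535 and silently commit the first free port
 * instead of dropping the packet. */
static bool dnat_buggy(struct ct *ct, const struct tuple *pkt,
                       const struct dnat_rule *r, long now, struct tuple *out)
{
    *out = *pkt; out->dip = r->ip; out->dport = r->port_lo;
    for (uint32_t p = EPHEMERAL_MIN; ct_find_nat(ct, out); p++) {
        if (p > EPHEMERAL_MAX) return false;
        out->dport = (uint16_t)p;
    }
    ct_insert(ct, pkt, out, now + 30);
    return true;
}

/* One defensible policy (an assumption, not OVS's fix): reclaim a conflicting
 * entry only if it has already expired, search only the ports the rule names,
 * and drop the packet when every one of them is held by a live connection. */
static bool dnat_fixed(struct ct *ct, const struct tuple *pkt,
                       const struct dnat_rule *r, long now, struct tuple *out)
{
    *out = *pkt; out->dip = r->ip;
    for (uint32_t p = r->port_lo; p <= r->port_hi; p++) {
        out->dport = (uint16_t)p;
        struct conn *c = ct_find_nat(ct, out);
        if (c && c->expires <= now) { ct_remove(ct, c); c = NULL; } /* stale */
        if (!c) { ct_insert(ct, pkt, out, now + 30); return true; }
    }
    return false;   /* requested port busy with a live flow: drop, don't guess */
}

typedef bool (*dnat_fn)(struct ct *, const struct tuple *,
                        const struct dnat_rule *, long, struct tuple *);

/* Constructed addresses: client C, virtual servers V1/V2, backend R. */
enum { C = 0x0a000001, V1 = 0x0a000101, V2 = 0x0a000102, R = 0x0a000201 };

/* Scenario 1: V1 and V2 both DNAT to R:80 and the same client 4-tuple hits
 * both.  Returns the port committed for the second flow, or -1 if dropped. */
static int scenario_shared_backend(dnat_fn dnat)
{
    struct ct ct = {0};
    struct dnat_rule to_r = { R, 80, 80 };
    struct tuple c_v1 = { C, V1, 40000, 80 }, c_v2 = { C, V2, 40000, 80 }, out;
    dnat(&ct, &c_v1, &to_r, 100, &out);
    int port = dnat(&ct, &c_v2, &to_r, 100, &out) ? out.dport : -1;
    ct_clear(&ct);
    return port;
}

/* Scenario 2: the first flow expired at t=130 but was never swept; at t=200
 * the client reuses source port 40000 for a new connection to the same VIP. */
static int scenario_stale_entry(dnat_fn dnat)
{
    struct ct ct = {0};
    struct dnat_rule to_r = { R, 80, 80 };
    struct tuple c_v1 = { C, V1, 40000, 80 }, out;
    dnat(&ct, &c_v1, &to_r, 100, &out);
    int port = dnat(&ct, &c_v1, &to_r, 200, &out) ? out.dport : -1;
    ct_clear(&ct);
    return port;
}

int main(void)
{
    printf("shared backend: buggy=%d fixed=%d\n",
           scenario_shared_backend(dnat_buggy), scenario_shared_backend(dnat_fixed));
    printf("stale entry:    buggy=%d fixed=%d\n",
           scenario_stale_entry(dnat_buggy), scenario_stale_entry(dnat_fixed));
    return 0;
}
```

With the buggy selector both scenarios commit port 1024, which is exactly the silent misrouting the report describes: traffic for R:80 ends up at R:1024 with no drop counter to alert anyone. The alternative policy drops the genuinely conflicting second flow in scenario 1 and, in scenario 2, evicts the stale TIMEWAIT-style entry so the reused client port lands on R:80 as intended.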
_______________________________________________
dev mailing list
dev at openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev