[ovs-dev] [PATCH ovn] ovn-controller: Avoid infinite replying for TCP/ICMP connection reset messages

Mark Gray mark.d.gray at redhat.com
Thu Oct 7 13:30:14 UTC 2021

On 06/10/2021 16:28, mheib at redhat.com wrote:
> From: Mohammad Heib <mheib at redhat.com>
> When the ovn controller receives an ip packet that targets a lport that has ACL
> rule to reject ip packets, the controller will reply with TCP_RST or icmp4/6 unreachable packet
> to notify the sender that the destination is not available.
> In turn, the receiver host will receive the notification packet and handle it as a normal IP packet
> and if the receiver host is part of the same logical-switch/port-group or has IP reject ACL rule
> it will send TCP_RST or icmp4/6 unreachable packet replying to the TCP_RST or icmp4/6 unreachable
> packet we received and here we will enter to an infinity loop of replying about replying which
> will consume high CPU.
> To avoid such scenarios this patch proposes to drop/ignore TCP_RST or icmp4/6 unreachable packets
> that received on lport that has  IP reject ACL rules.
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1934011
> Fixes: 64f8c9e9f ("actions: Add a new OVN action - reject {}.")
> Signed-off-by: Mohammad Heib <mheib at redhat.com>

Looks good. Could you add a test?

More information about the dev mailing list