[ovs-discuss] ovs-conntrack kernel panic

Joe Stringer joestringer at nicira.com
Mon Mar 23 18:27:43 UTC 2015

Hi John,

I strongly suspect in this case, conntrack has been unable to identify
the connection. There's two parts to this: Perhaps you need to load
nf_conntrack_ipv4? If that module is not loaded, then conntrack cannot
identify any IP traffic. Separately, to address the crash, the line
with the nf_ct_is_confirmed() call likely needs to check if ct is
non-NULL first.

One useful datapoint is what kernel version/distro are you running?
I've been testing on the latest net-next, although I should expect it
to work on anything back to linux-3.10. Perhaps earlier depending on the
particular features required, YMMV.

Apologies, there's a few bugs like this which I have found in local
testing but I have not pushed the changes yet. This is in part because
the ongoing development is against the linux tree, so I haven't
backported the current development code to build inside the OVS tree.

Without the commit, the nf_conntrack tables will not be populated.

On 23 March 2015 at 09:49, John Hurley <john.hurley at netronome.com> wrote:
> Hi,
> I am interested in using Conntrack within OVS and have installed the latest
> version from the branch (https://github.com/justinpettit/ovs/tree/conntrack).
> When I run an example mentioned in the tests:
> ovs-ofctl del-flows br0
> ovs-ofctl add-flow br0 \
>     "in_port=1,conn_state=-trk,tcp,action=ct(commit,zone=9),2"
> ovs-ofctl add-flow br0 \
>     "in_port=2,conn_state=-trk,tcp,action=ct(recirc,zone=9)"
> ovs-ofctl add-flow br0 "in_port=2,conn_state=+trk+est-new,tcp,action=1"
> ovs-ofctl add-flow br0 "in_port=2,conn_state=+trk-est+new,tcp,action=drop"
> ovs-ofctl add-flow br0 priority=10,action=normal
> I am seeing a kernel panic for the 'commit' action.
> I have traced this to the nf_ct_is_confirmed(ct) call on the nf_conntrack
> module.
> If I edit the code to avoid this check I avoid the panic but am getting an
> error response from calls such as 'nf_ct_get(skb, &ctinfo)'.
> It appears that ovs-conntrack is not populating the nf_conntrack tables for
> me.
> Is there any information on installing/running the ovs-conntrack branch
> specifically or is there anything else that should be done on top of the
> standard OVS installation.
> Doing an lsmod I can see both openvswitch and nf_conntrack modules running.
> Thanks,
> John
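
The non-NULL guard suggested in the reply above, as an added userspace model that is not part of the original thread and not OVS or kernel source. The structs and helpers are simplified stand-ins (the real nf_ct_get() also returns ctinfo), and ct_commit_model() is a hypothetical name.

```c
/* Userspace model (constructed): not OVS or kernel source. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define IPS_CONFIRMED_BIT 3            /* same bit number the kernel uses */

struct nf_conn { unsigned long status; };
struct sk_buff { struct nf_conn *nfct; };   /* only the field needed here */

/* Simplified helper: returns NULL when no conntrack entry is attached. */
static struct nf_conn *nf_ct_get(const struct sk_buff *skb)
{
    return skb->nfct;
}

/* Dereferences ct unconditionally, so a NULL ct would fault here. */
static int nf_ct_is_confirmed(const struct nf_conn *ct)
{
    return (int)((ct->status >> IPS_CONFIRMED_BIT) & 1UL);
}

/* Hypothetical commit step with the guard in place.
 * Returns -EINVAL if untracked, 0 if already confirmed, 1 if confirmed now. */
int ct_commit_model(struct sk_buff *skb)
{
    struct nf_conn *ct = nf_ct_get(skb);

    if (!ct)                           /* e.g. no L3 tracker identified the packet */
        return -EINVAL;
    if (nf_ct_is_confirmed(ct))
        return 0;
    ct->status |= 1UL << IPS_CONFIRMED_BIT;   /* stand-in for confirming the entry */
    return 1;
}

int main(void)
{
    struct nf_conn conn = { 0 };
    struct sk_buff untracked = { NULL }, tracked = { &conn };

    printf("untracked: %d\n", ct_commit_model(&untracked));
    printf("first commit: %d\n", ct_commit_model(&tracked));
    printf("second commit: %d\n", ct_commit_model(&tracked));
    return 0;
}
```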