[ovs-discuss] ovs-conntrack kernel panic

John Hurley john.hurley at netronome.com
Tue Mar 24 16:03:27 UTC 2015


Hi Joe,


Following on from my earlier message, I have tested a few more scenarios.
It seems that Conntrack works fine for UDP and ICMP packet flows.
Earlier I had been testing with TCP traffic.
This is still not working.
Any ideas on why TCP would be failing on the conntrack commit?

I have also noticed that if I replay UDP packets shorter than 64 bytes into
OVS they are rejected by conntract and can cause the kernel panic issue.
The NULL check on the nf_ct_is_confirmed() you mentioned earlier is
required to prevent this from happening.

John


On Tue, Mar 24, 2015 at 9:56 AM, John Hurley <john.hurley at netronome.com>
wrote:

> Hi Joe,
>
> Thanks for the response.
> I have ensured the nf_conntrack_ipv4 module is loaded but still cannot get
> the commit to work.
>
> I am running Ubuntu 14.04
> Kernel version: 3.16.0-30-generic
>
> John
>
> On Mon, Mar 23, 2015 at 6:27 PM, Joe Stringer <joestringer at nicira.com>
> wrote:
>
>> Hi John,
>>
>> I strongly suspect in this case, conntrack has been unable to identify
>> the connection. There's two parts to this: Perhaps you need to load
>> nf_conntrack_ipv4? if that module is not loaded, then conntrack cannot
>> identify any IP traffic. Separately, to address the crash, the line
>> with the nf_ct_is_confirmed() call likely needs to check if ct is
>> non-NULL first.
>>
>> One useful datapoint is what kernel version/distro are you running?
>> I've been testing on the latest net-next, although I should expect it
>> work on anything back to linux-3.10. Perhaps earlier depending on the
>> particular features required, YMMV.
>>
>> Apologies, there's a few bugs like this which I have found in local
>> testing but I have not pushed the changes yet. This is in part because
>> the ongoing development is against the linux tree, so I haven't
>> backported the current development code to build inside the OVS tree.
>>
>> Without the commit, the nf_conntrack tables will not be populated.
>>
>> On 23 March 2015 at 09:49, John Hurley <john.hurley at netronome.com> wrote:
>> > Hi,
>> > I am interested in using Conntrack within OVS and have installed the
>> latest
>> > version from the banch (
>> https://github.com/justinpettit/ovs/tree/conntrack).
>> >
>> > When I run an example mentioned in the tests:
>> >
>> > ovs-ofctl del-flows br0
>> > ovs-ofctl add-flow br0 \
>> >     "in_port=1,conn_state=-trk,tcp,action=ct(commit,zone=9),2"
>> > ovs-ofctl add-flow br0 \
>> >     "in_port=2,conn_state=-trk,tcp,action=ct(recirc,zone=9)"
>> > ovs-ofctl add-flow br0 "in_port=2,conn_state=+trk+est-new,tcp,action=1"
>> > ovs-ofctl add-flow br0
>> "in_port=2,conn_state=+trk-est+new,tcp,action=drop"
>> > ovs-ofctl add-flow br0 priority=10,action=normal
>> >
>> > I am seeing a kernel panic for the 'commit' action.
>> > I have traced this to the nf_ct_is_confirmed(ct) call on the
>> nf_conntrack
>> > module.
>> > If I edit the code to avoid this check I avoid the panic but am getting
>> an
>> > error response from calls such as 'nf_ct_get(skb, &ctinfo)'.
>> >
>> > It appears that ovs-conntrack is not populating the nf_conntrack tables
>> for
>> > me.
>> > Is there any information on installing/running the ovs-conntrack branch
>> > specifically or is there anything else that should be done on top of the
>> > standard OVS installation.
>> > Doing an lsmod I can see both openvswitch and nf_conntrack modules
>> running.
>> >
>> > Thanks,
>> >
>> > John
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > discuss mailing list
>> > discuss at openvswitch.org
>> > http://openvswitch.org/mailman/listinfo/discuss
>> >
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20150324/d1bebd28/attachment-0002.html>


More information about the discuss mailing list