[ovs-discuss] Issue with connection tracking for packets modified in pipeline

Aswin S aswinsuryan at gmail.com
Thu Jun 1 12:23:39 UTC 2017


Hi,
When SG is implemented using conntrack rules , TCP connection via FIP
between vms in the same compute is failing

In my topology I have two vm on the same compute both having floating ip
associated with it and the fip translation is done using openflow rules.

When using vm internal network ip it is working fine and I can ssh to the
other vm.

The conntrack event logs are as follows (Src ip 10.100.5.5 Dest Ip
10.100.5.12
   [NEW] tcp      6 120 SYN_SENT src=10.100.5.5 dst=10.100.5.12 sport=43724
dport=22 [UNREPLIED] src=10.100.5.12 dst=10.100.5.5 sport=22 dport=43724
zone=5001
 [UPDATE] tcp      6 60 SYN_RECV src=10.100.5.5 dst=10.100.5.12 sport=43724
dport=22 src=10.100.5.12 dst=10.100.5.5 sport=22 dport=43724 zone=5001
 [UPDATE] tcp      6 432000 ESTABLISHED src=10.100.5.5 dst=10.100.5.12
sport=43724 dport=22 src=10.100.5.12 dst=10.100.5.5 sport=22 dport=43724
[ASSURED] zone=5001


But when I use FIP(the TCP packets are marked as Invalid and dropped.

The SYN reaches the second vm which sends back the SYN ack and the status
of conntrack entry is updated at the destination. Though the SYN-ACK
reaches vm1 the conntrack state still remain UNREPLIED and the ack packet
send to vm2 is marked as invalid and dropped. In the pipeline the packet is
submitted to the conntrack both at egress and ingress side. The packet is
submitted to conntrack after the fip modification.

The conntrack event logs (Vm1 10.100.5.5, 192.168.56.29, Vm2 10.100.5.12,
192.168.56.23)

     [NEW] tcp      6 120 SYN_SENT src=10.100.5.12 dst=192.168.56.29
sport=58218 dport=22 [UNREPLIED] src=192.168.56.29 dst=10.100.5.12 sport=22
dport=58218 zone=5001
    [NEW] tcp      6 120 SYN_SENT src=192.168.56.23 dst=10.100.5.5
sport=58218 dport=22 [UNREPLIED] src=10.100.5.5 dst=192.168.56.23 sport=22
dport=58218 zone=5001
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.56.23 dst=10.100.5.5
sport=58218 dport=22 src=10.100.5.5 dst=192.168.56.23 sport=22 dport=58218
zone=5001


The issue is not limited to TCP, if try with ICMP with FIP, the ping packet
from vm1 to vm2 will be always new state in the connection tracker. This
works(both TCP and ICMP) fine if the vm are two compute nodes. So is this
an issue when a modified packet in the pipeline is  submitted to connection
tracker? Does netfilter/ovs conntrack check for any other field than src
ip/ port dest ip/port for marking a packet as reply pakcet?

I am using ovs 2.7.0. I have reported an issue a while ago[1] which still
exsits and this seems to be related

[1]
https://mail.openvswitch.org/pipermail/ovs-discuss/2016-December/043228.html


Thanks
Aswin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20170601/67a22f85/attachment.html>


More information about the discuss mailing list