[ovs-git] [ovn-org/ovn] 64cc06: northd: Add lflows to send all pkts to conntrack i...

numansiddique noreply at github.com
Fri Sep 11 15:15:16 UTC 2020

  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: 64cc065e2c59c0696edeef738180989d993ceceb
  Author: Numan Siddique <numans at ovn.org>
  Date:   2020-09-11 (Fri, 11 Sep 2020)

  Changed paths:
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c

  Log Message:
  northd: Add lflows to send all pkts to conntrack if LB is configured on a lswitch.

Prior to this patch, if a load balancer is configured on a logical switch but with no
ACLs with allow-related configured, then in the ingress pipeline only the packets
with ip.dst = VIP will be sent to conntrack using the zone id of the source logical port.

If the backend of the load balancer sends an invalid packet (for example, an invalid TCP
sequence number), then such packets will be delivered to the source logical port VIF
without unDNATting. This causes the source to reset the connection.

This patch fixes this issue by sending all the packets to conntrack if a load balancer
is configured on the logical switch. Because of this, any invalid (ct.inv) packets will
be dropped in the ingress pipeline itself.

Unfortunately this impacts the performance as now there will be extra recirculations
because of ct and ct_commit (for new connections) actions.

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1870359
Reported-by: Tim Rozet (trozet at redhat.com)
Acked-by: Dumitru Ceara <dceara at redhat.com>
Acked-by: Mark Michelson <mmichels at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>
