** Also affects: linux-bluefield (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: linux-bluefield (Ubuntu Focal)
Status: New => In Progress
** Changed in: linux-bluefield (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/1963948
Title:
Fix flow table lookup after ct clear or switching zones
Status in linux-bluefield package in Ubuntu:
Invalid
Status in linux-bluefield source package in Focal:
In Progress
Bug description:
* Explain the bug
Flow table lookup is skipped if the packet either went through the ct clear action
(which sets the IP_CT_UNTRACKED flag on the packet),
or while switching zones when there is already a connection associated with
the packet. This will result in no SW offload of the connection,
and the connection not being removed from the flow table with TCP teardown
(fin/rst packet).
* How to test
Create OVS bridge with 2 veth pairs, put each veth peer device in a different
namespace - ns0, ns1, and add
the other side veth devices (named ns[01]_veth below) to OVS bridge.
Configure the namespace devices with
an ip, and bring all devices up.
Enable HW offload in ovs and configure connection tracking OpenFlow rules
that pass via two zones (but drop the FIN packets on the reply side
or they will still teardown the connection in second zone from the reply side
as it happens first):
ovs-ofctl add-flow br-ovs "arp actions=NORMAL"
ovs-ofctl add-flow br-ovs "ct_state=-trk,ip,in_port=ns0_veth actions=ct(table=5,zone=5)"
ovs-ofctl add-flow br-ovs "ct_state=-trk,tcp,in_port=ns1_veth,tcp_flags=-fin actions=ct(table=8,zone=7)"
ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=5),ct(table=7,zone=7)"
ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=ct(table=7,zone=7)"
ovs-ofctl add-flow br-ovs "ct_state=+new+trk,ip,in_port=ns0_veth actions=ct(commit,zone=7),output:ns1_veth"
ovs-ofctl add-flow br-ovs "ct_state=+est+trk,ip,in_port=ns0_veth actions=output:ns1_veth"
ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=ct(table=9,zone=5)"
ovs-ofctl add-flow br-ovs "ct_state=+est+trk,tcp,in_port=ns1_veth actions=output:ns0_veth"
Run TCP iperf from the ns0 namespace to an iperf server in the ns1 namespace
with the given ip.
After traffic ends, check
cat /proc/net/nf_conntrack | grep -i offload
If the bug occurs, connections will remain offloaded till timeout; otherwise,
they will be in
teardown state.
* What it could break.
NA
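
The conntrack check from the "How to test" steps, as an added example that is not part of the original bug report: it counts TCP entries still marked offloaded per conntrack zone and fails if any remain. The function names and the sample lines are constructed for illustration; on a test host, feed it /proc/net/nf_conntrack after the iperf run has finished.

```shell
#!/bin/sh
# Added example (not from the bug report): verify flow table teardown.

# Constructed sample lines in /proc/net/nf_conntrack layout (not captured
# output). The first two are still offloaded, the third has been torn down.
sample_conntrack() {
cat <<'EOF'
ipv4     2 tcp      6 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=5201 src=10.0.0.2 dst=10.0.0.1 sport=5201 dport=40000 [OFFLOAD] mark=0 zone=5 use=3
ipv4     2 tcp      6 src=10.0.0.1 dst=10.0.0.2 sport=40000 dport=5201 src=10.0.0.2 dst=10.0.0.1 sport=5201 dport=40000 [OFFLOAD] mark=0 zone=7 use=3
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.1 dst=10.0.0.2 sport=40002 dport=5201 src=10.0.0.2 dst=10.0.0.1 sport=5201 dport=40002 [ASSURED] mark=0 zone=5 use=2
EOF
}

# Read conntrack lines on stdin and print "zone count" for every zone that
# still holds offloaded TCP entries ([OFFLOAD] or [HW_OFFLOAD]).
offloaded_by_zone() {
    awk '$3 == "tcp" && /\[(HW_)?OFFLOAD\]/ {
             z = "0"                    # no zone= field means default zone 0
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^zone=/) z = substr($i, 6)
             n[z]++
         }
         END { for (z in n) print z, n[z] }' | sort -n
}

# Return 0 when no TCP entry is still offloaded, 1 otherwise (details on stderr).
check_teardown() {
    left=$(offloaded_by_zone)
    [ -z "$left" ] && return 0
    echo "still offloaded after traffic ended (zone count):" >&2
    echo "$left" >&2
    return 1
}

# Demonstration on the constructed sample; on a test host use instead:
#   check_teardown < /proc/net/nf_conntrack
sample_conntrack | offloaded_by_zone
```

Reporting per zone shows whether the leftover entries sit in zone 5, zone 7, or both, which matters here because the rules pass each connection through two zones.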