Thanks for the backport from upstream!
May I request a backport of patch [1] and this patch down to the supported branches?

Thanks.

1: https://github.com/openvswitch/ovs/commit/6a101a6c8372570a30e0f8edb558c8a69cc80e7d

Regards,
Vladislav Odintsov

On 12 Oct 2021, at 22:30, Ilya Maximets <i.maxim...@ovn.org> wrote:

On 9/9/21 21:59, Paolo Valerio wrote:
Dumitru Ceara <dce...@redhat.com> writes:

Upstream commit:
   commit 8aa7b526dc0b5dbf40c1b834d76a667ad672a410
   Author: Dumitru Ceara <dce...@redhat.com>
   Date:   Wed Oct 7 17:48:03 2020 +0200

   openvswitch: handle DNAT tuple collision

   With multiple DNAT rules it's possible that after destination
   translation the resulting tuples collide.

   For example, two openvswitch flows:
   nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
   nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))

   Assuming two TCP clients initiating the following connections:
   10.0.0.10:5000->10.0.0.10:10
   10.0.0.10:5000->10.0.0.20:10

   Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
   nf_conntrack_confirm() to fail because of tuple collision.

   Netfilter handles this case by allocating a null binding for SNAT at
   egress by default.  Perform the same operation in openvswitch for DNAT
   if no explicit SNAT is requested by the user and allocate a null binding
   for SNAT for packets in the "original" direction.

   Reported-at: https://bugzilla.redhat.com/1877128
   Suggested-by: Florian Westphal <f...@strlen.de>
   Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
   Signed-off-by: Dumitru Ceara <dce...@redhat.com>
   Signed-off-by: Jakub Kicinski <k...@kernel.org>

Fixes: f8f97cdce9ad ("datapath: Interface with NAT.")
Signed-off-by: Dumitru Ceara <dce...@redhat.com>
---

Acked-by: Paolo Valerio <pvale...@redhat.com>

Thanks!  Applied.

Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
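
The collision described in the quoted commit message, as an added example that is not part of this thread and is not kernel or Open vSwitch code: a toy C model in which both connections end up with the same translated tuple, so the second one fails to confirm unless a null SNAT binding moves it to another source port. The table, `in_use`, `confirm`, `null_snat`, `run_example` and the linear port search are assumptions of this sketch; real conntrack port selection differs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; }; /* translated 4-tuple */
static struct tuple table[8]; /* stand-in for the conntrack table */
static int n_conns;

static bool in_use(const struct tuple *t)
{
    for (int i = 0; i < n_conns; i++)
        if (table[i].src == t->src && table[i].dst == t->dst &&
            table[i].sport == t->sport && table[i].dport == t->dport)
            return true;
    return false;
}
/* Toy confirm step: fails if the translated tuple is already tracked. */
static bool confirm(const struct tuple *t)
{
    if (n_conns == 8 || in_use(t))
        return false;
    table[n_conns++] = *t;
    return true;
}
/* Null SNAT binding: keep the source unless the tuple collides (toy search). */
static void null_snat(struct tuple *t)
{
    for (int tries = 0; tries < 65536 && in_use(t); tries++)
        t->sport = t->sport == 65535 ? 1024 : t->sport + 1;
}
/* Both clients from the commit message; returns how many connections confirm. */
int run_example(bool use_null_snat, uint16_t *sport2)
{
    int ok = 0;
    n_conns = 0;
    for (int i = 0; i < 2; i++) { /* original dst 10.0.0.10:10, then 10.0.0.20:10 */
        /* After nat(dst=20.0.0.1:20) both are 10.0.0.10:5000 -> 20.0.0.1:20. */
        struct tuple t = { 0x0a00000a, 0x14000001, 5000, 20 };
        if (use_null_snat)
            null_snat(&t);
        ok += confirm(&t);
        *sport2 = t.sport; /* source port of the last connection handled */
    }
    return ok;
}

int main(void)
{
    uint16_t p;
    int plain = run_example(false, &p), fixed = run_example(true, &p);
    printf("DNAT only: %d confirmed; with null SNAT: %d (sport %u)\n", plain, fixed, p);
}
```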
