Fixed by linux 6.5.0-27.28

** Changed in: linux (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/2048942

Title:
  Openvswitch matching broken for nat packets in the related state

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Linux kernel commit ebddb1404900 ("net: move the nat function to nf_nat_ovs for ovs and tc") introduced a regression into the kernel openvswitch datapath which prevented the match key from being updated when nat was undone for packets in the related conntrack state. This issue caused these packets (usually ICMP/ICMPv6 error packets) to match the wrong openflow rule when processed by openvswitch.

  This commit is present in Ubuntu kernel versions v6.2 and v6.5.

  This issue was fixed in upstream linux kernel commit e6345d2824a3 ("netfilter: nf_nat: fix action not being set for all ct states"), which is included in upstream linux kernel versions v6.7 and v6.6.11. This commit can be found in the kernel stable tree:
  https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e6345d2824a3f58aab82428d11645e0da861ac13

  Discussion for this patch can be found on this netdev mailing list thread:
  https://lore.kernel.org/netdev/20231221224311.130319-1-b...@faucet.nz/T/

  Test cases to reproduce the bug with both the openvswitch test suite and linux kernel self-tests can be found on the ovs-dev mailing list:
  https://mail.openvswitch.org/pipermail/ovs-dev/2024-January/410476.html

  Can commit e6345d2824a3 be considered for SRU in jammy-hwe, lunar and mantic?
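
A simplified model of the regression described in the bug description, added here as an illustration and not taken from the kernel or from this bug report. All names (`nat_execute`, `process`, `key_is_stale`, `ACT_DNAT`) and the addresses are constructed, and the early return that skips the action bit is an assumption inferred from the title of the fix.

```c
/* Simplified model; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_RELATED };

struct pkt      { uint32_t dst; enum ct_state state; };
struct flow_key { uint32_t dst; };

#define ACT_DNAT 0x1u

/* Undo NAT on the packet and report what was done in *action.
 * regressed=true models the bug: the related-state path (ICMP errors)
 * returns early without setting the action bit. */
static void nat_execute(struct pkt *p, uint32_t orig_dst, bool regressed,
                        unsigned *action)
{
    p->dst = orig_dst;                  /* the header is rewritten either way */
    if (p->state == CT_RELATED && regressed)
        return;                         /* action bit never set */
    *action |= ACT_DNAT;
}

/* Datapath step: the match key is refreshed only when an action is reported. */
static struct flow_key process(struct pkt *p, uint32_t orig_dst, bool regressed)
{
    struct flow_key key = { .dst = p->dst };  /* key extracted before NAT */
    unsigned action = 0;

    nat_execute(p, orig_dst, regressed, &action);
    if (action & ACT_DNAT)
        key.dst = p->dst;               /* key follows the rewritten header */
    return key;
}

/* True when the key used for rule lookup disagrees with the packet header. */
static bool key_is_stale(enum ct_state state, bool regressed)
{
    struct pkt p = { .dst = 0x0a000001u, .state = state };  /* constructed */
    struct flow_key key = process(&p, 0xc0a80001u, regressed);
    return key.dst != p.dst;
}

int main(void)
{
    printf("related, regressed: stale=%d\n", key_is_stale(CT_RELATED, true));
    printf("related, fixed:     stale=%d\n", key_is_stale(CT_RELATED, false));
    return 0;
}
```

A stale key is what makes the rule lookup run against pre-NAT addresses, so a rule written for the translated address is skipped and a different one matches.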