Public bug reported:

OVN 25.09.1+ produces duplicate/malformed ICMP fragmentation-needed replies on
distributed routers with SNAT. The regression was introduced by commit
d702b0ed1 ("northd: Avoid committing DNAT traffic to SNAT zone"). Two logical
flows at S_ROUTER_OUT_SNAT overlap — one matching (!ct.trk || !ct.rpl) &&
flags.unsnat_new == 1 and another matching ct.new — both execute for
SNAT-originated ICMP errors, causing a double ct_commit_to_zone(snat).

Failing autopkgtests:
- LR with SNAT fragmentation needed for external server
- DNAT and SNAT on distributed router - N/S - IPv6
- Traffic to router port via LLA

Fix: Add flags.unsnat_new == 0 guard to the second flow so the two are mutually
exclusive.

** Affects: ovn (Ubuntu)
     Importance: Undecided
     Assignee: mj (crypticcoder)
         Status: New

** Changed in: ovn (Ubuntu)
     Assignee: (unassigned) => mj (crypticcoder)
--
https://bugs.launchpad.net/bugs/2154492
Title:
25.09: Duplicate ICMPv6 fragmentation-needed packets with SNAT on
distributed router
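
The overlap described in the report can be checked by enumerating packet states against the two match expressions. The following is an added example, not code from OVN or from the bug reporter: it models only the match fields quoted in the report, the function names are hypothetical, and it assumes that ct.new and ct.rpl are only set on tracked (ct.trk) packets.

```python
from itertools import product

# Only the fields quoted in the bug report are modelled; real logical flows
# match on more than this.
FIELDS = ("ct_trk", "ct_new", "ct_rpl", "unsnat_new")


def flow_a(s):
    # First flow: (!ct.trk || !ct.rpl) && flags.unsnat_new == 1
    return (not s["ct_trk"] or not s["ct_rpl"]) and s["unsnat_new"] == 1


def flow_b_before(s):
    # Second flow as described in the report before the fix: ct.new
    return bool(s["ct_new"])


def flow_b_after(s):
    # Second flow with the proposed guard: ct.new && flags.unsnat_new == 0
    return bool(s["ct_new"]) and s["unsnat_new"] == 0


def valid(s):
    # Assumption: ct.new and ct.rpl are only meaningful when ct.trk is set.
    return bool(s["ct_trk"]) or not (s["ct_new"] or s["ct_rpl"])


def overlaps(first, second):
    """Return every valid packet state that both match expressions accept."""
    hits = []
    for values in product((0, 1), repeat=len(FIELDS)):
        state = dict(zip(FIELDS, values))
        if valid(state) and first(state) and second(state):
            hits.append(state)
    return hits


if __name__ == "__main__":
    for label, second in (("before fix", flow_b_before),
                          ("after fix", flow_b_after)):
        hits = overlaps(flow_a, second)
        print(f"{label}: {len(hits)} overlapping state(s)")
        for state in hits:
            print("   ", state)
```

Under these assumptions the only state both original flows accept is a tracked, new, non-reply packet with flags.unsnat_new set, and the guarded second flow no longer accepts it.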