[Bug 1957807] [NEW] Fix ct_state nat matching and nat action not being executed

Bodong Wang Thu, 13 Jan 2022 07:00:57 -0800

Public bug reported:

* Explain the bug
 
Netfilter conntrack maintains NAT flags per connection indicating 
whether NAT was configured for the connection. Openvswitch maintains
NAT flags on the per packet flow key ct_state field, indicating
whether NAT was actually executed on the packet.


When a packet misses from tc to ovs the conntrack NAT flags are set.
However, NAT was not necessarily executed on the packet because the
connection's state might still be in NEW state. As such, openvswitch
wrongly assumes that NAT was executed and sets an incorrect flow key
NAT flags.
   
This can lead to incorrect matching on ct_state nat flags, and nat not being 
executed
by ovs.
 
* How to test
 
Create OVS bridge (br-ovs below) with 2 devices $dev1, $dev2 (can be any 
devices), with hw offload enabled.
Configure NAT connection tracking OpenFlow rules which would only be partially 
offloaded to tc/hw
because of dp_hash/hash (groups in openflow) not being offloaded, so we would 
have misses from tc to ovs:

    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs arp,actions=normal
    ovs-ofctl -O OpenFlow12 add-group ovs-br \
         
'group_id=2,type=select,bucket=ct(table=4,zone=5,nat(src=1.1.1.128),commit)'

    #rules
    ovs-ofctl del-flows ovs-br

    ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
    ovs-ofctl add-flow ovs-br "table=0, ip, nw_src=1.1.1.1 
actions=ct(zone=5,table=1,nat)"

    ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"

    ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.128 actions=2" #good 
flow
    ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.1 actions=drop" #bad 
flow


Run single sided UDP traffic from $dev1 to $dev2, and observe source nat not 
being done, 
and hit of drop rule in table=4.

With the fix, the src nat will be done, and table=4 rule which matches
new ip (128) will be hit.

* What it could break.
 
NA

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1957807

Title:
  Fix ct_state nat matching and nat action not being executed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1957807/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1957807] [NEW] Fix ct_state nat matching and nat action not being executed

Reply via email to