Commit
Fix conntrack entry leaks because of TCP RST packets not sent to conntrack.

The commit [1] - 28097d5("Fix tcp_reset action handling") fixed an issue with tcp_reset OVN action. In order to fix that issue, this commit added logical flows to skip all the TCP RST packets from conntrack. Ideally it should have skipped only the TCP RST packets generated by ovn-controller from conntrack. Since all the TCP RST packets are skipped from conntrack, the connections in conntrack remain in ESTABLISHED state even if the client/server sends TCP RST to close the connection. And these entries live for a long time and this is causing performance issues as reported in the BZ.

This patch reverts the logical flows added in [1] and modifies the inner actions of tcp_reset in the ingress logical switch pipeline from - "tcp_reset { outport <-> inport; output; }" to "tcp_reset { output <-> inport; next(pipeline=egress,table=5); }". This causes the packet to resubmit to the egress table ls_out_qos_mark skipping the egress ACL stage. Prior to this patch, next action was not allowing a resubmit from ingress to egress pipeline. This patch relaxes this limitation.

For the tcp_reset action in the egress logical switch pipeline, this patch modifies the inner action from - "tcp_reset { outport <-> inport; next(pipeline=ingress,table=0); }" to - "tcp_reset { outport <-> inport; next(pipeline=ingress,table=19); }". This causes the packet to enter the ingress table ls_in_l2_lkup.

We don't see similar conntrack leaks with UDP. Although there is an issue with the acl reject action for UDP packets. When ovn-controller generates icmp destination unreachable packet, it doesn't get delivered. And the IP checksum is incorrect in this packet. A follow up patch will fix these issues.

[1] - 28097d5("Fix tcp_reset action handling")

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1819785
Co-Authored-by: Tim Rozet <trozet@redhat.com>
Signed-off-by: Tim Rozet <trozet@redhat.com>
Acked-by: Dumitru Ceara <dceara@redhat.com>
Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
1 parent: feb5d6e. Commit: b4b6817.
Showing 9 changed files with 217 additions and 38 deletions.
@@ -0,0 +1,37 @@ | ||
#!/usr/bin/env python3 | ||
# Copyright (c) 2020 Red Hat, Inc. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at: | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Simple python script which connects to tcp server and then | ||
# resets the connection. | ||
import argparse | ||
import socket | ||
import sys | ||
import struct | ||
import time | ||
|
||
parser = argparse.ArgumentParser(description='') | ||
parser.add_argument("--src-port", type=int, default=11337, help="source port to use") | ||
parser.add_argument("--dst-port", type=int, help="dst port to use") | ||
parser.add_argument("--dst-ip", help="server ip to use") | ||
args = parser.parse_args() | ||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | ||
server_address = (args.dst_ip, args.dst_port) | ||
sock.bind(('0.0.0.0', args.src_port)) | ||
sock.connect(server_address) | ||
l_onoff = 1 | ||
l_linger = 0 | ||
time.sleep(1) | ||
sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', l_onoff, l_linger)) | ||
sock.close() |
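Review bot: `--dst-ip` and `--dst-port` are not declared `required=True`, so running the script without them does not produce an argparse usage error but fails later at `sock.connect(server_address)` with a TypeError on `(None, None)`; add `required=True` to both `add_argument` calls (and consider giving the parser a non-empty `description`). `import sys` is unused and can be dropped. A one-line comment on the `SO_LINGER` setup (`l_onoff = 1`, `l_linger = 0` makes the following `close()` emit a TCP RST instead of a FIN) would make explicit that this is the client-side RST the conntrack fix is being tested against, which is otherwise only implied by the header comment.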