Openvswitch matching broken for nat packets in the related state
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Linux kernel commit ebddb1404900 ("net: move the nat function to
nf_nat_ovs for ovs and tc") introduced a regression into the kernel
openvswitch datapath which prevented the match key from being updated
when nat was undone for packets in the related conntrack state. This
issue caused these packets (usually ICMP/ICMPv6 error packets) to
match the wrong openflow rule when processed by openvswitch.
This commit is present in Ubuntu kernel versions v6.2 and v6.5.
This issue was fixed in upstream linux kernel commit e6345d2824a3 ("netfilter:
nf_nat: fix action not being set for all ct states"). Which is included
in upstream linux kernel versions v6.7 and v6.6.11. This commit can be found
in the kernel stable tree:
Discussion for this patch can be found on this netdev mailing list thread:
https://<email address hidden>/T/
Test cases to reproduce the bug with both the openvswitch test suite
and linux kernel self-tests can be found on the ovs-dev mailing list:
https:/
Can commit e6345d2824a3 be considered for SRU in jammy-hwe, lunar and mantic?
| Brad Cowie (bradcowie) wrote | #1 |
| Changed in linux (Ubuntu): | |
| status: | New → Fix Released |
Fixed by linux 6.5.0-27.28