CT: check offload bit on table dump
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux-bluefield (Ubuntu) | Invalid | Undecided | Unassigned | |
Focal | Fix Released | Undecided | Unassigned | |
Bug Description
SRU Justification:
possible race cleaning ct conns too early.
* Explain the bug(s)
There is a possible race between updating established conn timeout
and initial timeout expiring.
* brief explanation of fixes
In normal flow, established conns get their timeout extended to a day and
the GC keeps extending them if the timeout is below half a day.
But it looks like there is a possible race in which the initial timeout expires
before that timeout is extended.
This is a temporary fix, and how to avoid this
potential race on the timeout is still being investigated.
* How to test
Huge amount of traffic; we used an Ixia traffic generator. During traffic, you can dump conntrack
using "conntrack -L" or "cat /proc/net/
After the conns are offloaded, stop the traffic and wait a few seconds. Now check whether all conntrack conns
are still offloaded. We noticed that sometimes a few conns are missing.
* What it could break.
CT conns expiring too soon, so sometimes idle sessions starting traffic again would have some
first packets not offloaded, and conntrack would re-offload the CT conn.
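The check in the "How to test" step can be scripted. The following is an added example, not part of the original report or of the kernel fix: it compares a `conntrack -L` dump taken during traffic with one taken after traffic stops, and lists connections that were offloaded in the first dump but are gone or no longer flagged in the second. It assumes offloaded entries carry the `[OFFLOAD]` or `[HW_OFFLOAD]` status flag; the sample dumps and function names are constructed for illustration.

```python
# Added example: diff two `conntrack -L` dumps and list lost offloads.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}
FLAGS = ("[HW_OFFLOAD]", "[OFFLOAD]")

# Constructed sample dumps (addresses and ports are made up).
DURING = """\
tcp 6 86399 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40001 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40001 [HW_OFFLOAD] mark=0 use=2
tcp 6 86399 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40002 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40002 [HW_OFFLOAD] mark=0 use=2
tcp 6 86399 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40003 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40003 [OFFLOAD] mark=0 use=2
"""
AFTER = """\
tcp 6 86390 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40001 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40001 [HW_OFFLOAD] mark=0 use=2
tcp 6 431990 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=40002 dport=80 src=10.0.0.2 dst=10.0.0.1 sport=80 dport=40002 [ASSURED] mark=0 use=1
"""

def parse(dump):
    """Map (proto, original-direction tuple) -> offload flag or None."""
    table = {}
    for line in dump.splitlines():
        tokens = line.split()
        # Keep only tuple fields; this drops counters such as packets=/bytes=.
        kv = [t for t in tokens if t.split("=")[0] in TUPLE_KEYS]
        starts = [i for i, t in enumerate(kv) if t.startswith("src=")]
        if not starts:
            continue  # header, blank or unparsable line
        # The original direction runs from the first src= to the reply src=.
        end = starts[1] if len(starts) > 1 else len(kv)
        key = (tokens[0],) + tuple(kv[starts[0]:end])
        table[key] = next((f for f in FLAGS if f in tokens), None)
    return table

def lost_offload(during, after):
    """Return {conn: reason} for conns offloaded in `during` but not in `after`."""
    before, now = parse(during), parse(after)
    lost = {}
    for key, flag in before.items():
        if flag is None:
            continue  # was never offloaded, nothing to lose
        if key not in now:
            lost[key] = "entry gone"
        elif now[key] is None:
            lost[key] = "entry present, offload flag cleared"
    return lost

if __name__ == "__main__":
    for conn, reason in lost_offload(DURING, AFTER).items():
        print(" ".join(conn), "->", reason)
```

To use it on a real system, replace the two sample strings with saved output of `conntrack -L` captured during traffic and a few seconds after it stops.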
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: New → In Progress
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-done-focal; removed: verification-needed-focal
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!