Traffic sent to LRP port recirculate until TTL=0

Bug #1967718 reported by Frode Nordahl
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Status tracked in Caracal | | | |
| Antelope | New | Undecided | Unassigned | |
| Bobcat | New | Undecided | Unassigned | |
| Caracal | New | Undecided | Unassigned | |
| Ovn-22.03 | New | Undecided | Unassigned | |
| Yoga | New | Undecided | Unassigned | |
| Zed | New | Undecided | Unassigned | |
| ovn (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | New | Undecided | Unassigned | |
| Mantic | New | Undecided | Unassigned | |
| Noble | Fix Released | Undecided | Unassigned | |

Bug Description

When TCP/UDP traffic is sent to the address of an LRP port and at the same time is not part of any SNAT/DNAT conversation, it will keep recirculating in the OVS data plane until TTL is 0.

When the packet eventually drops, you might get this message logged:

[ 58.586597] openvswitch: ovs-system: deferred action limit reached, drop recirc action

This behavior is problematic because it wastes resources and could also trigger other potential problems in the data plane quite quickly [0]. For any internet connected system it is also highly likely to occur.

As mentioned above the LRP address is used for both SNAT return traffic and DNAT forwarding, so we would need to allow that traffic to pass and at the same time install flows to prevent this from happening.

0: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-March/051780.html
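
Added example, not part of the original report or of the OVN/OVS code: a log check for the kernel message quoted in the description, grouping hits per datapath so an operator can see whether a host is dropping recirculated packets. The function name, regex and sample lines are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Kernel message quoted in the bug description. The dmesg timestamp is
# optional so journalctl-style lines ("... kernel: openvswitch: ...") match too.
RECIRC_DROP = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s*)?(?:kernel:\s*)?"
    r"openvswitch: (?P<dp>\S+): "
    r"deferred action limit reached, drop recirc action"
)

# Constructed sample input (not captured from a real host).
SAMPLE_LOG = """\
[   58.586597] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[   59.100311] eth0: link up
[   63.912004] openvswitch: ovs-system: deferred action limit reached, drop recirc action
Mar 30 10:15:02 node1 kernel: openvswitch: ovs-system: deferred action limit reached, drop recirc action
[   70.000100] openvswitch: Open vSwitch switching datapath
"""

def summarize_recirc_drops(lines):
    """Group matching lines by datapath: count plus first/last dmesg timestamp."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = RECIRC_DROP.search(line)
        if m is None:
            continue
        entry = stats[m.group("dp")]
        entry["count"] += 1
        if m.group("ts") is not None:  # journal lines carry no uptime stamp
            ts = float(m.group("ts"))
            entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
            entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(stats)

if __name__ == "__main__":
    # Pipe `dmesg` or `journalctl -k` output in; falls back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for dp, s in summarize_recirc_drops(source).items():
        print(f"{dp}: {s['count']} drop message(s), first={s['first']} last={s['last']}")
```

The description says the message only might be logged, so a zero count does not rule out the recirculation itself.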

Frode Nordahl (fnordahl) wrote :
nikhil kshirsagar (nkshirsagar) wrote :

A possibly relevant commit is https://github.com/ovn-org/ovn/commit/8c341b9d704cdf002126699527308203319954f0 which has gone into main and v23.06.0, v23.03.0 and backported to 22.12 through 481f25b784896eec07fedc77631992a009bcdada

Frode Nordahl (fnordahl) wrote :

Indeed, the commit on master is https://github.com/ovn-org/ovn/commit/481f25b784896eec07fedc77631992a009bcdada

I believe the author stopped at 22.12 because it did not backport cleanly farther.

Do you have a desire for it farther back?

Changed in ovn (Ubuntu):
status: New → Fix Released
nikhil kshirsagar (nkshirsagar) wrote :

I tried backporting the 481f25b784896eec07fedc77631992a009bcdada patch to 22.03, which needed 27a92cc272 and a42c808f30, and then some other commits too like 4dc4bc7fdb and ee20c48c2f5ce9d512adfcbea3ee300f8bb09625 for 22.03.

Unfortunately I encountered a lot of build failures on 22.03. I was able to build on 22.09.1 with the order of 481f25b784896eec07fed + 27a92cc272, a42c808f30, but ended up with a lot of failing unit tests, so that wasn't entirely successful either.

My attempts are detailed at https://pastebin.ubuntu.com/p/zf85J63RxY/ and https://pastebin.ubuntu.com/p/m2qvwKwMGR/ and this email communication to the ovn mailing list https://mail.openvswitch.org/pipermail/ovs-dev/2023-August/406940.html

Edward Hope-Morley (hopem) wrote :

This has been successfully backported upstream down to 22.03 (it's in the 22.03.5 point release). So we can either SRU to 22.03.3 (current version in the archives) or SRU the point release.

affects: charm-ovn-central → cloud-archive