Issue persists after upgrade to kernel 5.9.6

Running only one instance on the compute node allowed identifying the following:

$ ovs-ofctl -O OpenFlow14 dump-flows br-int --color --names --rsort=priority table=72

This line is the only one incrementing (watch -n1 -d):
cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=3723, n_bytes=359585, priority=50,ct_state=+inv+trk actions=resubmit(,93)

Seems like conntrack marks the reply as invalid. This can be checked:
$ ip netns exec qrouter-9984c9f6-cf31-4fb4-9463-82db3c51f0ae conntrack -E
[NEW] tcp 6 120 SYN_SENT src=10.153.0.245 dst=X.X.X.X sport=51266 dport=22 [UNREPLIED] src=192.168.9.78 dst=10.153.0.245 sport=22 dport=51266

Same problem with icmp. Security group allows IPv4 from and to anywhere. Conntrack is by far not full. iptables_hybrid works...
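The two checks in the comment above (watch which table=72 flow counter moves between two dump-flows samples, then read the conntrack event for the same connection) as a small script. This is an added example, not code from the bug report, Neutron or OVS. The ct_state=+inv+trk flow and the conntrack line are the ones quoted in the comment; the other snapshot lines, the "before" counter values and the function names are constructed for the example.

```python
"""Diff two `ovs-ofctl dump-flows` snapshots and flag incrementing ct_state=+inv
flows, then parse `conntrack -E` lines to see whether the reply was ever seen."""
from typing import Dict, List, Optional

# Counters and ages change between snapshots; every other field identifies the flow.
COUNTER_KEYS = {"duration", "n_packets", "n_bytes", "idle_age", "hard_age"}


def parse_flow_line(line: str) -> Optional[dict]:
    """Parse one dump-flows line into {key, n_packets, fields, actions}."""
    line = line.strip()
    if not line.startswith("cookie="):
        return None  # "OFPST_FLOW reply" header or blank line
    head, _, actions = line.partition(" actions=")  # split before commas inside actions
    fields: Dict[str, str] = {}
    for tok in head.split(","):
        tok = tok.strip()
        if tok:
            name, _, value = tok.partition("=")
            fields[name] = value
    ident = ",".join(f"{k}={v}" for k, v in fields.items() if k not in COUNTER_KEYS)
    return {"key": f"{ident} actions={actions}", "n_packets": int(fields.get("n_packets", "0")),
            "fields": fields, "actions": actions}


def parse_dump(dump: str) -> Dict[str, dict]:
    flows: Dict[str, dict] = {}
    for line in dump.splitlines():
        flow = parse_flow_line(line)
        if flow:
            flows[flow["key"]] = flow
    return flows


def incrementing_flows(before: str, after: str) -> List[dict]:
    """Flows whose n_packets grew between snapshots (what `watch -d` highlights)."""
    old, new = parse_dump(before), parse_dump(after)
    hits = []
    for key, flow in new.items():
        delta = flow["n_packets"] - old.get(key, {"n_packets": 0})["n_packets"]
        if delta > 0:
            hits.append({"key": key, "delta": delta, "fields": flow["fields"], "actions": flow["actions"]})
    return hits


def invalid_state_hits(before: str, after: str) -> List[dict]:
    """Incrementing flows that match ct_state=+inv, i.e. packets conntrack rejected."""
    return [h for h in incrementing_flows(before, after) if "+inv" in h["fields"].get("ct_state", "")]


def parse_conntrack_event(line: str) -> dict:
    """Parse one `conntrack -E` line: event, proto, state, flags, original and reply tuples."""
    tokens = line.split()
    event: dict = {"event": None, "state": None, "flags": [], "orig": {}, "reply": {}}
    if tokens and tokens[0].startswith("["):
        event["event"] = tokens.pop(0).strip("[]")
    event["proto"], event["proto_num"], event["timeout"] = tokens.pop(0), int(tokens.pop(0)), int(tokens.pop(0))
    # TCP lines carry a state name before the tuples; ICMP/UDP lines go straight to src=.
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        event["state"] = tokens.pop(0)
    direction = "orig"
    for tok in tokens:
        if tok.startswith("["):
            event["flags"].append(tok.strip("[]"))  # e.g. UNREPLIED, ASSURED
            continue
        name, _, value = tok.partition("=")
        if name == "src" and "src" in event["orig"]:
            direction = "reply"  # the second src= begins the reply tuple
        event[direction][name] = value
    return event


def reply_seen(event: dict) -> bool:
    """False while conntrack still waits for the first reply packet."""
    return "UNREPLIED" not in event["flags"]


# Constructed snapshots one second apart. The +inv+trk flow is the one from the bug
# comment; the other two table=72 flows are made up so the diff has neighbours to ignore.
BEFORE = """\
 cookie=0x46c2e1bc88f3da56, duration=272.104s, table=72, n_packets=3720, n_bytes=359300, priority=50,ct_state=+inv+trk actions=resubmit(,93)
 cookie=0x46c2e1bc88f3da56, duration=272.104s, table=72, n_packets=88, n_bytes=7000, priority=50,ct_state=+est-rel-rpl,ip,reg5=0x5 actions=output:5
 cookie=0x46c2e1bc88f3da56, duration=272.104s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
"""
AFTER = """\
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=3723, n_bytes=359585, priority=50,ct_state=+inv+trk actions=resubmit(,93)
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=91, n_bytes=7240, priority=50,ct_state=+est-rel-rpl,ip,reg5=0x5 actions=output:5
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
"""
# The conntrack event line quoted in the comment (X.X.X.X is the reporter's redaction).
CT_EVENT = ("[NEW] tcp 6 120 SYN_SENT src=10.153.0.245 dst=X.X.X.X sport=51266 dport=22 "
            "[UNREPLIED] src=192.168.9.78 dst=10.153.0.245 sport=22 dport=51266")

if __name__ == "__main__":
    for hit in invalid_state_hits(BEFORE, AFTER):
        print(f"+{hit['delta']} pkts on {hit['key']}")
    ev = parse_conntrack_event(CT_EVENT)
    print(ev["proto"], ev["state"], ev["orig"], "reply seen:", reply_seen(ev))
```

On a live node the two snapshots would come from running the dump-flows command above twice; the +inv filter picks out the same flow the comment identified with watch -d, and the UNREPLIED flag on the conntrack event confirms the reply never matched the entry.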