Comment 6 for bug 1864963

Pavel Szalbot (pavel-szalbot) wrote :

Issue persists after upgrade to kernel 5.9.6

Running only one instance on the compute node allowed me to identify the following:

$ ovs-ofctl -O OpenFlow14 dump-flows br-int --color --names --rsort=priority table=72

This line is the only one incrementing (watch -n1 -d):
cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=3723, n_bytes=359585, priority=50,ct_state=+inv+trk actions=resubmit(,93)

Seems like conntrack marks the reply as invalid. This can be checked with:

$ ip netns exec qrouter-9984c9f6-cf31-4fb4-9463-82db3c51f0ae conntrack -E

[NEW] tcp 6 120 SYN_SENT src=10.153.0.245 dst=X.X.X.X sport=51266 dport=22 [UNREPLIED] src=192.168.9.78 dst=10.153.0.245 sport=22 dport=51266

Same problem with ICMP. The security group allows IPv4 from and to anywhere. Conntrack is by far not full. iptables_hybrid works...
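The "watch -n1 -d" check above can be scripted: take two dumps of the table a second apart, diff the packet counters per flow, and flag any incrementing flow whose match contains ct_state=+inv, since that is the path conntrack-invalid packets take before being resubmitted to the drop table. The script below is an added example for this comment, not code from the bug reporter, Neutron or Open vSwitch. The two snapshots are constructed from the flow line quoted above with invented counters for the other flows; on a real node you would feed it the output of `ovs-ofctl -O OpenFlow14 dump-flows br-int table=72` captured twice.

```python
"""Find which OVS flows are incrementing between two `ovs-ofctl dump-flows` snapshots
and flag the ones matching conntrack-invalid traffic (ct_state=+inv).

Added illustration for the bug comment; not Neutron/OVS code. Sample input is constructed.
"""
import re
from typing import Dict, List, Tuple

# One flow per line. The match part is everything between the counter fields and
# " actions=", e.g. "priority=50,ct_state=+inv+trk". Header lines (OFPST_FLOW reply ...)
# do not match and are skipped.
FLOW_RE = re.compile(
    r"table=(?P<table>\d+),.*?n_packets=(?P<pkts>\d+),\s*n_bytes=(?P<bytes>\d+),\s*"
    r"(?P<match>.*?)\s+actions=(?P<actions>.*)$"
)

FlowKey = Tuple[int, str, str]  # (table, match, actions) identifies a flow across snapshots


def parse_flows(dump: str) -> Dict[FlowKey, Tuple[int, int]]:
    """Map each flow in a dump-flows output to its (n_packets, n_bytes) counters."""
    flows: Dict[FlowKey, Tuple[int, int]] = {}
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        key = (int(m["table"]), m["match"], m["actions"])
        flows[key] = (int(m["pkts"]), int(m["bytes"]))
    return flows


def ct_state_flags(match: str) -> List[str]:
    """Return the ct_state flags of a match string, e.g. ['+inv', '+trk']; [] if absent."""
    m = re.search(r"ct_state=([+\-a-z_]+)", match)
    if not m:
        return []
    return re.findall(r"[+\-][a-z_]+", m.group(1))


def incrementing_flows(before: str, after: str) -> List[dict]:
    """Flows whose packet counter grew between the two snapshots, busiest first.

    Flows present only in the second snapshot are treated as starting from zero.
    """
    t0, t1 = parse_flows(before), parse_flows(after)
    out = []
    for key, (pkts1, bytes1) in t1.items():
        pkts0, bytes0 = t0.get(key, (0, 0))
        if pkts1 > pkts0:
            table, match, actions = key
            out.append({
                "table": table,
                "match": match,
                "actions": actions,
                "packets": pkts1 - pkts0,
                "bytes": bytes1 - bytes0,
                # True when this flow only sees packets conntrack marked invalid
                "ct_invalid": "+inv" in ct_state_flags(match),
            })
    return sorted(out, key=lambda f: -f["packets"])


# Constructed sample: two snapshots of table 72 one second apart. The first line is the
# flow quoted in the comment; the other two flows and all deltas are invented.
SNAPSHOT_T0 = """\
OFPST_FLOW reply (OF1.4) (xid=0x2):
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=3723, n_bytes=359585, priority=50,ct_state=+inv+trk actions=resubmit(,93)
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=88, n_bytes=7040, priority=50,ct_state=+est-rel-rpl-inv+trk actions=resubmit(,94)
 cookie=0x46c2e1bc88f3da56, duration=273.104s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
"""
SNAPSHOT_T1 = """\
OFPST_FLOW reply (OF1.4) (xid=0x2):
 cookie=0x46c2e1bc88f3da56, duration=274.104s, table=72, n_packets=3740, n_bytes=361200, priority=50,ct_state=+inv+trk actions=resubmit(,93)
 cookie=0x46c2e1bc88f3da56, duration=274.104s, table=72, n_packets=88, n_bytes=7040, priority=50,ct_state=+est-rel-rpl-inv+trk actions=resubmit(,94)
 cookie=0x46c2e1bc88f3da56, duration=274.104s, table=72, n_packets=0, n_bytes=0, priority=0 actions=drop
"""

if __name__ == "__main__":
    for f in incrementing_flows(SNAPSHOT_T0, SNAPSHOT_T1):
        tag = "CT-INVALID" if f["ct_invalid"] else "ok"
        print(f"table={f['table']} +{f['packets']} pkts +{f['bytes']} bytes "
              f"[{tag}] {f['match']} actions={f['actions']}")
```

Only the ct_state=+inv+trk flow moves between the two snapshots, which is exactly the symptom described: replies arrive, conntrack classifies them as invalid, and table 72 sends them down the resubmit(,93) path instead of the established-connection path. A flow that keys on the same match but lives in a different table, or whose actions changed, is deliberately treated as a different flow.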