From: Brad Cowie
To: horms@kernel.org
Cc: aconole@redhat.com, brad@faucet.nz, coreteam@netfilter.org, davem@davemloft.net, dev@openvswitch.org, edumazet@google.com, fw@strlen.de, kadlec@netfilter.org, kuba@kernel.org, linux-kernel@vger.kernel.org, lucien.xin@gmail.com, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pabeni@redhat.com, pablo@netfilter.org
Subject: Re: [PATCH net] netfilter: nf_nat: fix action not being set for all ct states
Date: Sun, 24 Dec 2023 15:47:25 +1300
Message-Id: <20231224024725.80516-1-brad@faucet.nz>
In-Reply-To: <20231223211306.GA215659@kernel.org>
References: <20231223211306.GA215659@kernel.org>

On Sun, 24 Dec 2023 at 10:13, Simon Horman wrote:
> Thanks Brad,
>
> I agree with your analysis and that the problem appears to
> have been introduced by the cited commit.

Thanks for the review, Simon.

> I am curious to know what use case triggers this /
> why it went unnoticed for a year.

We encountered this issue while upgrading some routers from Linux 5.15 to 6.2.
The dataplane on these routers is provided by an openvswitch bridge which is controlled via openflow by faucet. These routers are also performing SNAT on all traffic to/from the WAN interface via openvswitch conntrack openflow rules.

We noticed that after upgrading the Linux kernel, traceroute/mtr no longer worked when run from clients behind the router. We eventually discovered the reason for this is that the ICMP time exceeded messages elicited by traceroute were matching openflow rules with the incorrect destination IP, despite there being an openflow rule to undo the NAT. Other packets in the established or new state matched the expected openflow rules.

A git bisect between 5.15 and 6.2 showed that this change in behaviour was introduced by commit ebddb1404900. After the above patch is applied, our routers perform NAT correctly again for traceroute/mtr.
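The setup and symptom described in the mail above, as an added example that is not part of the thread and is not code from the kernel, Open vSwitch or faucet: a small Python model of conntrack-based SNAT driven by an OpenFlow-style new/established/related rule set. The addresses, ports, port names and the `nat_for_related` switch are constructed for illustration; the switch only reproduces the reported behaviour (the stored NAT mapping not being applied to a RELATED ICMP error, so a later table sees the WAN address as destination) and is not a description of the kernel's actual code path.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed addresses for the example (not taken from the mail).
LAN_CLIENT = "192.168.1.10"   # traceroute client behind the router
WAN_IP = "203.0.113.5"        # router's WAN address used for SNAT
HOP_ROUTER = "198.51.100.1"   # upstream hop that answers with ICMP time exceeded
TARGET = "192.0.2.1"          # traceroute destination


@dataclass(frozen=True)
class Pkt:
    in_port: str                      # "lan" or "wan"
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None   # 11 = time exceeded
    inner: Optional["Pkt"] = None     # quoted datagram carried inside an ICMP error


def tuple5(p: Pkt):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def invert(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Minimal tracker with SNAT. `nat_for_related=False` models the symptom:
    the ct(nat) action is not honoured for RELATED entries (an assumption)."""

    def __init__(self, nat_for_related: bool):
        self.nat_for_related = nat_for_related
        self.entries = {}   # original tuple -> reply tuple (post-SNAT, as the WAN sees it)

    def classify(self, p: Pkt):
        """Return (ct_state, original tuple), mirroring ct_state=+new/+est/+rel."""
        if p.icmp_type == 11 and p.inner is not None:
            # ICMP errors are matched through the quoted inner header: the inner
            # datagram is the probe as it left the WAN side, so inverting it
            # yields the reply tuple of the tracked flow.
            want = invert(tuple5(p.inner))
            for orig, reply in self.entries.items():
                if reply == want:
                    return "rel", orig
            return "inv", None
        t = tuple5(p)
        for orig, reply in self.entries.items():
            if t in (orig, reply):
                return "est", orig
        return "new", None

    def commit_snat(self, p: Pkt) -> Pkt:
        """ct(commit,nat(src=WAN_IP)): record the flow and rewrite the source."""
        natted = replace(p, src=WAN_IP)
        self.entries[tuple5(p)] = invert(tuple5(natted))
        return natted

    def nat(self, p: Pkt, state: str, orig) -> Pkt:
        """ct(nat): apply the stored mapping; this is the 'rule to undo the NAT'."""
        if state == "rel" and not self.nat_for_related:
            return p                  # modelled symptom: mapping silently not applied
        client = orig[1]
        if state == "rel":
            # reverse-direction ICMP error: fix the outer dst and the quoted inner src
            return replace(p, dst=client, inner=replace(p.inner, src=client))
        if p.in_port == "wan":
            return replace(p, dst=client)
        return replace(p, src=WAN_IP)


def pipeline(ct: Conntrack, p: Pkt) -> str:
    """Simplified OpenFlow pipeline; returns where the packet ends up."""
    state, orig = ct.classify(p)
    if state == "inv":
        return "drop"
    if p.in_port == "lan" and state == "new":
        ct.commit_snat(p)
        return "wan"
    if state in ("est", "rel"):
        p = ct.nat(p, state, orig)
        # A later table routes on nw_dst. With the mapping not applied, dst is
        # still WAN_IP, so the packet matches the rule for the router's own
        # address instead of the rule that forwards to the client.
        if p.dst == LAN_CLIENT:
            return "lan"
        if p.dst == WAN_IP:
            return "local"
        return "wan"
    return "drop"


def traceroute_probe(ct: Conntrack) -> str:
    """One UDP probe leaves the LAN; an upstream hop answers with time exceeded."""
    probe = Pkt("lan", "udp", LAN_CLIENT, TARGET, sport=40000, dport=33434)
    assert pipeline(ct, probe) == "wan"
    quoted = replace(probe, in_port="wan", src=WAN_IP)   # hop quotes the post-SNAT probe
    ttl_exceeded = Pkt("wan", "icmp", HOP_ROUTER, WAN_IP, icmp_type=11, inner=quoted)
    return pipeline(ct, ttl_exceeded)


def established_reply(ct: Conntrack) -> str:
    """An ordinary reply to a NATted flow; unaffected either way, as the mail notes."""
    probe = Pkt("lan", "udp", LAN_CLIENT, TARGET, sport=40000, dport=33434)
    pipeline(ct, probe)
    reply = Pkt("wan", "udp", TARGET, WAN_IP, sport=33434, dport=40000)
    return pipeline(ct, reply)


if __name__ == "__main__":
    print("fixed:", traceroute_probe(Conntrack(nat_for_related=True)))    # lan
    print("broken:", traceroute_probe(Conntrack(nat_for_related=False)))  # local
```

`traceroute_probe` returns `"lan"` when the RELATED mapping is honoured and `"local"` when it is not, which is the difference between a working and a silent traceroute from behind the router; `established_reply` returns `"lan"` in both configurations, matching the observation that new and established traffic was unaffected.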