netfilter: ctnetlink: Support offloaded conntrack entry deletion

Bug #2015293 reported by William Tu
Affects                     Status          Importance   Assigned to   Milestone
linux-bluefield (Ubuntu)    Invalid         Undecided    Unassigned
  Focal                     Fix Released    Medium       Unassigned
  Jammy                     Fix Committed   Medium       Unassigned

Bug Description

* Explain the bug(s)

conntrack -D or conntrack -F doesn't delete offloaded tuples.

* brief explanation of fixes

Add support for deleting offloaded tuples via the netlink interface and the
userspace conntrack utility.

* How to test

Create an OVS bridge with 2 mlx5 rep devices.

Enable HW offload and configure regular connection tracking OpenFlow rules:

e.g.:

    ovs-ofctl del-flows br-ovs

    ovs-ofctl add-flow br-ovs arp,actions=normal

    ovs-ofctl add-flow br-ovs "table=0, ip,ct_state=-trk actions=ct(table=1)"

    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+new actions=ct(commit),normal"

    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+est, actions=normal"

Run a UDP connection, e.g.:

    on mlx5 VF1: iperf -s -u
    on mlx5 VF2: iperf -c <ip> -u -t 10

Optional: in a different terminal, while traffic is running, check for offload:

    tcpdump -nnepi <RELEVANT_MLX5_REP> udp

and see no iperf UDP packets.

Dump conntrack for the relevant IP:

    cat /proc/net/nf_conntrack | grep -i <ip>

See that the tuples were offloaded (the [HW_OFFLOAD] flag):

    ipv4 2 udp 17 src=1.1.1.2 dst=1.1.1.3 sport=56394 dport=5001 packets=2 bytes=112 src=1.1.1.3 dst=1.1.1.2 sport=5001 dport=56394 packets=1777 bytes=665340 [HW_OFFLOAD] mark=0 zone=0 use=3

Flush the tuples:

    conntrack -F

Verify the tuples are deleted:

    cat /proc/net/nf_conntrack | grep -i <ip>

Before the fix, the above tuple shows up again; after the fix, it is deleted and the grep shows nothing.
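The before/after check above, as an added example that is not part of the bug report or the kernel patch: a POSIX shell helper that parses /proc/net/nf_conntrack text and reports whether the [HW_OFFLOAD] tuples for an IP survived `conntrack -F`. The sample dumps, the 1.1.1.x/10.0.0.x addresses and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether [HW_OFFLOAD] conntrack
# tuples for a given IP survive `conntrack -F`, working on /proc/net/nf_conntrack text.
# The dumps below are constructed to mimic the format quoted in the report.

SAMPLE_BEFORE='ipv4     2 udp      17 src=1.1.1.2 dst=1.1.1.3 sport=56394 dport=5001 packets=2 bytes=112 src=1.1.1.3 dst=1.1.1.2 sport=5001 dport=56394 packets=1777 bytes=665340 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=1.1.1.2 dst=1.1.1.3 sport=56395 dport=5002 packets=5 bytes=280 src=1.1.1.3 dst=1.1.1.2 sport=5002 dport=56395 packets=4 bytes=224 mark=0 zone=0 use=2'
# On a fixed kernel the offloaded entry is gone after the flush; on a pre-fix
# kernel the post-flush dump would look like SAMPLE_BEFORE again.
SAMPLE_AFTER=''

# count_offloaded IP  (conntrack dump on stdin): number of [HW_OFFLOAD] entries
# whose original or reply tuple carries IP as src= or dst=.
count_offloaded() {
    awk -v ip="$1" '
        index($0, "=" ip " ") && index($0, "[HW_OFFLOAD]") { n++ }
        END { print n + 0 }'
}

# verify_flush IP BEFORE_DUMP AFTER_DUMP: returns 0 if offloaded tuples existed
# before the flush and none remain, 1 if some survived, 2 if nothing to test.
verify_flush() {
    before=$(printf '%s\n' "$2" | count_offloaded "$1")
    after=$(printf '%s\n' "$3" | count_offloaded "$1")
    if [ "$before" -eq 0 ]; then
        echo "no offloaded tuples for $1 before the flush; nothing to verify" >&2
        return 2
    fi
    if [ "$after" -ne 0 ]; then
        echo "FAIL: $after offloaded tuple(s) for $1 survived the flush" >&2
        return 1
    fi
    echo "OK: $before offloaded tuple(s) for $1 removed by the flush"
}

# Live use on the BlueField host (as root, while the iperf tuple is offloaded):
#   before=$(cat /proc/net/nf_conntrack); conntrack -F; after=$(cat /proc/net/nf_conntrack)
#   verify_flush 1.1.1.2 "$before" "$after"
# Offline demonstration on the constructed dumps:
verify_flush 1.1.1.2 "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
verify_flush 1.1.1.2 "$SAMPLE_BEFORE" "$SAMPLE_BEFORE" || echo "(pre-fix symptom)"
```

The second demonstration call deliberately feeds the pre-flush dump as the post-flush dump, which is exactly what the unfixed kernel produces, so it reports the failure path.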

* What it could break.

conntrack -F / -D not working on offloaded tuples.


Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Focal):
importance: Undecided → Medium
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: New → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1061.67 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-bluefield verification-needed-focal
Bartlomiej Zolnierkiewicz (bzolnier) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1062.68 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Feysel Mohammed (feyselm) wrote :

Hello,

Using 5.4.0-1062-bluefield, conntrack -F properly flushes the tuples.

Thanks,

tags: added: verification-done-focal
removed: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-bluefield - 5.4.0-1062.68

---------------
linux-bluefield (5.4.0-1062.68) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1062.68 -proposed tracker (LP: #2016751)

  * CVE-2023-1829
    - [Config] bluefield: Make sure CONFIG_NET_CLS_TCINDEX is not available

  * net/sched: cls_api: Support hardware miss to tc action (LP: #2012571)
    - Revert "net/sched: flower: fix fl_change() error recovery path"
    - Revert "net/sched: flower: Support hardware miss to tc action"
    - Revert "net/sched: flower: Move filter handle initialization earlier"
    - Revert "net/sched: cls_api: Support hardware miss to tc action"
    - Revert "UBUNTU: SAUCE: net/sched: Provide act to offload action"

  [ Ubuntu: 5.4.0-148.165 ]

  * focal/linux: 5.4.0-148.165 -proposed tracker (LP: #2016777)
  * CVE-2023-1829
    - net/sched: Retire tcindex classifier
    - [Config]: Make sure CONFIG_NET_CLS_TCINDEX is not available

 -- Bartlomiej Zolnierkiewicz <email address hidden> Thu, 27 Apr 2023 16:48:23 +0200

Changed in linux-bluefield (Ubuntu Focal):
status: Fix Committed → Fix Released
Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Jammy):
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu Jammy):
status: In Progress → Fix Committed
Bartlomiej Zolnierkiewicz (bzolnier) wrote :

This bug is awaiting verification that the linux-bluefield/5.15.0-1019.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Feysel Mohammed (feyselm) wrote :

Hello,

Using 5.15.0-1019-bluefield, conntrack -F properly flushes the tuples.

Thanks,

tags: added: verification-done-jammy
removed: verification-needed-jammy