File 0001-Enable-liberal-TCP-connection-tracking-for... of Package openstack-neutron-doc

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Enable-liberal-TCP-connection-tracking-for-SNAT-name.patch of Package openstack-neutron-doc

From 0b3512d43f77706bb12b6ac2e491e87029b251dd Mon Sep 17 00:00:00 2001
From: Dirk Mueller <dirk@dmllr.de>
Date: Thu, 15 Nov 2018 17:19:35 +0100
Subject: [PATCH] Enable liberal TCP connection tracking for SNAT namespaces

This can avoid connections rarely hanging due to tcp window
scaling not correctly being observed by the TCP connection
tracking. this seems to happen when retransmits are occurring
occassionally.
Setting this parameter turns off validating the window scaling
checks for the purpose of matching whether a packet matches
an existing connection tracked flow, which avoids the SNAT
namespace from interfering and letting the connection peers
recover the connection via retransmits/Selective ACKs instead
of the SNAT terminating one side of the connection and letting
it stall permanently.

Closes-Bug: #1804327
Change-Id: I5e58bb2850bfa8e974e62215af0b4d7bc0592c13
(cherry picked from commit 13f4ac25dd67a7bb2ee21a4fc8e1b9e19c418d12)
---
 neutron/agent/l3/dvr_snat_ns.py                 | 5 ++++-
 neutron/tests/unit/agent/l3/test_dvr_snat_ns.py | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/neutron/agent/l3/dvr_snat_ns.py b/neutron/agent/l3/dvr_snat_ns.py
index d769de7a99..3b9718d2ef 100644
--- a/neutron/agent/l3/dvr_snat_ns.py
+++ b/neutron/agent/l3/dvr_snat_ns.py
@@ -36,8 +36,11 @@ class SnatNamespace(namespaces.Namespace):
         ip_lib.set_ip_nonlocal_bind_for_namespace(self.name)
         # Set nf_conntrack_tcp_loose to 0 to ensure mid-stream
         # TCP conversations aren't taken over by SNAT
+        # Be liberal in the state tracking to avoid
+        # issues with TCP window scaling
         ip_lib.IPWrapper(namespace=self.name).netns.execute(
-            ['sysctl', '-w', 'net.netfilter.nf_conntrack_tcp_loose=0'])
+            ['sysctl', '-w', 'net.netfilter.nf_conntrack_tcp_loose=0',
+             'net.netfilter.nf_conntrack_tcp_be_liberal=1'])
 
     @classmethod
     def get_snat_ns_name(cls, router_id):
diff --git a/neutron/tests/unit/agent/l3/test_dvr_snat_ns.py b/neutron/tests/unit/agent/l3/test_dvr_snat_ns.py
index 2185d5344b..844ca88a7a 100644
--- a/neutron/tests/unit/agent/l3/test_dvr_snat_ns.py
+++ b/neutron/tests/unit/agent/l3/test_dvr_snat_ns.py
@@ -41,7 +41,8 @@ class TestDvrSnatNs(base.BaseTestCase):
         self.snat_ns.create()
 
         netns_cmd = ['ip', 'netns', 'exec', self.snat_ns.name]
-        loose_cmd = ['sysctl', '-w', 'net.netfilter.nf_conntrack_tcp_loose=0']
+        loose_cmd = ['sysctl', '-w', 'net.netfilter.nf_conntrack_tcp_loose=0',
+                     'net.netfilter.nf_conntrack_tcp_be_liberal=1']
         expected = [mock.call(netns_cmd + loose_cmd,
                               check_exit_code=True, extra_ok_codes=None,
                               log_fail_as_error=True, run_as_root=True)]
-- 
2.19.1

Places

File 0001-Enable-liberal-TCP-connection-tracking-for-SNAT-name.patch of Package openstack-neutron-doc

Places