
net: openvswitch: fix misuse of the cached connection on tuple changes

Timothy Redaelli requested to merge tredaelli/centos-stream-9:bz2104139 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2104139
Upstream Status: commit 2061ecfdf235

commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee
Author: Ilya Maximets <i.maximets@ovn.org>
Date: Tue Jun 7 00:11:40 2022 +0200

net: openvswitch: fix misuse of the cached connection on tuple changes  

If the packet headers changed, the cached nfct is no longer relevant
for the packet, and an attempt to re-use it leads to incorrect packet
classification.

This issue is causing broken connectivity in OpenStack deployments  
with OVS/OVN due to hairpin traffic being unexpectedly dropped.  

The setup has datapath flows with several conntrack actions and tuple  
changes between them:  

  actions:ct(commit,zone=8,mark=0/0x1,nat(src)),  
          set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),  
          set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),  
          ct(zone=8),recirc(0x4)  

After the first ct() action the packet headers are almost fully  
re-written.  The next ct() tries to re-use the existing nfct entry  
and marks the packet as invalid, so it gets dropped later in the  
pipeline.  

Clear the cached conntrack entry whenever the packet tuple is changed
to avoid the issue.

The flow key should not be cleared though, because we should still  
be able to match on the ct_state if the recirculation happens after  
the tuple change but before the next ct() action.  

Cc: stable@vger.kernel.org  
Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")  
Reported-by: Frode Nordahl <frode.nordahl@canonical.com>  
Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html  
Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856  
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>  
Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@ovn.org  
Signed-off-by: Jakub Kicinski <kuba@kernel.org>  

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
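The commit message above describes a datapath flow whose action list changes the IP tuple between two ct() actions, so on an unpatched kernel the second ct() re-uses a stale cached connection. The following added script (not part of the merge request or of the Open vSwitch project) scans action lists in the `ovs-dpctl dump-flows` syntax shown in the message and reports ct() actions that follow a tuple-changing set() after an earlier ct() in the same list. It assumes that set() on ipv4/ipv6/tcp/udp/sctp/icmp/icmpv6 headers changes the conntrack tuple while set(eth) does not (the L2 header is not part of the tuple), and that a ct_clear action discards the cached connection; the sample flows are constructed, the first one taken verbatim from the commit message.

```python
import re

# Constructed sample action lists in OVS datapath syntax. The first is the
# exact flow from the commit message; the other two are constructed variations.
SAMPLE_FLOWS = [
    "actions:ct(commit,zone=8,mark=0/0x1,nat(src)),"
    "set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),"
    "set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),"
    "ct(zone=8),recirc(0x4)",
    # Only the L2 header changes between the ct() actions: tuple unchanged.
    "actions:ct(zone=8),set(eth(src=00:00:00:00:00:02)),ct(commit,zone=8)",
    # Single ct(): nothing to re-use.
    "actions:ct(zone=8),recirc(0x1)",
]

# Assumption: these set() targets rewrite fields that belong to the conntrack
# tuple (L3 addresses, L4 protocol/ports, ICMP type/code).
TUPLE_HEADERS = {"ipv4", "ipv6", "tcp", "udp", "sctp", "icmp", "icmpv6"}


def split_actions(actions: str) -> list[str]:
    """Split a comma-separated datapath action list at depth 0 only, so that
    nested arguments such as ct(commit,nat(src)) stay together."""
    body = actions.split("actions:", 1)[1] if "actions:" in actions else actions
    parts, current, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current).strip())
    return [p for p in parts if p]


def action_name(action: str) -> str:
    """'ct(zone=8)' -> 'ct', 'recirc(0x4)' -> 'recirc'."""
    return action.split("(", 1)[0]


def set_header(action: str):
    """'set(ipv4(src=...))' -> 'ipv4'; None if the action is not a set()."""
    m = re.match(r"set\((\w+)\(", action)
    return m.group(1) if m else None


def find_stale_ct_reuse(actions: str) -> list[tuple[int, list[str]]]:
    """Return (index, tuple_changing_actions) for every ct() action that is
    preceded, within the same action list, by an earlier ct() and by at least
    one tuple-changing set() since that ct(). These are the positions where a
    kernel without the fix would re-use the cached nfct for a rewritten packet.
    Recirculation is not treated as clearing the cache: the cached connection
    stays attached to the skb across recirc, only ct_clear discards it."""
    acts = split_actions(actions)
    findings = []
    ct_seen = False
    changes_since_ct: list[str] = []
    for i, act in enumerate(acts):
        name = action_name(act)
        if name == "ct":
            if ct_seen and changes_since_ct:
                findings.append((i, list(changes_since_ct)))
            ct_seen = True
            changes_since_ct = []
        elif name == "ct_clear":
            ct_seen = False
            changes_since_ct = []
        elif name == "set" and ct_seen and set_header(act) in TUPLE_HEADERS:
            changes_since_ct.append(act)
    return findings


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        for idx, changes in find_stale_ct_reuse(flow):
            print(f"ct() at action index {idx} follows tuple change(s): {changes}")
```

The scan is limited to one action list at a time: the commit message also notes that the tuple change and the next ct() may be separated by a recirculation, which in a datapath dump appears as two separate flow entries keyed by recirc_id, so a complete audit would have to follow recirc targets across entries.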

