On some busy cloud deployments, it has been reported that the nodes
hosting neutron-openvswitch are getting their nf_conntrack tables
full and starting to drop connections. The reason is that GRE/VXLAN
use source port randomization, and the number of "unique" flows is high
from nf_conntrack's perspective. This is no surprise, since flows
are usually identified by their 5-tuple (srcip/[srcport]/dstip/
dstport/tproto) by network elements, and GRE/VXLAN leverage this
fact to get an even distribution across the load-balancing systems in
between [1][2]. The randomization causes the nf_conntrack table to be
filled with many GRE/VXLAN-related flows, eventually leading to
connection drops in a busy environment. As there is no particular
reason or benefit to track these flows at the moment, the solution is
to exclude GRE/VXLAN traffic from nf_conntrack tracking. This can be
done by putting rules with a `-j NOTRACK` jump into the relevant
iptables chains, which many people already use as a solution to this
problem.

This change incorporates the relevant rules into the charm code, so
the rules are present by default.

[1] https://www.rfc-editor.org/rfc/rfc8086.html#section-3.2
[2] https://www.rfc-editor.org/rfc/rfc7348.html#section-5
Closes-bug: #1978806
Change-Id: I9f6c7ca5207a3d587cc9cc2995d9938921ad88f1
Signed-off-by: Marcin Wilk <marcin.wilk@canonical.com>
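The NOTRACK exclusion the commit message describes, as an added example for reference; this is not the charm's own code and does not reproduce the rules the change adds. It assumes VXLAN on the IANA default UDP port 4789 (RFC 7348), GRE as IP protocol 47, and that the rules belong in the raw table's PREROUTING (inbound) and OUTPUT (locally generated) chains, which are the chains where the NOTRACK target is valid. The function names (`notrack_rules`, `apply_notrack_rules`, `conntrack_usage`, `conntrack_pressure`) and the `VXLAN_PORT` variable are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the neutron-openvswitch charm.
# Assumptions: VXLAN on UDP/4789 (RFC 7348 default), GRE as IP proto 47,
# NOTRACK rules placed in the raw table's PREROUTING and OUTPUT chains.

VXLAN_PORT="${VXLAN_PORT:-4789}"

# Emit the iptables commands (one per line) that exclude GRE and VXLAN
# from nf_conntrack. Protocol 47 is GRE; using the number avoids a
# dependency on /etc/protocols.
notrack_rules() {
    for chain in PREROUTING OUTPUT; do
        echo "iptables -t raw -A $chain -p 47 -j NOTRACK"
        echo "iptables -t raw -A $chain -p udp --dport $VXLAN_PORT -j NOTRACK"
    done
}

# Apply the rules idempotently: probe with -C first so re-running the
# script does not append duplicate rules.
apply_notrack_rules() {
    notrack_rules | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if ! $check 2>/dev/null; then
            $cmd || exit 1
        fi
    done
}

# Print current/max conntrack entries, e.g. "131072/262144".
conntrack_usage() {
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null) || return 1
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null) || return 1
    echo "$count/$max"
}

# Return 0 (true) when count is at or above pct percent of max, so a
# monitoring check can warn before the table fills and packets drop.
conntrack_pressure() {
    count=$1; max=$2; pct=${3:-90}
    [ "$max" -gt 0 ] && [ $((count * 100 / max)) -ge "$pct" ]
}

case "${1:-show}" in
    show)  notrack_rules ;;
    apply) apply_notrack_rules ;;
    usage) conntrack_usage ;;
esac
```

Run with `show` to review the rules, `apply` (as root) to install them, and `usage` to watch the table; a host that is already dropping packets logs `nf_conntrack: table full, dropping packet` in the kernel log. One caveat when adopting NOTRACK: untracked packets carry the conntrack state UNTRACKED, so a host firewall that accepts return traffic only via `-m conntrack --ctstate RELATED,ESTABLISHED` will no longer match the tunnel traffic and needs an explicit accept rule for GRE and the VXLAN port (or for `--ctstate UNTRACKED`).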