From b3f59eeb73289306dd5fd2e9d664903911dc614c Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 15 Jun 2021 09:00:52 +0200
Subject: [PATCH] Disable conntrack for TCP flows in the amphora

conntrack is used in the amphora for LVS-based listeners (UDP and SCTP) and it's enabled by default. Add nft/iptable rules to disable conntrack for TCP flows, it reduces memory usage and prevents getting "nf_conntrack: table full, dropping packet" messages.

Story: 2008979
Task: 42623
Change-Id: Ia15a110c6c5a9b83a29bab56538fa425d994d477
---
 .../static/usr/local/bin/lvs-masquerade.sh | 27 +++++++++++++++++++
 ...le-conntrack-for-tcp-01ef6948d99353c2.yaml | 6 +++++
 2 files changed, 33 insertions(+)
 create mode 100644 releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml

diff --git a/elements/amphora-agent/static/usr/local/bin/lvs-masquerade.sh b/elements/amphora-agent/static/usr/local/bin/lvs-masquerade.sh
index 0c65fcbb30..99a0cf4564 100755
--- a/elements/amphora-agent/static/usr/local/bin/lvs-masquerade.sh
+++ b/elements/amphora-agent/static/usr/local/bin/lvs-masquerade.sh
@@ -38,12 +38,21 @@ if [ "$1" == "add" ]; then
 nft add rule ip octavia-ipv4 ip-udp-masq oifname "$3" meta l4proto udp masquerade
 nft add chain ip octavia-ipv4 ip-sctp-masq { type nat hook postrouting priority 100\;}
 nft add rule ip octavia-ipv4 ip-sctp-masq oifname "$3" meta l4proto sctp masquerade
+ nft add chain ip octavia-ipv4 prerouting { type filter hook prerouting priority -300 \; }
+ nft add rule ip octavia-ipv4 prerouting iifname "$3" meta l4proto tcp notrack
+ nft add chain ip octavia-ipv4 output { type filter hook output priority -300 \; }
+ nft add rule ip octavia-ipv4 output oifname "$3" meta l4proto tcp notrack
+
 elif [ "$2" == "ipv6" ]; then
 nft add table ip6 octavia-ipv6
 nft add chain ip6 octavia-ipv6 ip6-udp-masq { type nat hook postrouting priority 100\;}
 nft add rule ip6 octavia-ipv6 ip6-udp-masq oifname "$3" meta l4proto udp masquerade
 nft add chain ip6 octavia-ipv6 ip6-sctp-masq { type nat hook postrouting priority 100\;}
 nft add rule ip6 octavia-ipv6 ip6-sctp-masq oifname "$3" meta l4proto sctp masquerade
+ nft add chain ip6 octavia-ipv6 prerouting { type filter hook prerouting priority -300 \; }
+ nft add rule ip6 octavia-ipv6 prerouting iifname "$3" meta l4proto tcp notrack
+ nft add chain ip6 octavia-ipv6 output { type filter hook output priority -300 \; }
+ nft add rule ip6 octavia-ipv6 output oifname "$3" meta l4proto tcp notrack
 else
 usage
 fi
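Review bot: The new `prerouting`/`output` chains carry no comment explaining why TCP alone is excluded from conntrack while the UDP/SCTP masquerade chains directly above still depend on it, nor the side effect that `ct state` matches can no longer be used for TCP on `$3` once these rules are in place. I'd add above the first `nft add chain ip octavia-ipv4 prerouting` line: `# TCP listeners are not NATed here (only udp/sctp are masqueraded), so skip conntrack for them at raw priority -300; ct-state based rules will not match TCP on this interface afterwards`, and the same comment in the ipv6 branch. Separately, `nft add rule` appends on every invocation, so a second `add` for the same interface leaves duplicate notrack rules; the existing masquerade rules behave the same way, so this is presumably accepted, but worth noting in the comment. The enclosing `if [ "$1" == "add" ]` block starts before this hunk.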
@@ -52,9 +61,15 @@ if [ "$1" == "add" ]; then
 if [ "$2" == "ipv4" ]; then
 /sbin/iptables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
 /sbin/iptables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE
+
+ /sbin/iptables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
+ /sbin/iptables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
 elif [ "$2" == "ipv6" ]; then
 /sbin/ip6tables -t nat -A POSTROUTING -p udp -o $3 -j MASQUERADE
 /sbin/ip6tables -t nat -A POSTROUTING -p sctp -o $3 -j MASQUERADE
+
+ /sbin/ip6tables -t raw -A PREROUTING -p tcp -i $3 -j NOTRACK
+ /sbin/ip6tables -t raw -A OUTPUT -p tcp -o $3 -j NOTRACK
 else
 usage
 fi
@@ -68,11 +83,19 @@ elif [ "$1" == "delete" ]; then
 nft delete chain ip octavia-ipv4 ip-udp-masq
 nft flush chain ip octavia-ipv4 ip-sctp-masq
 nft delete chain ip octavia-ipv4 ip-sctp-masq
+ nft flush chain ip octavia-ipv4 prerouting
+ nft delete chain ip octavia-ipv4 prerouting
+ nft flush chain ip octavia-ipv4 output
+ nft delete chain ip octavia-ipv4 output
 elif [ "$2" == "ipv6" ]; then
 nft flush chain ip6 octavia-ipv6 ip-udp-masq
 nft delete chain ip6 octavia-ipv6 ip-udp-masq
 nft flush chain ip6 octavia-ipv6 ip-sctp-masq
 nft delete chain ip6 octavia-ipv6 ip-sctp-masq
+ nft flush chain ip6 octavia-ipv6 prerouting
+ nft delete chain ip6 octavia-ipv6 prerouting
+ nft flush chain ip6 octavia-ipv6 output
+ nft delete chain ip6 octavia-ipv6 output
 else
 usage
 fi
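Review bot: The new iptables/ip6tables lines pass the interface as an unquoted `$3` (`-i $3`, `-o $3`), whereas the nft branch in the same script quotes it as `"$3"`; the existing MASQUERADE lines have the same flaw, but new code should not copy it, so write `/sbin/iptables -t raw -A PREROUTING -p tcp -i "$3" -j NOTRACK` (and likewise for the OUTPUT and ip6tables lines). The same unquoted `$3` is in the delete hunk at `@@ -81,9 +104,13 @@`. Also, `-A` appends unconditionally, so a repeated `add` for the same interface accumulates duplicate NOTRACK rules while the delete path removes only one per call; `/sbin/iptables -t raw -C PREROUTING -p tcp -i "$3" -j NOTRACK 2>/dev/null || /sbin/iptables -t raw -A ...` would keep it idempotent, if that is not already handled by the caller. The enclosing `if [ "$1" == "add" ]` block starts before this hunk.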
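Review bot: In the `@@ -68,11 +83,19 @@` hunk the new ipv6 `prerouting`/`output` flush and delete lines are appended after `nft flush chain ip6 octavia-ipv6 ip-udp-masq` / `ip-sctp-masq`, but the add path in the `@@ -38,12` hunk creates those chains as `ip6-udp-masq` / `ip6-sctp-masq`, so the four pre-existing ip6 deletes name chains that do not exist and fail. Whether the newly added `prerouting`/`output` teardown still runs after that failure depends on whether the script runs with `-e`, which is not visible in this hunk. Since this commit touches that block, it is a good moment to correct the names to `ip6-udp-masq` and `ip6-sctp-masq`, or to replace the per-chain teardown with `nft delete table ip6 octavia-ipv6`, which removes every chain in the table in one step. The enclosing `elif [ "$1" == "delete" ]` block starts before this hunk.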
@@ -81,9 +104,13 @@ elif [ "$1" == "delete" ]; then
 if [ "$2" == "ipv4" ]; then
 /sbin/iptables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
 /sbin/iptables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE
+ /sbin/iptables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
+ /sbin/iptables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
 elif [ "$2" == "ipv6" ]; then
 /sbin/ip6tables -t nat -D POSTROUTING -p udp -o $3 -j MASQUERADE
 /sbin/ip6tables -t nat -D POSTROUTING -p sctp -o $3 -j MASQUERADE
+ /sbin/ip6tables -t raw -D PREROUTING -p tcp -i $3 -j NOTRACK
+ /sbin/ip6tables -t raw -D OUTPUT -p tcp -o $3 -j NOTRACK
 else
 usage
 fi
diff --git a/releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml b/releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml
new file mode 100644
index 0000000000..2313fac9ec
--- /dev/null
+++ b/releasenotes/notes/disable-conntrack-for-tcp-01ef6948d99353c2.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Disable conntrack for TCP flows in the Amphora, it reduces memory usage for
+ HAProxy-based listeners and prevents some kernel warnings about dropped
+ packets.