[Bug 2154492] [NEW] 25.09: Duplicate ICMPv6 fragmentation-needed packets with SNAT on distributed router

mj 2154492 at bugs.launchpad.net
Thu May 28 16:10:15 UTC 2026 

Public bug reported:

OVN 25.09.1+ produces duplicate/malformed ICMP fragmentation-needed replies on distributed routers with SNAT. The regression was introduced by commit d702b0ed1 ("northd: Avoid committing DNAT traffic to SNAT zone"). Two logical flows at S_ROUTER_OUT_SNAT overlap — one matching (!ct.trk || !ct.rpl) && flags.unsnat_new == 1 and another matching ct.new — both execute for SNAT-originated ICMP errors, causing a double ct_commit_to_zone(snat).
Failing autopkgtests:
- LR with SNAT fragmentation needed for external server
- DNAT and SNAT on distributed router - N/S - IPv6
- Traffic to router port via LLA
Fix: Add flags.unsnat_new == 0 guard to the second flow so the two are mutually exclusive.

** Affects: ovn (Ubuntu)
     Importance: Undecided
     Assignee: mj (crypticcoder)
         Status: New

** Changed in: ovn (Ubuntu)
     Assignee: (unassigned) => mj (crypticcoder)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/2154492

Title:
  25.09: Duplicate ICMPv6 fragmentation-needed packets with SNAT on
  distributed router

Status in ovn package in Ubuntu:
  New

Bug description:
  OVN 25.09.1+ produces duplicate/malformed ICMP fragmentation-needed replies on distributed routers with SNAT. The regression was introduced by commit d702b0ed1 ("northd: Avoid committing DNAT traffic to SNAT zone"). Two logical flows at S_ROUTER_OUT_SNAT overlap — one matching (!ct.trk || !ct.rpl) && flags.unsnat_new == 1 and another matching ct.new — both execute for SNAT-originated ICMP errors, causing a double ct_commit_to_zone(snat).
  Failing autopkgtests:
  - LR with SNAT fragmentation needed for external server
  - DNAT and SNAT on distributed router - N/S - IPv6
  - Traffic to router port via LLA
  Fix: Add flags.unsnat_new == 0 guard to the second flow so the two are mutually exclusive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/2154492/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list