[{"id":1798860,"web_url":"http://patchwork.ozlabs.org/comment/1798860/","msgid":"<20171103194935.GH9424@breakpoint.cc>","list_archive_url":null,"date":"2017-11-03T19:49:35","subject":"Re: [PATCH RFC,\n\tWIP 3/5] netfilter: nf_flow_offload: integration with conntrack","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso <pablo@netfilter.org> wrote:\n> This patch adds the IPS_OFFLOAD status bit, this new bit tells us that\n> the conntrack entry is owned by the flow offload infrastructure. The\n> timer of such conntrack entries is stopped - the conntrack garbage\n> collector skips them - and they display no internal state in the case of\n> TCP flows.\n>\n> Conntrack entries that have been offloaded to the flow table\n> infrastructure cannot be deleted/flushed via ctnetlink. The flow table\n> infrastructure is also responsible for releasing this conntrack entry.\n> \n> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n> ---\n> Instead of nf_flow_release_ct(), I'd rather keep a pointer reference to\n> the conntrack object from the flow_offload entry, so we can skip the\n> conntrack look up.\n\nI agree, this would make sense.\n\n> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h\n> index 8f3bd30511de..9af4bb0c2f46 100644\n> --- a/include/net/netfilter/nf_conntrack.h\n> +++ b/include/net/netfilter/nf_conntrack.h\n> @@ -272,7 +272,8 @@ static inline unsigned long nf_ct_expires(const struct nf_conn *ct)\n>  \n>  static inline bool nf_ct_is_expired(const struct nf_conn *ct)\n>  {\n> -\treturn (__s32)(ct->timeout - nfct_time_stamp) <= 0;\n> +\treturn (__s32)(ct->timeout - nfct_time_stamp) <= 0 &&\n> +\t       !test_bit(IPS_OFFLOAD_BIT, &ct->status);\n\nAn alternative would be to not touch nf_ct_is_expired() and instead ...\n>  }\n>  \n> 
@@ -1011,12 +1014,14 @@ static void gc_worker(struct work_struct *work)\n>  \t\t\ttmp = nf_ct_tuplehash_to_ctrack(h);\n>  \n>  \t\t\tscanned++;\n> +\t\t\tif (test_bit(IPS_OFFLOAD_BIT, &tmp->status))\n> +\t\t\t\tcontinue;\n \n... advance/refresh ct->timeout from gc worker, i.e.\n\n if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) {\n     ct->timeout = nfct_time_stamp + (1 DAY);\n     continue;\n }\n\nWould prevent normal path to ever see offloaded entry\nas 'timed out', without having to check for the flag in lookup path\n(OTOH the check should not be an issue either because lookup path\n has to access ct->status anyway).","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3yTCGs1Plkz9s81\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat,  4 Nov 2017 06:50:13 +1100 (AEDT)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752659AbdKCTuG (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 3 Nov 2017 15:50:06 -0400","from Chamillionaire.breakpoint.cc ([146.0.238.67]:37492 \"EHLO\n\tChamillionaire.breakpoint.cc\" rhost-flags-OK-OK-OK-OK)\n\tby vger.kernel.org with ESMTP id S1751536AbdKCTuF (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Fri, 3 Nov 2017 15:50:05 -0400","from fw by Chamillionaire.breakpoint.cc with local (Exim 4.84_2)\n\t(envelope-from <fw@strlen.de>)\n\tid 1eAhyB-0007sI-H5; Fri, 03 Nov 2017 20:49:35 +0100"],"Date":"Fri, 3 Nov 2017 20:49:35 +0100","From":"Florian Westphal <fw@strlen.de>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, netdev@vger.kernel.org","Subject":"Re: [PATCH 
RFC,\n\tWIP 3/5] netfilter: nf_flow_offload: integration with conntrack","Message-ID":"<20171103194935.GH9424@breakpoint.cc>","References":"<20171103152636.9967-1-pablo@netfilter.org>\n\t<20171103152636.9967-4-pablo@netfilter.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20171103152636.9967-4-pablo@netfilter.org>","User-Agent":"Mutt/1.5.23 (2014-03-12)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}}]
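Review bot: in the nf_ct_is_expired() hunk, the added `!test_bit(IPS_OFFLOAD_BIT, &ct->status)` term means that every caller of this helper treats an offloaded entry as never expired, but nothing at the function says so. The commit message states that the flow table infrastructure is responsible for releasing such entries. A short comment above the helper should record that contract, so a reader of nf_conntrack.h can see that reclaiming an IPS_OFFLOAD entry depends entirely on the flow table releasing it. It would also help to state in the commit message what happens to the conntrack entry if the flow table side never does.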
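Review bot: in the gc_worker() hunk, the new `if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) continue;` sits after `scanned++`, so offloaded entries are counted as scanned even though they can never be collected. If that is intended, a one-line comment saying that offloaded entries are owned by the flow table and deliberately skipped would make it clear. If it is not, move the check above the increment. The hunk does not show how `scanned` is used afterwards, so please confirm which behaviour is wanted.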