Message ID | 1625670778-30586-1-git-send-email-bodong@nvidia.com
---|---
Series | Control nf flow table timeouts
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 7/7/21 9:12 AM, Bodong Wang wrote:
> TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
> Offloaded connections are aged after 30 seconds of inactivity.
> Once aged, ownership is returned to conntrack with a hard coded tcp/udp
> pickup time of 120/30 seconds, after which the connection may be deleted.
>
> The current hard-coded pickup intervals may introduce a very aggressive
> aging policy. For example, offloaded tcp connections in established state
> will timeout from nf conntrack after just 150 seconds of inactivity,
> instead of 5 days. In addition, the hard-coded 30 second offload timeout
> period can significantly increase the hardware insertion rate requirements
> in some use cases.
>
> This patchset provides the user with the ability to configure protocol
> specific offload timeout and pickup intervals via sysctl.
>
> The first and second patches revert the existing non-upstream solution.
> The next two patches introduce the sysctl configuration for tcp and udp
> protocols.
> The last patch modifies nf flow table aging mechanisms to use the configured
> time intervals.
>
> v2: add linux-next to cherry pick branch
>
> Oz Shlomo (5):
>   Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age
>     out time"
>   Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout
>     interval"
>   (upstream) netfilter: conntrack: Introduce tcp offload timeout
>     configuration
>   (upstream) netfilter: conntrack: Introduce udp offload timeout
>     configuration
>   (upstream) netfilter: flowtable: Set offload timeouts according to
>     proto values
>
>  include/net/netfilter/nf_flow_table.h   | 10 ++-----
>  include/net/netns/conntrack.h           |  8 +++++
>  net/netfilter/nf_conntrack_proto_tcp.c  |  5 ++++
>  net/netfilter/nf_conntrack_proto_udp.c  |  5 ++++
>  net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++
>  net/netfilter/nf_flow_table_core.c      | 53 +++++++++++++++++++++++----------
>  net/netfilter/nf_flow_table_offload.c   |  5 ++--
>  net/sched/act_ct.c                      |  5 ----
>  8 files changed, 106 insertions(+), 31 deletions(-)
>
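The cover letter quoted above describes the idle budget of an offloaded flow (offload aging, then a pickup window in conntrack) and says the series replaces the hard-coded values with sysctls. The following is an added example, not code from the series, from Bodong Wang or Oz Shlomo, or from anyone in this thread: a small POSIX sh helper that tells whether a running kernel carries the new knobs, reads or sets them, and reports the pre-series idle budget from the cover letter's own numbers. The knob names nf_conntrack_tcp_timeout_offload and nf_conntrack_udp_timeout_offload and their 30 s default are taken from the upstream commits the series lists, not from this page; SYSCTL_ROOT, the function names and the script name offload-timeouts.sh are the example's own inventions.

```shell
#!/bin/sh
# Added example, not part of the patch series or this thread.
# Inspect and tune the conntrack offload timeout knobs the series adds.
# Assumed (from the upstream commits named in the series, not this page):
# the knobs live under net.netfilter as nf_conntrack_tcp_timeout_offload
# and nf_conntrack_udp_timeout_offload and default to 30 seconds.
# The pre-series figures (30 s offload aging, 120 s / 30 s tcp / udp
# pickup) are the ones the cover letter itself states.

# Sysctl tree to read; overridable so the functions can run against a
# fake tree (tests, or a copied /proc snapshot from another host).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/netfilter}"

# read_knob NAME DEFAULT: print the knob's value, or DEFAULT when the
# running kernel does not expose it (kernels without this series have no
# *_timeout_offload files at all).
read_knob() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        cat "$SYSCTL_ROOT/$1"
    else
        printf '%s\n' "$2"
    fi
}

# has_offload_knobs: succeed only if both offload timeout knobs exist,
# i.e. the kernel carries the two "Introduce ... offload timeout
# configuration" patches.
has_offload_knobs() {
    [ -e "$SYSCTL_ROOT/nf_conntrack_tcp_timeout_offload" ] &&
    [ -e "$SYSCTL_ROOT/nf_conntrack_udp_timeout_offload" ]
}

# pre_series_idle_budget tcp|udp: seconds an idle offloaded flow survives
# under the hard-coded scheme the cover letter describes: 30 s in the
# flow table, then a 120 s (tcp) or 30 s (udp) pickup window in conntrack.
pre_series_idle_budget() {
    case "$1" in
        tcp) echo $((30 + 120)) ;;
        udp) echo $((30 + 30)) ;;
        *)   echo "unsupported protocol: $1" >&2; return 2 ;;
    esac
}

# set_offload_timeout tcp|udp SECONDS: write the offload timeout knob.
# Rejects non-numeric input and fails when the knob is absent, so a
# pre-series kernel is reported instead of silently staying at 30 s.
set_offload_timeout() {
    proto="$1"; secs="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 2 ;;
    esac
    case "$secs" in
        ''|*[!0-9]*) echo "seconds must be a non-negative integer" >&2; return 2 ;;
    esac
    knob="$SYSCTL_ROOT/nf_conntrack_${proto}_timeout_offload"
    if [ ! -w "$knob" ]; then
        echo "$knob: absent or not writable (kernel without this series, or not root)" >&2
        return 1
    fi
    printf '%s\n' "$secs" > "$knob"
}

# report: summarise what the running kernel does with an offloaded flow.
report() {
    if has_offload_knobs; then
        echo "tcp offload timeout: $(read_knob nf_conntrack_tcp_timeout_offload 30) s"
        echo "udp offload timeout: $(read_knob nf_conntrack_udp_timeout_offload 30) s"
        echo "pickup: conntrack's own per-protocol timeouts (series present)"
    else
        echo "offload timeout knobs absent: hard-coded 30 s offload aging"
        echo "tcp idle budget: $(pre_series_idle_budget tcp) s"
        echo "udp idle budget: $(pre_series_idle_budget udp) s"
    fi
}

# Usage:  sh offload-timeouts.sh report
#         sh offload-timeouts.sh set tcp 300
case "${1:-}" in
    report) report ;;
    set)    set_offload_timeout "$2" "$3" ;;
esac
```

Run it as root on the target host; on a kernel without the series `report` prints the 150 s / 60 s budgets the cover letter complains about, and `set` refuses to pretend the knob exists. Raising the tcp offload timeout lowers the hardware re-insertion rate for long-lived idle connections, at the cost of holding flow table entries longer.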
On 07.07.21 17:12, Bodong Wang wrote:
> TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
> Offloaded connections are aged after 30 seconds of inactivity.
> Once aged, ownership is returned to conntrack with a hard coded tcp/udp
> pickup time of 120/30 seconds, after which the connection may be deleted.
>
> The current hard-coded pickup intervals may introduce a very aggressive
> aging policy. For example, offloaded tcp connections in established state
> will timeout from nf conntrack after just 150 seconds of inactivity,
> instead of 5 days. In addition, the hard-coded 30 second offload timeout
> period can significantly increase the hardware insertion rate requirements
> in some use cases.
>
> This patchset provides the user with the ability to configure protocol
> specific offload timeout and pickup intervals via sysctl.
>
> The first and second patches revert the existing non-upstream solution.
> The next two patches introduce the sysctl configuration for tcp and udp
> protocols.
> The last patch modifies nf flow table aging mechanisms to use the configured
> time intervals.
>
> v2: add linux-next to cherry pick branch
>
> Oz Shlomo (5):
>   Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age
>     out time"
>   Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout
>     interval"
>   (upstream) netfilter: conntrack: Introduce tcp offload timeout
>     configuration
>   (upstream) netfilter: conntrack: Introduce udp offload timeout
>     configuration
>   (upstream) netfilter: flowtable: Set offload timeouts according to
>     proto values
>
>  include/net/netfilter/nf_flow_table.h   | 10 ++-----
>  include/net/netns/conntrack.h           |  8 +++++
>  net/netfilter/nf_conntrack_proto_tcp.c  |  5 ++++
>  net/netfilter/nf_conntrack_proto_udp.c  |  5 ++++
>  net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++
>  net/netfilter/nf_flow_table_core.c      | 53 +++++++++++++++++++++++----------
>  net/netfilter/nf_flow_table_offload.c   |  5 ++--
>  net/sched/act_ct.c                      |  5 ----
>  8 files changed, 106 insertions(+), 31 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks
On 07.07.21 17:12, Bodong Wang wrote:
> TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
> Offloaded connections are aged after 30 seconds of inactivity.
> Once aged, ownership is returned to conntrack with a hard coded tcp/udp
> pickup time of 120/30 seconds, after which the connection may be deleted.
>
> The current hard-coded pickup intervals may introduce a very aggressive
> aging policy. For example, offloaded tcp connections in established state
> will timeout from nf conntrack after just 150 seconds of inactivity,
> instead of 5 days. In addition, the hard-coded 30 second offload timeout
> period can significantly increase the hardware insertion rate requirements
> in some use cases.
>
> This patchset provides the user with the ability to configure protocol
> specific offload timeout and pickup intervals via sysctl.
>
> The first and second patches revert the existing non-upstream solution.
> The next two patches introduce the sysctl configuration for tcp and udp
> protocols.
> The last patch modifies nf flow table aging mechanisms to use the configured
> time intervals.
>
> v2: add linux-next to cherry pick branch
>
> Oz Shlomo (5):
>   Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age
>     out time"
>   Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout
>     interval"
>   (upstream) netfilter: conntrack: Introduce tcp offload timeout
>     configuration
>   (upstream) netfilter: conntrack: Introduce udp offload timeout
>     configuration
>   (upstream) netfilter: flowtable: Set offload timeouts according to
>     proto values
>
>  include/net/netfilter/nf_flow_table.h   | 10 ++-----
>  include/net/netns/conntrack.h           |  8 +++++
>  net/netfilter/nf_conntrack_proto_tcp.c  |  5 ++++
>  net/netfilter/nf_conntrack_proto_udp.c  |  5 ++++
>  net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++
>  net/netfilter/nf_flow_table_core.c      | 53 +++++++++++++++++++++++----------
>  net/netfilter/nf_flow_table_offload.c   |  5 ++--
>  net/sched/act_ct.c                      |  5 ----
>  8 files changed, 106 insertions(+), 31 deletions(-)
>

Applied to focal:linux-bluefield/master-next. Thanks.

-Stefan