[net,v2,0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems

Message ID	20200803073305.702079-1-roid@mellanox.com
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Roi Dayan <roid@mellanox.com> To: netdev@vger.kernel.org Cc: pablo@netfilter.org, Paul Blakey <paulb@mellanox.com>, Oz Shlomo <ozsh@mellanox.com>, Roi Dayan <roid@mellanox.com>, Marcelo Ricardo Leitner <mleitner@redhat.com> Subject: [PATCH net v2 0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems Date: Mon, 3 Aug 2020 10:33:03 +0300 Message-Id: <20200803073305.702079-1-roid@mellanox.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk
Series	netfilter: conntrack: Fix CT offload timeout on heavily loaded systems \| expand [net,v2,0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems [net,v2,1/2] netfilter: conntrack: Move nf_ct_offload_timeout to header file [net,v2,2/2] netfilter: flowtable: Set offload timeout when adding flow

Message ID

20200803073305.702079-1-roid@mellanox.com

Headers

From: Roi Dayan <roid@mellanox.com>
To: netdev@vger.kernel.org
Cc: pablo@netfilter.org, Paul Blakey <paulb@mellanox.com>,
        Oz Shlomo <ozsh@mellanox.com>, Roi Dayan <roid@mellanox.com>,
        Marcelo Ricardo Leitner <mleitner@redhat.com>
Subject: [PATCH net v2 0/2] netfilter: conntrack: Fix CT offload timeout on
 heavily loaded systems
Date: Mon,  3 Aug 2020 10:33:03 +0300
Message-Id: <20200803073305.702079-1-roid@mellanox.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Series

netfilter: conntrack: Fix CT offload timeout on heavily loaded systems | expand

Message

Roi Dayan Aug. 3, 2020, 7:33 a.m. UTC

On heavily loaded systems the GC can take time to go over all existing
conns and reset their timeout. At that time other calls like from
nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as
expired. To fix this when we set the offload bit we should also reset
the timeout instead of counting on GC to finish first iteration over
all conns before the initial timeout.

First commit is to expose the function that updates the timeout.
Second commit is to use it from flow_offload_add().

Roi Dayan (2):
  netfilter: conntrack: Move nf_ct_offload_timeout to header file
  netfilter: flowtable: Set offload timeout when adding flow

 include/net/netfilter/nf_conntrack.h | 12 ++++++++++++
 net/netfilter/nf_conntrack_core.c    | 12 ------------
 net/netfilter/nf_flow_table_core.c   |  2 ++
 3 files changed, 14 insertions(+), 12 deletions(-)

Comments

Pablo Neira Ayuso Aug. 3, 2020, 10:33 a.m. UTC | #1

On Mon, Aug 03, 2020 at 10:33:03AM +0300, Roi Dayan wrote:
> On heavily loaded systems the GC can take time to go over all existing
> conns and reset their timeout. At that time other calls like from
> nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as
> expired. To fix this when we set the offload bit we should also reset
> the timeout instead of counting on GC to finish first iteration over
> all conns before the initial timeout.
> 
> First commit is to expose the function that updates the timeout.
> Second commit is to use it from flow_offload_add().

Series applied to nf.git, thanks.