[ovs-dev,00/11] conntrack zone limitation

Message ID	1533163580-27989-1-git-send-email-yihung.wei@gmail.com
Headers	show Return-Path: <ovs-dev-bounces@openvswitch.org> From: Yi-Hung Wei <yihung.wei@gmail.com> To: dev@openvswitch.org Date: Wed, 1 Aug 2018 15:46:09 -0700 Message-Id: <1533163580-27989-1-git-send-email-yihung.wei@gmail.com> Subject: [ovs-dev] [PATCH 00/11] conntrack zone limitation Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org
Series	conntrack zone limitation \| expand [ovs-dev,00/11] conntrack zone limitation [ovs-dev,01/11] compat: Backport nf_ct_netns_{get,put}() [ovs-dev,02/11] datapath: compat: Backports nf_conncount [ovs-dev,03/11] datapath: compat: Introduce static key support [ovs-dev,04/11] datapath: Add conntrack limit netlink definition [ovs-dev,05/11] datapath: conntrack: Support conntrack zone limit [ovs-dev,06/11] dpif: Support conntrack zone limit. [ovs-dev,07/11] ct-dpif: Helper functions for conntrack zone limit [ovs-dev,08/11] dpif-netlink: Implement conntrack zone limiit [ovs-dev,09/11] dpctl: Refactor opt_dpif_open(). [ovs-dev,10/11] dpctl: Implement dpctl commands for conntrack per zone limit [ovs-dev,11/11] system-traffic: Add conntrack per zoen limit test case

Message ID

1533163580-27989-1-git-send-email-yihung.wei@gmail.com

Headers

From: Yi-Hung Wei <yihung.wei@gmail.com>
To: dev@openvswitch.org
Date: Wed,  1 Aug 2018 15:46:09 -0700
Message-Id: <1533163580-27989-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 00/11] conntrack zone limitation
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

Series

conntrack zone limitation | expand

Message

Yi-Hung Wei Aug. 1, 2018, 10:46 p.m. UTC

This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
for every zone.  This feature aims to resolve a problem that if one
of the VM/container under attack that abuses the usage the conntrack
entries, it may block the others from committing valid conntrack
entries into the conntrack table.  

To address this issue, this patch series proposes to have a
fine-grained mechanism that could limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

This patch series consist of dpif layer support, kernel backports to
support this features in dpif-netlinkt, dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.


Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limiit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zoen limit test case

 NEWS                                               |   3 +
 acinclude.m4                                       |   9 +
 datapath/compat.h                                  |   8 +
 datapath/conntrack.c                               | 551 +++++++++++++++++-
 datapath/conntrack.h                               |   9 +-
 datapath/datapath.c                                |   7 +-
 datapath/datapath.h                                |   3 +
 datapath/linux/Modules.mk                          |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h  |  28 +
 datapath/linux/compat/include/linux/static_key.h   |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h    |   8 +
 .../include/net/netfilter/nf_conntrack_count.h     |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h    |  14 +
 datapath/linux/compat/nf_conncount.c               | 637 +++++++++++++++++++++
 datapath/linux/compat/nf_conntrack_proto.c         | 112 ++++
 lib/ct-dpif.c                                      | 129 +++++
 lib/ct-dpif.h                                      |  20 +
 lib/dpctl.c                                        | 252 ++++++--
 lib/dpctl.man                                      |  18 +
 lib/dpif-netdev.c                                  |   3 +
 lib/dpif-netlink.c                                 | 198 +++++++
 lib/dpif-provider.h                                |  26 +
 tests/system-traffic.at                            |  75 +++
 23 files changed, 2201 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c