X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 1137158
From: Yi-Hung Wei
To: dev@openvswitch.org, blp@ovn.org
Date: Thu, 25 Jul 2019 16:24:02 -0700
Message-Id: <1564097054-72663-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 00/12] Support zone-based conntrack timeout policy

This patch series enables zone-based conntrack timeout policy support in OVS. Timeout policy is a set of timeout attributes that can be associated with a connection when it is committed. Then, the connection tracking system will expire a connection based on its connection state. For example, one use case would be to extend the timeout of a TCP connection in the established state to avoid re-connect overhead. Another use case is to shorten the connection timeout so that the system can reclaim resources faster.

The idea of zone-based conntrack timeout policy is to group connections with similar characteristics in a conntrack zone, and assign a timeout policy to the conntrack zone. Therefore, all the connections in that zone will share the same timeout policy.

For zone-based timeout policy configuration, the association of conntrack zone and conntrack timeout policy is defined per datapath in the vswitch ovsdb schema. Users can program the database through ovs-vsctl or using the ovsdb protocol directly. Once the zone-based timeout policy configuration is in the database, vswitchd will read that configuration, organize it in an internal datapath structure, and push the timeout policy into the datapath. Currently, only the kernel datapath supports customized timeout policy.

When a packet is committed to the connection tracking system, during flow translation in ofproto-dpif-xlate, vswitchd will look up the internal data structure to figure out which timeout policy to associate with the connection. If a timeout policy is not specified for the committed zone, it defaults to the timeout policy in the default zone (zone 0). If the timeout policy is not specified in the default zone, it defaults to the system default timeouts.

Here are some more details about each patch:
* p01, p04, p06: Some utility functions.
* p02: Introduce ovsdb schema for ct timeout policy.
* p03: ovs-vsctl commands to configure zone-based ct timeout policy.
* p05: dpif interface to support ct timeout policy.
* p07: dpif-netlink implementation to support ct timeout policy.
* p08: Consume ct timeout policy configuration from ovsdb server, keep it in internal data structure, and push configuration to datapath.
* p09-10: Kernel datapath support for the new ct action attribute.
* p11: Translate timeout policy in ofproto-dpif-xlate
* p12: System traffic test

Travis CI:
* https://travis-ci.org/YiHungWei/ovs/builds/563768546

Appveyor CI:
* https://ci.appveyor.com/project/YiHungWei/ovs/builds/26250549

Ben Pfaff (1):
  simap: Add utility function to help compare two simaps.

Justin Pettit (1):
  vswitchd: Add datapath, CT_Zone, and CT_Timeout_Policy tables.

William Tu (1):
  ovs-vsctl: Add datapath and CT zone commands.

Yi-Hung Wei (9):
  ct-dpif: Export ct_dpif_format_ipproto()
  ct-dpif: Add conntrack timeout policy support in dpif layer
  ct-dpif: Add timeout policy related utility functions.
  dpif-netlink: Add conntrack timeout policy support
  datapath-config: Consume datapath, CT_Zone, and CT_Timeout_Policy tables
  datapath: compat: Backport nf_conntrack_timeout support
  datapath: Add support for conntrack timeout policy
  ofproto-dpif-xlate: Translate timeout policy in ct action
  system-traffic: Add zone-based conntrack timeout policy test

 acinclude.m4 | 7 +
 datapath-windows/include/OvsDpInterfaceCtExt.h | 114 ++++++
 datapath-windows/ovsext/Netlink/NetlinkProto.h | 1 +
 datapath/conntrack.c | 30 +-
 datapath/linux/Modules.mk | 2 +
 datapath/linux/compat/include/linux/openvswitch.h | 4 +
 .../include/net/netfilter/nf_conntrack_timeout.h | 34 ++
 datapath/linux/compat/nf_conntrack_timeout.c | 102 +++++
 include/windows/automake.mk | 1 +
 .../windows/linux/netfilter/nfnetlink_cttimeout.h | 0
 lib/automake.mk | 2 +
 lib/ct-dpif.c | 117 +++++-
 lib/ct-dpif.h | 60 +++
 lib/datapath-config.c | 409 +++++++++++++++++++
 lib/datapath-config.h | 27 ++
 lib/dpif-netdev.c | 11 +
 lib/dpif-netlink.c | 436 +++++++++++++++++++++
 lib/dpif-netlink.h | 2 +-
 lib/dpif-provider.h | 48 +++
 lib/netlink-conntrack.c | 363 +++++++++++++++++
 lib/netlink-conntrack.h | 29 ++
 lib/netlink-protocol.h | 1 +
 lib/odp-util.c | 29 +-
 lib/simap.c | 15 +-
 lib/simap.h | 1 +
 ofproto/ofproto-dpif-xlate.c | 23 ++
 tests/odp.at | 1 +
 tests/ovs-vsctl.at | 20 +-
 tests/system-kmod-macros.at | 9 +
 tests/system-traffic.at | 65 +++
 tests/system-userspace-macros.at | 10 +
 utilities/ovs-vsctl.8.in | 29 ++
 utilities/ovs-vsctl.c | 245 ++++++++++++
 vswitchd/bridge.c | 3 +
 vswitchd/vswitch.ovsschema | 44 ++-
 vswitchd/vswitch.xml | 254 +++++++++---
 36 files changed, 2488 insertions(+), 60 deletions(-)
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_timeout.h
 create mode 100644 datapath/linux/compat/nf_conntrack_timeout.c
 create mode 100644 include/windows/linux/netfilter/nfnetlink_cttimeout.h
 create mode 100644 lib/datapath-config.c
 create mode 100644 lib/datapath-config.h
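
The lookup order described in the cover letter (committed zone, then default zone 0, then system defaults), sketched as an added example that is not code from this patch series. All struct and function names, the timeout values, and the idle-time expiry model are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names and values are hypothetical; these are not the OVS structures. */
enum ct_state { TCP_SYN_SENT, TCP_ESTABLISHED, UDP_SINGLE, N_STATES };

struct timeout_policy { const char *name; uint32_t secs[N_STATES]; };
struct zone_cfg { uint16_t zone; const struct timeout_policy *policy; };

/* Constructed sample data: stand-in system defaults and two custom policies. */
static const struct timeout_policy sys_default = { "system", { 120, 432000, 30 } };
static const struct timeout_policy long_lived  = { "long",   { 120, 864000, 30 } };
static const struct timeout_policy short_lived = { "short",  { 10, 300, 5 } };

/* Policy configured for one zone, or NULL if the zone has none. */
static const struct timeout_policy *
lookup(const struct zone_cfg *cfg, size_t n, uint16_t zone)
{
    for (size_t i = 0; i < n; i++) {
        if (cfg[i].zone == zone) return cfg[i].policy;
    }
    return NULL;
}

/* Committed zone first, then the default zone (0), then system defaults. */
const struct timeout_policy *
resolve_policy(const struct zone_cfg *cfg, size_t n, uint16_t zone)
{
    const struct timeout_policy *p = lookup(cfg, n, zone);
    if (!p) p = lookup(cfg, n, 0);
    return p ? p : &sys_default;
}

/* Simplified model (assumption): a connection expires once it has been idle
 * longer than the timeout its policy gives for its current state. */
bool ct_expired(const struct timeout_policy *p, enum ct_state s, uint32_t idle)
{
    return idle > p->secs[s];
}

int main(void)
{
    const struct zone_cfg cfg[] = { { 0, &long_lived }, { 5, &short_lived } };
    printf("zone 5 -> %s\n", resolve_policy(cfg, 2, 5)->name);
    printf("zone 7 -> %s\n", resolve_policy(cfg, 2, 7)->name);
    printf("no config -> %s\n", resolve_policy(NULL, 0, 7)->name);
    return 0;
}
```

With this sample table, an established TCP connection idle for 301 seconds is expired in zone 5 but kept in zone 7, which inherits the zone 0 policy.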