mbox series

[SRU,F:linux-bluefield,0/3] Pass originating device to drivers offloading ct connection

Message ID 1644542246-6801-1-git-send-email-bodong@nvidia.com
Headers show
Series Pass originating device to drivers offloading ct connection | expand

Message

Bodong Wang Feb. 11, 2022, 1:17 a.m. UTC 
Currently, drivers register to a ct zone that can be shared by multiple
devices. This can be inefficient for the driver to offload, as it
needs to handle all the cases where the tuple can come from,
instead of where it's most likely will arive from.

For example, consider the following tc rules:
tc filter add dev dev1 ... flower action ct commit zone 5 \
action mirred egress redirect dev dev2

tc filter add dev dev2 ... flower action ct zone 5 \
action goto chain chain 2
tc filter add dev dev2 ... flower ct_state +trk+est ... \
action mirred egress redirect dev dev1

Both dev2 and dev1 register to the zone 5 flow table (created
by act_ct). A tuple originating on dev1, going to dev2, will
be offloaded to both devices, and both will need to offload
both directions, resulting in 4 total rules. The traffic
will only hit originiating tuple on dev1, and reply tuple
on dev2.

By passing the originating device that created the connection
with the tuple, dev1 can choose to offload only the originating
tuple, and dev2 only the reply tuple. Resulting in a more
efficient offload.

The 1st patch is needed for libreal tcp conntrack for efficiency.

The 2nd patch adds an act_ct nf conntrack extension, to
temporarily store the originiating device from the skb before
offloading the connection once the connection is established.
Once sent to offload, it fills the tuple originating device.

The 3rd patch get this information from tuples
which pass in openvswitch.

Numan Siddique (1):
  net: openvswitch: Be liberal in tcp conntrack.

Paul Blakey (2):
  net/sched: act_ct: Fill offloading tuple iifidx
  net: openvswitch: Fill act ct extension

 include/net/netfilter/nf_conntrack_act_ct.h  | 50 ++++++++++++++++++++++++++++
 include/net/netfilter/nf_conntrack_extend.h  |  4 +++
 include/net/netfilter/nf_conntrack_l4proto.h | 14 ++++++++
 net/netfilter/nf_conntrack_core.c            |  6 +++-
 net/netfilter/nf_conntrack_proto_tcp.c       |  6 ----
 net/openvswitch/conntrack.c                  | 14 ++++++++
 net/sched/act_ct.c                           | 27 +++++++++++++++
 7 files changed, 114 insertions(+), 7 deletions(-)
 create mode 100644 include/net/netfilter/nf_conntrack_act_ct.h

Comments

Tim Gardner Feb. 11, 2022, 12:54 p.m. UTC | #1 
Missing BugLink in patch 3. Patches 2-3 have also been merged upstream.

On 2/10/22 6:17 PM, Bodong Wang wrote:
> Currently, drivers register to a ct zone that can be shared by multiple
> devices. This can be inefficient for the driver to offload, as it
> needs to handle all the cases where the tuple can come from,
> instead of where it's most likely will arive from.
> 
> For example, consider the following tc rules:
> tc filter add dev dev1 ... flower action ct commit zone 5 \
> action mirred egress redirect dev dev2
> 
> tc filter add dev dev2 ... flower action ct zone 5 \
> action goto chain chain 2
> tc filter add dev dev2 ... flower ct_state +trk+est ... \
> action mirred egress redirect dev dev1
> 
> Both dev2 and dev1 register to the zone 5 flow table (created
> by act_ct). A tuple originating on dev1, going to dev2, will
> be offloaded to both devices, and both will need to offload
> both directions, resulting in 4 total rules. The traffic
> will only hit originiating tuple on dev1, and reply tuple
> on dev2.
> 
> By passing the originating device that created the connection
> with the tuple, dev1 can choose to offload only the originating
> tuple, and dev2 only the reply tuple. Resulting in a more
> efficient offload.
> 
> The 1st patch is needed for libreal tcp conntrack for efficiency.
> 
> The 2nd patch adds an act_ct nf conntrack extension, to
> temporarily store the originiating device from the skb before
> offloading the connection once the connection is established.
> Once sent to offload, it fills the tuple originating device.
> 
> The 3rd patch get this information from tuples
> which pass in openvswitch.
> 
> Numan Siddique (1):
>    net: openvswitch: Be liberal in tcp conntrack.
> 
> Paul Blakey (2):
>    net/sched: act_ct: Fill offloading tuple iifidx
>    net: openvswitch: Fill act ct extension
> 
>   include/net/netfilter/nf_conntrack_act_ct.h  | 50 ++++++++++++++++++++++++++++
>   include/net/netfilter/nf_conntrack_extend.h  |  4 +++
>   include/net/netfilter/nf_conntrack_l4proto.h | 14 ++++++++
>   net/netfilter/nf_conntrack_core.c            |  6 +++-
>   net/netfilter/nf_conntrack_proto_tcp.c       |  6 ----
>   net/openvswitch/conntrack.c                  | 14 ++++++++
>   net/sched/act_ct.c                           | 27 +++++++++++++++
>   7 files changed, 114 insertions(+), 7 deletions(-)
>   create mode 100644 include/net/netfilter/nf_conntrack_act_ct.h
>