Message ID | 1645230928-32185-1-git-send-email-bodong@nvidia.com |
---|---|
Series | Pass originating device to drivers offloading ct connection |
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 2/18/22 17:35, Bodong Wang wrote:
> Currently, drivers register to a ct zone that can be shared by multiple
> devices. This can be inefficient for the driver to offload, as it
> needs to handle all the cases where the tuple can come from,
> instead of where it will most likely arrive from.
>
> For example, consider the following tc rules:
>   tc filter add dev dev1 ... flower action ct commit zone 5 \
>      action mirred egress redirect dev dev2
>
>   tc filter add dev dev2 ... flower action ct zone 5 \
>      action goto chain chain 2
>   tc filter add dev dev2 ... flower ct_state +trk+est ... \
>      action mirred egress redirect dev dev1
>
> Both dev2 and dev1 register to the zone 5 flow table (created
> by act_ct). A tuple originating on dev1, going to dev2, will
> be offloaded to both devices, and both will need to offload
> both directions, resulting in 4 total rules. The traffic
> will only hit originating tuple on dev1, and reply tuple
> on dev2.
>
> By passing the originating device that created the connection
> with the tuple, dev1 can choose to offload only the originating
> tuple, and dev2 only the reply tuple. Resulting in a more
> efficient offload.
>
> The 1st patch is needed for liberal tcp conntrack for efficiency.
>
> The 2nd patch adds an act_ct nf conntrack extension, to
> temporarily store the originating device from the skb before
> offloading the connection once the connection is established.
> Once sent to offload, it fills the tuple originating device.
>
> The 3rd patch gets this information from tuples
> which pass in openvswitch.
>
> V0->V1:
> 1. Add missing buglink for patch 3
> 2. Remove linux-next for patch 2 and 3, they're merged
>
> V1->V2:
> 1. Fix signoff order of patch 1
> 2. Add David signoff for patch 2 and 3
>
> Numan Siddique (1):
>   net: openvswitch: Be liberal in tcp conntrack.
>
> Paul Blakey (2):
>   net/sched: act_ct: Fill offloading tuple iifidx
>   net: openvswitch: Fill act ct extension
>
>  include/net/netfilter/nf_conntrack_act_ct.h  | 50 ++++++++++++++++++++++++++++
>  include/net/netfilter/nf_conntrack_extend.h  |  4 +++
>  include/net/netfilter/nf_conntrack_l4proto.h | 14 ++++++++
>  net/netfilter/nf_conntrack_core.c            |  6 +++-
>  net/netfilter/nf_conntrack_proto_tcp.c       |  6 ----
>  net/openvswitch/conntrack.c                  | 14 ++++++++
>  net/sched/act_ct.c                           | 27 +++++++++++++++
>  7 files changed, 114 insertions(+), 7 deletions(-)
>  create mode 100644 include/net/netfilter/nf_conntrack_act_ct.h
>
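
The rule count argued in the cover letter, as an added user-space model; it is not part of the thread or of the patches. All names are hypothetical, the ifindex values are constructed, and two points are assumptions of the model: the extension keeps one ingress device per direction, and a driver still offloads a tuple whose device is unknown.

```c
#include <stdio.h>

/* User-space model with hypothetical names; this is not kernel code. */
enum ct_dir { DIR_ORIG, DIR_REPLY, DIR_MAX };

struct ct_ext { int ifindex[DIR_MAX]; };  /* ingress device seen per direction, 0 = unknown */
struct ct_tuple { int iifidx; };          /* device handed to drivers together with the tuple */

/* Once the connection is established, copy the stored devices into the tuples. */
static void fill_tuples(const struct ct_ext *ext, struct ct_tuple t[DIR_MAX])
{
    for (int d = 0; d < DIR_MAX; d++)
        t[d].iifidx = ext->ifindex[d];
}

/* One driver's decision: how many of the two tuples it installs in hardware.
 * A tuple whose origin is unknown (0) is still offloaded, to stay correct. */
static int driver_offload(int my_ifindex, const struct ct_tuple *t, int use_iifidx)
{
    int rules = 0;
    for (int d = 0; d < DIR_MAX; d++) {
        if (use_iifidx && t[d].iifidx != 0 && t[d].iifidx != my_ifindex)
            continue;   /* traffic for this tuple enters on another device */
        rules++;
    }
    return rules;
}

/* Total rules for one connection when dev1 (ifindex 1) and dev2 (ifindex 2),
 * constructed values, are both registered to the zone 5 flow table. */
int zone_rules(int orig_if, int reply_if, int use_iifidx)
{
    const int devs[] = { 1, 2 };
    struct ct_ext ext = { { orig_if, reply_if } };  /* as recorded from the skb */
    struct ct_tuple t[DIR_MAX];
    int total = 0;

    fill_tuples(&ext, t);
    for (unsigned i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        total += driver_offload(devs[i], t, use_iifidx);
    return total;
}

int main(void)
{
    printf("device ignored: %d rules\n", zone_rules(1, 2, 0));
    printf("device passed:  %d rules\n", zone_rules(1, 2, 1));
    printf("reply unknown:  %d rules\n", zone_rules(1, 0, 1));
    return 0;
}
```
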
On 19.02.22 01:35, Bodong Wang wrote:
> Currently, drivers register to a ct zone that can be shared by multiple
> devices. This can be inefficient for the driver to offload, as it
> needs to handle all the cases where the tuple can come from,
> instead of where it will most likely arrive from.
>
> For example, consider the following tc rules:
>   tc filter add dev dev1 ... flower action ct commit zone 5 \
>      action mirred egress redirect dev dev2
>
>   tc filter add dev dev2 ... flower action ct zone 5 \
>      action goto chain chain 2
>   tc filter add dev dev2 ... flower ct_state +trk+est ... \
>      action mirred egress redirect dev dev1
>
> Both dev2 and dev1 register to the zone 5 flow table (created
> by act_ct). A tuple originating on dev1, going to dev2, will
> be offloaded to both devices, and both will need to offload
> both directions, resulting in 4 total rules. The traffic
> will only hit originating tuple on dev1, and reply tuple
> on dev2.
>
> By passing the originating device that created the connection
> with the tuple, dev1 can choose to offload only the originating
> tuple, and dev2 only the reply tuple. Resulting in a more
> efficient offload.
>
> The 1st patch is needed for liberal tcp conntrack for efficiency.
>
> The 2nd patch adds an act_ct nf conntrack extension, to
> temporarily store the originating device from the skb before
> offloading the connection once the connection is established.
> Once sent to offload, it fills the tuple originating device.
>
> The 3rd patch gets this information from tuples
> which pass in openvswitch.
>
> V0->V1:
> 1. Add missing buglink for patch 3
> 2. Remove linux-next for patch 2 and 3, they're merged
>
> V1->V2:
> 1. Fix signoff order of patch 1
> 2. Add David signoff for patch 2 and 3
>
> Numan Siddique (1):
>   net: openvswitch: Be liberal in tcp conntrack.
>
> Paul Blakey (2):
>   net/sched: act_ct: Fill offloading tuple iifidx
>   net: openvswitch: Fill act ct extension
>
>  include/net/netfilter/nf_conntrack_act_ct.h  | 50 ++++++++++++++++++++++++++++
>  include/net/netfilter/nf_conntrack_extend.h  |  4 +++
>  include/net/netfilter/nf_conntrack_l4proto.h | 14 ++++++++
>  net/netfilter/nf_conntrack_core.c            |  6 +++-
>  net/netfilter/nf_conntrack_proto_tcp.c       |  6 ----
>  net/openvswitch/conntrack.c                  | 14 ++++++++
>  net/sched/act_ct.c                           | 27 +++++++++++++++
>  7 files changed, 114 insertions(+), 7 deletions(-)
>  create mode 100644 include/net/netfilter/nf_conntrack_act_ct.h
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks
Applied to focal/linux-bluefield:master-next. Thanks.

-rtg

On 2/18/22 17:35, Bodong Wang wrote:
> Currently, drivers register to a ct zone that can be shared by multiple
> devices. This can be inefficient for the driver to offload, as it
> needs to handle all the cases where the tuple can come from,
> instead of where it will most likely arrive from.
>
> For example, consider the following tc rules:
>   tc filter add dev dev1 ... flower action ct commit zone 5 \
>      action mirred egress redirect dev dev2
>
>   tc filter add dev dev2 ... flower action ct zone 5 \
>      action goto chain chain 2
>   tc filter add dev dev2 ... flower ct_state +trk+est ... \
>      action mirred egress redirect dev dev1
>
> Both dev2 and dev1 register to the zone 5 flow table (created
> by act_ct). A tuple originating on dev1, going to dev2, will
> be offloaded to both devices, and both will need to offload
> both directions, resulting in 4 total rules. The traffic
> will only hit originating tuple on dev1, and reply tuple
> on dev2.
>
> By passing the originating device that created the connection
> with the tuple, dev1 can choose to offload only the originating
> tuple, and dev2 only the reply tuple. Resulting in a more
> efficient offload.
>
> The 1st patch is needed for liberal tcp conntrack for efficiency.
>
> The 2nd patch adds an act_ct nf conntrack extension, to
> temporarily store the originating device from the skb before
> offloading the connection once the connection is established.
> Once sent to offload, it fills the tuple originating device.
>
> The 3rd patch gets this information from tuples
> which pass in openvswitch.
>
> V0->V1:
> 1. Add missing buglink for patch 3
> 2. Remove linux-next for patch 2 and 3, they're merged
>
> V1->V2:
> 1. Fix signoff order of patch 1
> 2. Add David signoff for patch 2 and 3
>
> Numan Siddique (1):
>   net: openvswitch: Be liberal in tcp conntrack.
>
> Paul Blakey (2):
>   net/sched: act_ct: Fill offloading tuple iifidx
>   net: openvswitch: Fill act ct extension
>
>  include/net/netfilter/nf_conntrack_act_ct.h  | 50 ++++++++++++++++++++++++++++
>  include/net/netfilter/nf_conntrack_extend.h  |  4 +++
>  include/net/netfilter/nf_conntrack_l4proto.h | 14 ++++++++
>  net/netfilter/nf_conntrack_core.c            |  6 +++-
>  net/netfilter/nf_conntrack_proto_tcp.c       |  6 ----
>  net/openvswitch/conntrack.c                  | 14 ++++++++
>  net/sched/act_ct.c                           | 27 +++++++++++++++
>  7 files changed, 114 insertions(+), 7 deletions(-)
>  create mode 100644 include/net/netfilter/nf_conntrack_act_ct.h
>