From patchwork Fri Jan 27 18:38:39 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 1733021
X-Patchwork-Delegate: pablo@netfilter.org
Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=Nvidia.com header.i=@Nvidia.com header.a=rsa-sha256 header.s=selector2 header.b=pQ8DBLyF; dkim-atps=neutral
From: Vlad Buslov
To: , , ,
CC: , , , , , , , , Vlad Buslov
Subject: [PATCH net-next v5 1/7] net: flow_offload: provision conntrack info in ct_metadata
Date: Fri, 27 Jan 2023 19:38:39 +0100
Message-ID: <20230127183845.597861-2-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

In order to offload connections in other states besides "established" the driver offload callbacks need to have access to connection conntrack info. Flow offload intermediate representation data structure already contains that data encoded in 'cookie' field, so just reuse it in the drivers.
Reject offloading IP_CT_NEW connections for now by returning an error in relevant driver callbacks based on value of ctinfo. Support for offloading such connections will need to be added to the drivers afterwards. Signed-off-by: Vlad Buslov --- Notes: Changes V3 -> V4: - Only obtain ctinfo in mlx5 after checking the meta action pointer. Changes V2 -> V3: - Reuse existing meta action 'cookie' field to obtain ctinfo instead of introducing a new field as suggested by Marcelo. Changes V1 -> V2: - Add missing include that caused compilation errors on certain configs. - Change naming in nfp driver as suggested by Simon and Baowen. .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 ++++ .../ethernet/netronome/nfp/flower/conntrack.c | 24 +++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index 313df8232db7..193562c14c44 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -1073,12 +1073,16 @@ mlx5_tc_ct_block_flow_offload_add(struct mlx5_ct_ft *ft, struct mlx5_tc_ct_priv *ct_priv = ft->ct_priv; struct flow_action_entry *meta_action; unsigned long cookie = flow->cookie; + enum ip_conntrack_info ctinfo; struct mlx5_ct_entry *entry; int err; meta_action = mlx5_tc_ct_get_ct_metadata_action(flow_rule); if (!meta_action) return -EOPNOTSUPP; + ctinfo = meta_action->ct_metadata.cookie & NFCT_INFOMASK; + if (ctinfo == IP_CT_NEW) + return -EOPNOTSUPP; spin_lock_bh(&ct_priv->ht_lock); entry = rhashtable_lookup_fast(&ft->ct_entries_ht, &cookie, cts_ht_params); diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c index f693119541d5..d23830b5bcb8 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c 
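Review bot: the mlx5 hunk decodes the conntrack state in the driver with `meta_action->ct_metadata.cookie & NFCT_INFOMASK`, and the nfp hunk in this same patch open-codes the identical expression, so both drivers are now tied to the `skb->_nfct`-style encoding that NFCT_INFOMASK assumes rather than to an abstraction owned by the flow offload core. Consider adding a small inline helper next to `struct flow_action_entry` in include/net/flow_offload.h (for example `flow_action_ct_metadata_ctinfo(const struct flow_action_entry *act)`) and calling it from both drivers, so that a future change of the cookie layout only has to touch one place. Placing the IP_CT_NEW check before `spin_lock_bh(&ct_priv->ht_lock)` is fine, since nothing has been allocated or inserted at that point.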
@@ -1964,6 +1964,27 @@ int nfp_fl_ct_stats(struct flow_cls_offload *flow, return 0; } +static bool +nfp_fl_ct_offload_nft_supported(struct flow_cls_offload *flow) +{ + struct flow_rule *flow_rule = flow->rule; + struct flow_action *flow_action = + &flow_rule->action; + struct flow_action_entry *act; + int i; + + flow_action_for_each(i, act, flow_action) { + if (act->id == FLOW_ACTION_CT_METADATA) { + enum ip_conntrack_info ctinfo = + act->ct_metadata.cookie & NFCT_INFOMASK; + + return ctinfo != IP_CT_NEW; + } + } + + return false; +} + static int nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offload *flow) { 
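Review bot: `nfp_fl_ct_offload_nft_supported()` returns false when the action list contains no FLOW_ACTION_CT_METADATA entry at all, so such flows are now rejected with -EOPNOTSUPP where they were previously accepted, which goes beyond the "reject IP_CT_NEW" behaviour the commit message describes. If a ct_metadata action is guaranteed for every flow that reaches this callback, a one-line comment above the final `return false;` saying so would stop the next reader from asking the same question; otherwise return true there so only the IP_CT_NEW case changes. Also consider an `NL_SET_ERR_MSG_MOD()` at the rejection point, since `flow->common.extack` is available, so the bare -EOPNOTSUPP can be told apart from the other unsupported-flow returns in this file.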
@@ -1976,6 +1997,9 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offl extack = flow->common.extack; switch (flow->command) { case FLOW_CLS_REPLACE: + if (!nfp_fl_ct_offload_nft_supported(flow)) + return -EOPNOTSUPP; + /* Netfilter can request offload multiple times for the same * flow - protect against adding duplicates. */
From patchwork Fri Jan 27 18:38:40 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 1733024
X-Patchwork-Delegate: pablo@netfilter.org
Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=Nvidia.com header.i=@Nvidia.com header.a=rsa-sha256 header.s=selector2 header.b=C0CY1keE; dkim-atps=neutral
From: Vlad Buslov
To: , , ,
CC: , , , , , , , , Vlad Buslov
Subject: [PATCH net-next v5 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state
Date: Fri, 27 Jan 2023 19:38:40 +0100
Message-ID: <20230127183845.597861-3-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

Currently flow_offload_fixup_ct() function assumes that only replied UDP connections can be offloaded and hardcodes UDP_CT_REPLIED timeout value. Allow users to modify timeout calculation by implementing new flowtable type callback 'timeout' and use the existing algorithm otherwise.
To enable UDP NEW connection offload in following patches implement 'timeout' callback in flowtable_ct of act_ct which extracts the actual connections state from ct->status and set the timeout according to it. Signed-off-by: Vlad Buslov --- Notes: Changes V3 -> V4: - Rework the patch to decouple netfilter and act_ct timeout fixup algorithms. include/net/netfilter/nf_flow_table.h | 6 +++- net/netfilter/nf_flow_table_core.c | 40 +++++++++++++++++++-------- net/netfilter/nf_flow_table_ip.c | 17 ++++++------ net/sched/act_ct.c | 35 ++++++++++++++++++++++- 4 files changed, 76 insertions(+), 22 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index cd982f4a0f50..a3e4b5127ad0 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -61,6 +61,9 @@ struct nf_flowtable_type { enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); void (*free)(struct nf_flowtable *ft); + bool (*timeout)(struct nf_flowtable *ft, + struct flow_offload *flow, + s32 *val); nf_hookfn *hook; struct module *owner; }; @@ -278,7 +281,8 @@ void nf_flow_table_cleanup(struct net_device *dev); int nf_flow_table_init(struct nf_flowtable *flow_table); void nf_flow_table_free(struct nf_flowtable *flow_table); -void flow_offload_teardown(struct flow_offload *flow); +void flow_offload_teardown(struct nf_flowtable *flow_table, + struct flow_offload *flow); void nf_flow_snat_port(const struct flow_offload *flow, struct sk_buff *skb, unsigned int thoff, diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 81c26a96c30b..e3eeea349c8d 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
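Review bot: the new `timeout` member of `struct nf_flowtable_type` is added without any comment on its contract, so a reader has to work out from nf_flow_table_core.c that returning false means "no timeout fixup applies to this ct's protocol, leave the conntrack timeout alone" and that `*val` is only meaningful when true is returned. A short comment beside the declaration, for example `/* compute the ct timeout to restore at teardown; false if not applicable */`, would pin that down for the act_ct implementation and for any future flowtable type. The `flow_offload_teardown()` signature change is to an EXPORT_SYMBOL_GPL symbol; all in-tree callers are updated within this patch, which keeps the series bisectable.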
@@ -178,28 +178,43 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp) tcp->seen[1].td_maxwin = 0; } -static void flow_offload_fixup_ct(struct nf_conn *ct) +static bool flow_offload_timeout_default(struct nf_conn *ct, s32 *timeout) { struct net *net = nf_ct_net(ct); int l4num = nf_ct_protonum(ct); - s32 timeout; if (l4num == IPPROTO_TCP) { struct nf_tcp_net *tn = nf_tcp_pernet(net); flow_offload_fixup_tcp(&ct->proto.tcp); - timeout = tn->timeouts[ct->proto.tcp.state]; - timeout -= tn->offload_timeout; + *timeout = tn->timeouts[ct->proto.tcp.state]; + *timeout -= tn->offload_timeout; } else if (l4num == IPPROTO_UDP) { struct nf_udp_net *tn = nf_udp_pernet(net); - timeout = tn->timeouts[UDP_CT_REPLIED]; - timeout -= tn->offload_timeout; + *timeout = tn->timeouts[UDP_CT_REPLIED]; + *timeout -= tn->offload_timeout; } else { - return; + return false; } + return true; +} + +static void flow_offload_fixup_ct(struct nf_flowtable *flow_table, + struct flow_offload *flow) +{ + struct nf_conn *ct = flow->ct; + bool needs_fixup; + s32 timeout; + + needs_fixup = flow_table->type->timeout ? + flow_table->type->timeout(flow_table, flow, &timeout) : + flow_offload_timeout_default(ct, &timeout); + if (!needs_fixup) + return; + if (timeout < 0) timeout = 0; @@ -348,11 +363,12 @@ static void flow_offload_del(struct nf_flowtable *flow_table, flow_offload_free(flow); } -void flow_offload_teardown(struct flow_offload *flow) +void flow_offload_teardown(struct nf_flowtable *flow_table, + struct flow_offload *flow) { clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status); set_bit(NF_FLOW_TEARDOWN, &flow->flags); - flow_offload_fixup_ct(flow->ct); + flow_offload_fixup_ct(flow_table, flow); } EXPORT_SYMBOL_GPL(flow_offload_teardown); 
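Review bot: `flow_offload_timeout_default()` still hardcodes `tn->timeouts[UDP_CT_REPLIED]` for UDP, which is exactly the assumption the commit message calls out as wrong for unreplied connections, so any flowtable type that does not implement `timeout` keeps restoring a REPLIED-length timeout for a UDP ct that never saw a reply. Since the act_ct callback introduced in this patch differs only in choosing UDP_CT_UNREPLIED or UDP_CT_REPLIED from IPS_SEEN_REPLY_BIT, and that choice is valid for every ct, consider making that selection the default here and leaving the `timeout` hook for types that genuinely diverge. Minor: `needs_fixup` really carries "a timeout was computed"; naming it `have_timeout` or similar would match the callback's return semantics.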
@@ -421,7 +437,7 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, { if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct)) - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) { if (test_bit(NF_FLOW_HW, &flow->flags)) { @@ -569,14 +585,14 @@ static void nf_flow_table_do_cleanup(struct nf_flowtable *flow_table, struct net_device *dev = data; if (!dev) { - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); return; } if (net_eq(nf_ct_net(flow->ct), dev_net(dev)) && (flow->tuplehash[0].tuple.iifidx == dev->ifindex || flow->tuplehash[1].tuple.iifidx == dev->ifindex)) - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); } void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable, diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 19efba1e51ef..9c97b9994a96 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -18,7 +18,8 @@ #include #include -static int nf_flow_state_check(struct flow_offload *flow, int proto, +static int nf_flow_state_check(struct nf_flowtable *flow_table, + struct flow_offload *flow, int proto, struct sk_buff *skb, unsigned int thoff) { struct tcphdr *tcph; @@ -28,7 +29,7 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto, tcph = (void *)(skb_network_header(skb) + thoff); if (unlikely(tcph->fin || tcph->rst)) { - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); return -1; } 
@@ -373,11 +374,11 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, iph = (struct iphdr *)(skb_network_header(skb) + offset); thoff = (iph->ihl * 4) + offset; - if (nf_flow_state_check(flow, iph->protocol, skb, thoff)) + if (nf_flow_state_check(flow_table, flow, iph->protocol, skb, thoff)) return NF_ACCEPT; if (!nf_flow_dst_check(&tuplehash->tuple)) { - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); return NF_ACCEPT; } @@ -419,7 +420,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, case FLOW_OFFLOAD_XMIT_DIRECT: ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IP); if (ret == NF_DROP) - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); break; default: WARN_ON_ONCE(1); @@ -639,11 +640,11 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, ip6h = (struct ipv6hdr *)(skb_network_header(skb) + offset); thoff = sizeof(*ip6h) + offset; - if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff)) + if (nf_flow_state_check(flow_table, flow, ip6h->nexthdr, skb, thoff)) return NF_ACCEPT; if (!nf_flow_dst_check(&tuplehash->tuple)) { - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); return NF_ACCEPT; } @@ -684,7 +685,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, case FLOW_OFFLOAD_XMIT_DIRECT: ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IPV6); if (ret == NF_DROP) - flow_offload_teardown(flow); + flow_offload_teardown(flow_table, flow); break; default: WARN_ON_ONCE(1); diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 0ca2bb8ed026..861305c9c079 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -274,8 +274,41 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, return err; } +static bool tcf_ct_flow_table_get_timeout(struct nf_flowtable *ft, + struct flow_offload *flow, + s32 *val) +{ + struct nf_conn *ct = flow->ct; + int l4num = + nf_ct_protonum(ct); + struct net *net = + nf_ct_net(ct); + + if (l4num == IPPROTO_TCP) { + struct nf_tcp_net *tn = nf_tcp_pernet(net); + + ct->proto.tcp.seen[0].td_maxwin = 0; + ct->proto.tcp.seen[1].td_maxwin = 0; + *val = tn->timeouts[ct->proto.tcp.state]; + *val -= tn->offload_timeout; + } else if (l4num == IPPROTO_UDP) { + struct nf_udp_net *tn = nf_udp_pernet(net); + enum udp_conntrack state = + test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + UDP_CT_REPLIED : UDP_CT_UNREPLIED; + + *val = tn->timeouts[state]; + *val -= tn->offload_timeout; + } else { + return false; + } + + return true; +} + static struct nf_flowtable_type flowtable_ct = { .action = tcf_ct_flow_table_fill_actions, + .timeout = tcf_ct_flow_table_get_timeout, .owner = THIS_MODULE, }; 
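Review bot: the TCP branch of `tcf_ct_flow_table_get_timeout()` re-implements what `flow_offload_fixup_tcp()` and the TCP arm of `flow_offload_timeout_default()` already do in nf_flow_table_core.c (the two `td_maxwin = 0` resets and `timeouts[state] - offload_timeout`), so the two copies can drift if the core later changes its TCP fixup. If a separate act_ct callback is kept, expose the core helper (for example by exporting `flow_offload_timeout_default()` or a TCP-only variant) and have this function override only the UDP state selection, which is the one line that actually differs.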
@@ -622,7 +655,7 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, ct = flow->ct; if (tcph && (unlikely(tcph->fin || tcph->rst))) { - flow_offload_teardown(flow); + flow_offload_teardown(nf_ft, flow); return false; } From patchwork Fri Jan 27 18:38:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vlad Buslov X-Patchwork-Id: 1733023 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=2620:137:e000::1:20; helo=out1.vger.email; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=Nvidia.com header.i=@Nvidia.com header.a=rsa-sha256 header.s=selector2 header.b=ikfLJ9zD; dkim-atps=neutral Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by legolas.ozlabs.org (Postfix) with ESMTP id 4P3RFD4HlNz23hw for ; Sat, 28 Jan 2023 05:39:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234996AbjA0SjZ (ORCPT ); Fri, 27 Jan 2023 13:39:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46532 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235088AbjA0SjX (ORCPT ); Fri, 27 Jan 2023 13:39:23 -0500 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2068.outbound.protection.outlook.com [40.107.243.68]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A3B86E96; Fri, 27 Jan 2023 10:39:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
b=oTXS11/YiJRwO1pOCXS67qkFyAVYTg3chVjuyFotpLaOFJI/Cs3Z2E33Q6smY6drZEQ86LtsZtp22SHtGqzaVJtrTStSLugxIQBueFo0AZisCY1fCdV4/sNHWQP0WMaLjcSFwNM9N+EBtPtgi/3e53ApoT6AJjpQ42AXDhKyKO+QLBc4Y8r25X6QHmD3sW5ZKko0kCSHFskObPIZCP/L0nwvBXaMkwrnSmkYa/lDMQGbqPqka9UDRB+rElGpDmtzg3EuQcrP12m8RsOniIhdqAxz+p8H9ExwGRGwU8qG0bOQR0SerELOL9Sl15Z0GuGqwu2MNjgLZfUsHleMBBeWvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jiEHwNRseUOKk2qsnr28Ib/6wkMAHi8nqCcurGrTgE8=; b=SWM9Qrc+IPZ+9/yqVQyIFsa3YuX5UZ4KPFl4BUUuRtEf6RK7Dmu3oGlpe8beD8vW4yIVzO+U+BIoNnG3Mu6urJkgfdCGW/xp8PK/YDN0aZBWcC/YlxChYIe0cqvS8F8v71a94Rp2C29BNo/GbLk4WXV2IBJTlujboczRFs5UeevRbBgcocxkzoRFMQI6sEJQMOgIbmQYc9xAaTmPlEsUUy0TGznQ9Ft76eiq52aXsc33dftWEyFXPRdhiPj3yiyUgH4dMd84UQg+txfsjpsp3YbEj2Pv43tBJL68dveD5lExIQoSoLLdzV15UtUmavPA+75NNwv4LwIE40wMK5DfnQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=davemloft.net smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jiEHwNRseUOKk2qsnr28Ib/6wkMAHi8nqCcurGrTgE8=; b=ikfLJ9zDLsvN2Mcumg+03CiLNXggsHjmJmo07+N3j1HO3wUqLeela1r1Itu9r62CaQqq72tRbfuxz9ThzTed2/rL+lM3EyM6hd2+QvHmzeY+MewA32Qj2WXmO2SBvXEDqkpN+rYc8FMAYRUG/HQCSuWepaKZHGF7jmx71sRgaLd5nX8ZkbKS2KfUiWMqA9erQfNzyE4HZoTPsZqDSM8C9z0BgO0n2Te62xuWq6Ju94b21zvANx1XmyvGI9AoTFN7sc/1nOg2vRiDlihyQm3SbmUZ4pPY+Ue0SOyVxs4QA9qbTh657g2VImJKD1s8YWaNycPB+UMFLEFyobXdiF8NtQ== Received: from CY5PR20CA0026.namprd20.prod.outlook.com (2603:10b6:930:3::23) by BL0PR12MB4994.namprd12.prod.outlook.com (2603:10b6:208:1ca::13) with 
From: Vlad Buslov
Subject: [PATCH net-next v5 3/7] netfilter: flowtable: allow unidirectional rules
Date: Fri, 27 Jan 2023 19:38:41 +0100
Message-ID: <20230127183845.597861-4-vladbu@nvidia.com>
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
Modify flow table offload to support unidirectional connections by extending enum nf_flow_flags with a new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only offload the reply direction when the flag is set.

This infrastructure change is necessary to support offloading UDP NEW connections in the original direction in the following patches in the series.

Signed-off-by: Vlad Buslov

---

Notes: Changes V2 -> V3: - Fix error in commit message (spotted by Marcelo).

include/net/netfilter/nf_flow_table.h | 1 + net/netfilter/nf_flow_table_offload.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index a3e4b5127ad0..103798ae10fc 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -167,6 +167,7 @@ enum nf_flow_flags { NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, + NF_FLOW_HW_BIDIRECTIONAL, }; enum flow_offload_type { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d9b99abe37d..8b852f10fab4 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c
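Review bot: NF_FLOW_HW_BIDIRECTIONAL is added to enum nf_flow_flags (the nf_flow_table.h hunk) without a comment, and nothing distinguishes it from the neighbouring NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD and NF_FLOW_HW_PENDING bits, which are state maintained by the offload machinery rather than an input chosen by the flow owner. A one-line comment saying who sets this flag, when, and whether it may change after the flow has been queued for hardware add would help, since three call sites in nf_flow_table_offload.c now branch on it.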
@@ -895,8 +895,9 @@ static int flow_offload_rule_add(struct flow_offload_work *offload, ok_count += flow_offload_tuple_add(offload, flow_rule[0], FLOW_OFFLOAD_DIR_ORIGINAL); - ok_count += flow_offload_tuple_add(offload, flow_rule[1], - FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + ok_count += flow_offload_tuple_add(offload, flow_rule[1], + FLOW_OFFLOAD_DIR_REPLY); if (ok_count == 0) return -ENOENT; @@ -926,7 +927,8 @@ static void flow_offload_work_del(struct flow_offload_work *offload) { clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL); - flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags); } 
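Review bot: flow_offload_work_del() now deletes the reply tuple only if NF_FLOW_HW_BIDIRECTIONAL is set at deletion time, whereas flow_offload_rule_add() decided whether to program that tuple from the flag's value at add time; if the flag can change in between (the commit message says unidirectional rules exist so that UDP NEW flows can be offloaded in the original direction first), del may try to remove a reply tuple that was never added, or leave one behind if the flag was cleared. Either document that the flag is immutable once the add work is queued, or record which directions were actually programmed (for example in struct flow_offload_work) and consult that in del and stats instead of re-reading the flag. The identical test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags) now appears in three functions; a small helper would keep the call sites consistent.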
@@ -946,7 +948,9 @@ static void flow_offload_work_stats(struct flow_offload_work *offload) u64 lastused; flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]); - flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, + &stats[1]); lastused = max_t(u64, stats[0].lastused, stats[1].lastused); offload->flow->timeout = max_t(u64, offload->flow->timeout,
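Review bot: stats[1].lastused is still read unconditionally in lastused = max_t(u64, stats[0].lastused, stats[1].lastused) although the reply-direction stats call that used to fill stats[1] is now skipped for unidirectional flows; the declaration of stats[] lies outside the hunk, so please make sure it is zero-initialised in this function, otherwise stack garbage can raise lastused and the timeout derived from it, keeping a flow offloaded past its conntrack timeout. An explicit else branch zeroing stats[1], or a comment on the initialisation, would make the dependency visible at this site.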
From: Vlad Buslov
Subject: [PATCH net-next v5 4/7] netfilter: flowtable: save ctinfo in flow_offload
Date: Fri, 27 Jan 2023 19:38:42 +0100
Message-ID: <20230127183845.597861-5-vladbu@nvidia.com>
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
Extend struct flow_offload with a generic 'ext_data' field. Use the field in act_ct to cache the last ctinfo value that was used to update the hardware offload when generating the actions. This is used to optimize the flow refresh algorithm in the following patches.

Signed-off-by: Vlad Buslov

---

Notes: Changes V3 -> V4: - New patch replaces gc async update that is no longer needed after refactoring of following act_ct patches.

include/net/netfilter/nf_flow_table.h | 7 ++++--- net/netfilter/nf_flow_table_inet.c | 2 +- net/netfilter/nf_flow_table_offload.c | 6 +++--- net/sched/act_ct.c | 12 +++++++----- 4 files changed, 15 insertions(+), 12 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 103798ae10fc..6f3250624d49 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -57,7 +57,7 @@ struct nf_flowtable_type { struct net_device *dev, enum flow_block_command cmd); int (*action)(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); void (*free)(struct nf_flowtable *ft); @@ -178,6 +178,7 @@ enum flow_offload_type { struct flow_offload { struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX]; struct nf_conn *ct; + void *ext_data; unsigned long flags; u16 type; u32 timeout;
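Review bot: the new void *ext_data member of struct flow_offload (the @@ -178 hunk) carries no comment on what it holds, who owns it or how it is synchronised; act_ct stores a plain enum value in it through WRITE_ONCE((void *)ctinfo), so either a typed member (unsigned long, or the enum itself) or a comment stating that the field is opaque to the flowtable core and must be accessed with the WRITE_ONCE/READ_ONCE pair would make the contract clear. Dropping const from the ->action callback in the @@ -57 hunk exists only to permit that one write and is what forces the const removals in nf_flow_table_inet.c and nf_flow_table_offload.c below; that justification belongs in the commit message so a later reader does not try to restore the const.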
@@ -317,10 +318,10 @@ void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, struct net_device *dev, enum flow_block_command cmd); -int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); -int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c index 0ccabf3fa6aa..9505f9d188ff 100644 --- a/net/netfilter/nf_flow_table_inet.c +++ b/net/netfilter/nf_flow_table_inet.c @@ -39,7 +39,7 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, } static int nf_flow_rule_route_inet(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 8b852f10fab4..1c26f03fc661 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -679,7 +679,7 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow, return 0; } -int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { 
@@ -704,7 +704,7 @@ int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, } EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv4); -int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { @@ -735,7 +735,7 @@ nf_flow_offload_rule_alloc(struct net *net, { const struct nf_flowtable *flowtable = offload->flowtable; const struct flow_offload_tuple *tuple, *other_tuple; - const struct flow_offload *flow = offload->flow; + struct flow_offload *flow = offload->flow; struct dst_entry *other_dst = NULL; struct nf_flow_rule *flow_rule; int err = -ENOMEM; diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 861305c9c079..48b88c96de86 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -170,11 +170,11 @@ tcf_ct_flow_table_add_action_nat_udp(const struct nf_conntrack_tuple *tuple, static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, enum ip_conntrack_dir dir, + enum ip_conntrack_info ctinfo, struct flow_action *action) { struct nf_conn_labels *ct_labels; struct flow_action_entry *entry; - enum ip_conntrack_info ctinfo; u32 *act_ct_labels; entry = tcf_ct_flow_table_flow_action_get_next(action); @@ -182,8 +182,6 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) entry->ct_metadata.mark = READ_ONCE(ct->mark); #endif - ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL; 
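Review bot: tcf_ct_flow_table_add_action_meta() now takes ctinfo from its caller and ORs it straight into entry->ct_metadata.cookie via (unsigned long)ct | ctinfo, relying on the comment "aligns with the CT reference on the SKB nf_ct_set" for correctness; since the value is no longer derived locally from dir, add a kernel-doc line on the new parameter stating that only ctinfo values that fit in the low alignment bits of the ct pointer are valid (the same constraint nf_ct_set() has), so that a future caller cannot pass something that corrupts the pointer half of the cookie.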
@@ -237,22 +235,26 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net, } static int tcf_ct_flow_table_fill_actions(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir tdir, struct nf_flow_rule *flow_rule) { struct flow_action *action = &flow_rule->rule->action; int num_entries = action->num_entries; struct nf_conn *ct = flow->ct; + enum ip_conntrack_info ctinfo; enum ip_conntrack_dir dir; int i, err; switch (tdir) { case FLOW_OFFLOAD_DIR_ORIGINAL: dir = IP_CT_DIR_ORIGINAL; + ctinfo = IP_CT_ESTABLISHED; + WRITE_ONCE(flow->ext_data, (void *)ctinfo); break; case FLOW_OFFLOAD_DIR_REPLY: dir = IP_CT_DIR_REPLY; + ctinfo = IP_CT_ESTABLISHED_REPLY; break; default: return -EOPNOTSUPP; 
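Review bot: WRITE_ONCE(flow->ext_data, (void *)ctinfo) runs only in the FLOW_OFFLOAD_DIR_ORIGINAL case, so ext_data never reflects the reply direction; that matches the commit message's "last ctinfo value used to update the hardware offload" only if the reader already knows that the reply direction is always IP_CT_ESTABLISHED_REPLY, so a one-line comment at the write site saying that only the original direction is cached would prevent the next reader from assuming both are. The cast of an enum through (void *) also needs the matching (enum ip_conntrack_info)(unsigned long)READ_ONCE(flow->ext_data) on the reading side; a pair of small accessors would keep both casts in one place.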
@@ -262,7 +264,7 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, if (err) goto err_nat; - tcf_ct_flow_table_add_action_meta(ct, dir, action); + tcf_ct_flow_table_add_action_meta(ct, dir, ctinfo, action); return 0; err_nat:
From: Vlad Buslov
Subject: [PATCH net-next v5 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state
Date: Fri, 27 Jan 2023 19:38:43 +0100
Message-ID: <20230127183845.597861-6-vladbu@nvidia.com>
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
Currently the tcf_ct_flow_table_add_action_meta() function assumes that only established connections can be offloaded and always sets ctinfo to either IP_CT_ESTABLISHED or IP_CT_ESTABLISHED_REPLY strictly based on direction, without checking the actual connection state. To enable UDP NEW connection offload, set the ctinfo and metadata cookie based on the ct->status value.

Signed-off-by: Vlad Buslov

---

net/sched/act_ct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 48b88c96de86..2b81a7898662 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c
@@ -249,7 +249,8 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, switch (tdir) { case FLOW_OFFLOAD_DIR_ORIGINAL: dir = IP_CT_DIR_ORIGINAL; - ctinfo = IP_CT_ESTABLISHED; + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; WRITE_ONCE(flow->ext_data, (void *)ctinfo); break; case FLOW_OFFLOAD_DIR_REPLY:
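Review bot: the test_bit(IPS_SEEN_REPLY_BIT, &ct->status) read is unsynchronised against the conntrack core setting that bit on the first reply packet, so a rule can be programmed with IP_CT_NEW in its cookie an instant after the connection became established; that is presumably acceptable because the ext_data value cached on the same line lets a later refresh reprogram the rule (the 4/7 commit message describes that use), but the commit message here should say so and should state what software sees in the meantime, namely hardware-matched packets carrying ctinfo IP_CT_NEW instead of IP_CT_ESTABLISHED. The FLOW_OFFLOAD_DIR_REPLY case (set to IP_CT_ESTABLISHED_REPLY in 4/7) stays hardcoded, which is correct only because a reply tuple is never offloaded for a flow whose original direction is still NEW; that dependency on NF_FLOW_HW_BIDIRECTIONAL deserves a comment at this switch.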
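The cookie that this patch now fills with either IP_CT_NEW or IP_CT_ESTABLISHED is a tagged pointer: the conntrack pointer and the ctinfo share one word, which only works because struct nf_conn is aligned so its low bits are free. The following is an added illustration of that packing and the matching unpack step, written for this page and not taken from the kernel or from the series; the enum values and the 3-bit mask mirror the kernel's definitions (NFCT_INFOMASK is 7UL in include/linux/skbuff.h), struct nf_conn is a stand-in that only reproduces the alignment, and the ct_cookie_* helper names are invented for the example.

```c
/*
 * Added illustration (not kernel code): pack a conntrack pointer and its
 * ctinfo into one cookie word, as act_ct does with
 *     entry->ct_metadata.cookie = (unsigned long)ct | ctinfo;
 * and split the two apart again the way a receiver of the cookie must.
 */
#include <stdalign.h>
#include <stdbool.h>
#include <stdint.h>

/* Values follow the kernel's enum ip_conntrack_info (uapi). */
enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0,
	IP_CT_RELATED = 1,
	IP_CT_NEW = 2,
	IP_CT_IS_REPLY = 3,
	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
};

#define NFCT_INFOMASK 7UL           /* low 3 bits of the cookie carry ctinfo */
#define NFCT_PTRMASK  (~NFCT_INFOMASK)

/* Kernel value of IPS_SEEN_REPLY_BIT; used to mimic the 5/7 ctinfo choice. */
#define IPS_SEEN_REPLY_BIT 1
#define IPS_SEEN_REPLY (1UL << IPS_SEEN_REPLY_BIT)

/* Stand-in for struct nf_conn: only its 8-byte alignment matters here. */
struct nf_conn {
	alignas(8) unsigned long status;
};

/*
 * Pack like the patch does. Returns 0 when the pointer is not aligned well
 * enough to leave the low bits free, or when ctinfo would not fit in them;
 * the real kernel code has no such check and relies on the alignment of
 * struct nf_conn instead.
 */
static inline unsigned long ct_cookie_pack(const struct nf_conn *ct,
					   enum ip_conntrack_info ctinfo)
{
	unsigned long p = (unsigned long)ct;

	if ((p & NFCT_INFOMASK) || ((unsigned long)ctinfo & ~NFCT_INFOMASK))
		return 0;
	return p | (unsigned long)ctinfo;
}

/* Recover the pointer half of the cookie. */
static inline struct nf_conn *ct_cookie_ct(unsigned long cookie)
{
	return (struct nf_conn *)(cookie & NFCT_PTRMASK);
}

/* Recover the ctinfo half of the cookie. */
static inline enum ip_conntrack_info ct_cookie_info(unsigned long cookie)
{
	return (enum ip_conntrack_info)(cookie & NFCT_INFOMASK);
}

/* Original-direction ctinfo selection as in the hunk above. */
static inline enum ip_conntrack_info orig_dir_ctinfo(const struct nf_conn *ct)
{
	return (ct->status & IPS_SEEN_REPLY) ? IP_CT_ESTABLISHED : IP_CT_NEW;
}

/*
 * Round trip on a constructed conntrack entry: first while no reply has been
 * seen (cookie must decode to IP_CT_NEW), then after the reply bit is set
 * (cookie must decode to IP_CT_ESTABLISHED). Returns true if both hold.
 */
bool ct_cookie_roundtrip(void)
{
	struct nf_conn ct = { .status = 0 };   /* constructed sample entry */
	unsigned long cookie;

	cookie = ct_cookie_pack(&ct, orig_dir_ctinfo(&ct));
	if (!cookie || ct_cookie_ct(cookie) != &ct ||
	    ct_cookie_info(cookie) != IP_CT_NEW)
		return false;

	ct.status |= IPS_SEEN_REPLY;            /* first reply packet seen */
	cookie = ct_cookie_pack(&ct, orig_dir_ctinfo(&ct));
	return cookie && ct_cookie_ct(cookie) == &ct &&
	       ct_cookie_info(cookie) == IP_CT_ESTABLISHED;
}
```

The explicit alignment check in ct_cookie_pack() is the one thing the kernel leaves implicit: if struct nf_conn were ever packed more tightly than 8 bytes, the ctinfo bits would silently overwrite part of the pointer, and the decoded ct would point somewhere else entirely.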
From: Vlad Buslov
To: , , ,
CC: , , , , , , , , Vlad Buslov
Subject: [PATCH net-next v5 6/7] net/sched: act_ct: offload UDP NEW connections
Date: Fri, 27 Jan 2023 19:38:44 +0100
Message-ID: <20230127183845.597861-7-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
MIME-Version: 1.0
X-Mailing-List: netfilter-devel@vger.kernel.org

Modify the offload algorithm of UDP connections to the following:

- Offload NEW connection as unidirectional.

- When connection state changes to ESTABLISHED also update the hardware
  flow. However, in order to prevent act_ct from spamming offload add wq for
  every packet coming in reply direction in this state verify whether
  connection has already been updated to ESTABLISHED in the drivers. If that
  is the case, then skip flow_table and let conntrack handle such packets
  which will also allow conntrack to potentially promote the connection to
  ASSURED.

- When connection state changes to ASSURED set the flow_table flow
  NF_FLOW_HW_BIDIRECTIONAL flag which will cause refresh mechanism to offload
  the reply direction.

All other protocols have their offload algorithm preserved and are always
offloaded as bidirectional.

Note that this change tries to minimize the load on flow_table add
workqueue. First, it tracks the last ctinfo that was offloaded by using new
flow 'ext_data' field and doesn't schedule the refresh for reply direction
packets when the offloads have already been updated with current ctinfo.
Second, when 'add' task executes on workqueue it always updates the offload
with current flow state (by checking 'bidirectional' flow flag and obtaining
actual ctinfo/cookie through meta action instead of caching any of these
from the moment of scheduling the 'add' work) preventing the need for
scheduling more updates if state changed concurrently while the 'add' work
was pending on workqueue.

Signed-off-by: Vlad Buslov
---
Notes:
    Changes V4 -> V5:
    - Make clang happy.

    Changes V3 -> V4:
    - Refactor the patch to leverage the refresh code and new flow
      'ext_data' field in order to change the offload state instead of
      relying on async gc update.

 net/sched/act_ct.c | 51 +++++++++++++++++++++++++++++++++++-----------
 1 file changed, 39 insertions(+), 12 deletions(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 2b81a7898662..5107f4149474 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -401,7 +401,7 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, - bool tcp) + bool tcp, bool bidirectional) { struct nf_conn_act_ct_ext *act_ct_ext; struct flow_offload *entry; @@ -420,6 +420,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; } + if (bidirectional) + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags); act_ct_ext = nf_conn_act_ct_ext_find(ct); if (act_ct_ext) { @@ -443,26 +445,34 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - bool tcp = false; - - if ((ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || - !test_bit(IPS_ASSURED_BIT, &ct->status)) - return; + bool tcp = false, bidirectional = true; switch (nf_ct_protonum(ct)) { case IPPROTO_TCP: - tcp = true; - if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) return; + + tcp = true; break; case IPPROTO_UDP: + if (!nf_ct_is_confirmed(ct)) + return; + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) + bidirectional = false; break; #ifdef CONFIG_NF_CT_PROTO_GRE case IPPROTO_GRE: { struct nf_conntrack_tuple *tuple; - if (ct->status & IPS_NAT_MASK) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->status & IPS_NAT_MASK) return; + tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; /* No support for GRE v1 */ if (tuple->src.u.gre.key || tuple->dst.u.gre.key) 
@@ -478,7 +488,7 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, ct->status & IPS_SEQ_ADJUST) return; - tcf_ct_flow_table_add(ct_ft, ct, tcp); + tcf_ct_flow_table_add(ct_ft, ct, tcp, bidirectional); } static bool 
@@ -657,13 +667,30 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); ct = flow->ct; + if (dir == FLOW_OFFLOAD_DIR_REPLY && + !test_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags)) { + /* Only offload reply direction after connection became + * assured. + */ + if (test_bit(IPS_ASSURED_BIT, &ct->status)) + set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + else if (READ_ONCE(flow->ext_data) == IP_CT_ESTABLISHED) + /* If flow_table flow has already been updated to the + * established state, then don't refresh. + */ + return false; + } + if (tcph && (unlikely(tcph->fin || tcph->rst))) { flow_offload_teardown(nf_ft, flow); return false; } - ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == FLOW_OFFLOAD_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; flow_offload_refresh(nf_ft, flow); nf_conntrack_get(&ct->ct_general);
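Review bot: in the tcf_ct_flow_table_add() hunk, `__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags)` uses the non-atomic variant while the tcf_ct_flow_table_lookup() hunk later does `set_bit()` on the same flags word; that is only safe if entry has not yet been published to other CPUs at this point, so either a one-line comment stating that invariant or using set_bit() for symmetry would keep a future reorder from turning this into a lost update.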
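Review bot: in the tcf_ct_flow_table_process_conn() hunk the `ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY` plus `!test_bit(IPS_ASSURED_BIT, ...)` condition is now duplicated verbatim in the IPPROTO_TCP and IPPROTO_GRE arms; computing it once before the switch (or in a small static helper) would keep the two from diverging. The IPPROTO_UDP arm intentionally drops that condition and offloads as soon as `nf_ct_is_confirmed(ct)`, which is what lets a single packet create an offloaded entry; a comment next to it pointing at the early-drop change in patch 7/7 of this series would document why that is acceptable for the conntrack table.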
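Review bot: in the tcf_ct_flow_table_lookup() hunk, `READ_ONCE(flow->ext_data) == IP_CT_ESTABLISHED` compares a `void *` against an enum value (the writer side in the tcf_ct_flow_table_fill_actions() hunk stores `(void *)ctinfo`); a dedicated flow flag bit or an integer field would make the intent explicit instead of relying on pointer/integer punning. Also worth confirming: when a reply-direction packet arrives while ext_data does not yet read IP_CT_ESTABLISHED, the new block falls through to `flow_offload_refresh(nf_ft, flow)` rather than returning false, so that packet stays on the flow-table path; if that bypasses conntrack, IPS_SEEN_REPLY_BIT is never set on the connection and the original direction keeps being offloaded as IP_CT_NEW. Finally, `test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? IP_CT_ESTABLISHED : IP_CT_NEW` is the same expression used in tcf_ct_flow_table_fill_actions(); a shared helper would keep the two in sync.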
From: Vlad Buslov
To: , , ,
CC: , , , , , , , , Vlad Buslov
Subject: [PATCH net-next v5 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns
Date: Fri, 27 Jan 2023 19:38:45 +0100
Message-ID: <20230127183845.597861-8-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230127183845.597861-1-vladbu@nvidia.com>
References: <20230127183845.597861-1-vladbu@nvidia.com>
MIME-Version: 1.0
X-Mailing-List: netfilter-devel@vger.kernel.org

Both synchronous early drop algorithm and asynchronous gc worker completely
ignore connections with IPS_OFFLOAD_BIT status bit set. With new
functionality that enabled UDP NEW connection offload in action CT malicious
user can flood the conntrack table with offloaded UDP connections by just
sending a single packet per 5tuple because such connections can no longer be
deleted by early drop algorithm.

To mitigate the issue allow both early drop and gc to consider offloaded UDP
connections for deletion.

Signed-off-by: Vlad Buslov
---
 net/netfilter/nf_conntrack_core.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 496c4920505b..52b824a60176 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1374,9 +1374,6 @@ static unsigned int early_drop_list(struct net *net, hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) { tmp = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) - continue; - if (nf_ct_is_expired(tmp)) { nf_ct_gc_expired(tmp); continue;
@@ -1446,11 +1443,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct) static bool gc_worker_can_early_drop(const struct nf_conn *ct) { const struct nf_conntrack_l4proto *l4proto; + u8 protonum = nf_ct_protonum(ct); + if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP) + return false; if (!test_bit(IPS_ASSURED_BIT, &ct->status)) return true; - l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); + l4proto = nf_ct_l4proto_find(protonum); if (l4proto->can_early_drop && l4proto->can_early_drop(ct)) return true; @@ -1507,7 +1507,8 @@ static void gc_worker(struct work_struct *work) if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { nf_ct_offload_timeout(tmp); - continue; + if (!nf_conntrack_max95) + continue; } if (expired_count > GC_SCAN_EXPIRED_MAX) {
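Review bot: in the early_drop_list() hunk the IPS_OFFLOAD_BIT skip is removed unconditionally, whereas gc_worker_can_early_drop() in the following hunk keeps offloaded non-UDP connections protected with `protonum != IPPROTO_UDP`; since the commit message says only offloaded UDP connections should become eligible, either the same protocol check belongs here too or a comment should name the later test that keeps offloaded TCP/GRE entries out of early drop. Separately, offloaded entries now reach `nf_ct_is_expired(tmp)` here without the `nf_ct_offload_timeout(tmp)` refresh that gc_worker() applies first, so it is worth confirming that the ct timeout of an offloaded flow is kept fresh elsewhere before it can be reaped as expired on this path.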
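Review bot: in the gc_worker_can_early_drop() hunk the new `test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP` check sits before the IPS_ASSURED_BIT test, so an offloaded UDP connection that is not yet assured returns true and becomes an early-drop candidate immediately; that matches the commit message, but a comment tying the UDP exemption to the unidirectional UDP NEW offload introduced in patch 6/7 would explain to a later reader why this protocol alone is singled out, and why `l4proto->can_early_drop` is still consulted for the assured UDP case.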
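Review bot: in the gc_worker() hunk the offloaded branch now falls through whenever `nf_conntrack_max95` is set and relies on gc_worker_can_early_drop() from the previous hunk to filter out offloaded non-UDP entries; a short comment at `if (!nf_conntrack_max95)` saying that offloaded entries are only considered for early drop under table pressure would make that dependency explicit, since `nf_ct_offload_timeout(tmp)` is still applied just before and a reader could otherwise assume the fall-through reaps them as expired.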