From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Thu, 15 Aug 2019 12:31:11 -0700
Message-Id: <1565897480-120133-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH v4 0/9] Support zone-based conntrack timeout policy

This patch series enables zone-based conntrack timeout policy support in
OVS.

Timeout policy is a set of timeout attributes that can be associated with
a connection when it is committed. Then, the connection tracking system
will expire a connection based on its connection state. For example, one
use case would be to extend the timeout of a TCP connection in the
established state to avoid re-connect overhead. Another use case may be to
shorten the connection timeout so that the system can reclaim resources
faster.

The idea of zone-based conntrack timeout policy is to group connections
with similar characteristics in a conntrack zone, and assign a timeout
policy to the conntrack zone. In this way, all the connections in that
zone will share the same timeout policy.

For zone-based timeout policy configuration, the association of conntrack
zone and conntrack timeout policy is defined per datapath in the vswitchd
ovsdb schema. Users can program the database through ovs-vsctl or using
the ovsdb protocol directly. Once the zone-based timeout policy
configuration is in the database, vswitchd will read that configuration,
organize it in an internal datapath structure, and push the timeout policy
into the datapath. Currently, only the kernel datapath supports customized
timeout policy.

When a packet is committed to the connection tracking system, during flow
translation in ofproto-dpif-xlate, vswitchd will look up the internal data
structure to figure out which timeout policy to associate with the
connection. If a timeout policy is not specified for the committed zone,
it defaults to the timeout policy in the default zone (zone 0). If the
timeout policy is not specified in the default zone, it defaults to the
system default timeouts.

Here are some more details about each patch

* p01: Introduce ovsdb schema for ct timeout policy.
* p02: ovs-vsctl commands to configure zone-based ct timeout policy.
* p03: Expose a utility function.
* p04: dpif interface along with dpif-netlink implementation to support
       ct timeout policy.
* p05: Consume ct timeout policy configuration from ovsdb server, keep it
       in an internal data structure, and push configuration to datapath.
* p06: Add utility function to help compare two simaps.
* p07-08: Kernel datapath support for the new ct action attribute.
* p09: Translate timeout policy in ofproto-dpif-xlate and system traffic
       test.

v3->v4:
* ofproto-dpif
  - Probe datapath for timeout policy support.
  - With the probing information, only translate timeout policy when the
    datapath supports it.
  - Resolve the old kernel compatibility issue reported by Darrell.
* system-traffic
  - Simplify the testing script (diff from Darrell).
* Address various code changes as in the mailing list discussion.

v2->v3
* ovsdb schema
  - Fold in changes from Justin.
  - Make ct timeout policy keys be in a pre-defined set.
* ovs-vsctl
  - Bug fixes.
* ct-dpif
  - Fold in diff suggestion from Justin.
* bridge, ofproto-dpif
  - Restructure the ofproto and dpif layer support for zone-based timeout
    policy.
* system traffic test
  - Fix bug reported by Darrell.
* Address review comments from Justin and Darrell.

v1->v2
* ovs-vsctl
  - Remove add-dp, del-dp, list-dp ovs-vsctl commands.
  - Add --may-exist and --if-exists to ovs-vsctl add-zone-tp command.
  - Improve ovs-vsctl test.
* ct-dpif, dpif-netlink
  - Remove support to change default timeout policy in the datapath.
  - Squash ct-dpif and dpif-netlink layer implementation altogether.
  - Address review comments from William.
* ofproto-dpif
  - Remove changes from datapath-config module to ofproto-dpif layer.
  - Maintain zone-based timeout policy in dpif-backer since this is a
    per-datapath-type configuration. This will not break the OVS
    hierarchy as Ilya suggested.
  - Allocate timeout policy id using id_pool instead of idl_seqno as
    Darrell suggested.
  - Add a timeout policy sweep function that cleans up unnecessary
    timeout policies regularly in the datapath.
* ofproto-dpif-xlate
  - Only translate ct timeout policy if it is a ct commit action in the
    kernel datapath.
* system-traffic test
  - Update system traffic test with low level ovs-vsctl command.
  - Make the system traffic test datapath-type agnostic.
  - Improve system traffic test as Darrell suggested.
* Rebase to master

Ben Pfaff (1):
  simap: Add utility function to help compare two simaps.

Justin Pettit (1):
  ovs-vswitchd: Add Datapath, CT_Zone, and CT_Zone_Policy tables.

William Tu (1):
  ovs-vsctl: Add conntrack zone commands.

Yi-Hung Wei (6):
  ct-dpif: Export ct_dpif_format_ipproto()
  ct-dpif, dpif-netlink: Add conntrack timeout policy support
  ofproto-dpif: Consume CT_Zone, and CT_Timeout_Policy tables
  datapath: compat: Backport nf_conntrack_timeout support
  datapath: Add support for conntrack timeout policy
  ofproto-dpif-xlate: Translate timeout policy in ct action

 Documentation/faq/releases.rst                      |   3 +-
 NEWS                                                |   1 +
 acinclude.m4                                        |   7 +
 datapath-windows/include/OvsDpInterfaceCtExt.h      | 114 +++++
 datapath-windows/ovsext/Netlink/NetlinkProto.h      |   8 +-
 datapath/conntrack.c                                |  30 +-
 datapath/linux/Modules.mk                           |   2 +
 datapath/linux/compat/include/linux/openvswitch.h   |   4 +
 .../include/net/netfilter/nf_conntrack_timeout.h    |  34 ++
 datapath/linux/compat/nf_conntrack_timeout.c        | 102 +++++
 include/windows/automake.mk                         |   1 +
 .../windows/linux/netfilter/nfnetlink_cttimeout.h   |   0
 lib/ct-dpif.c                                       | 116 ++++-
 lib/ct-dpif.h                                       |  60 +++
 lib/dpif-netdev.c                                   |  11 +
 lib/dpif-netlink.c                                  | 490 +++++++++++++++++++++
 lib/dpif-netlink.h                                  |   1 -
 lib/dpif-provider.h                                 |  54 +++
 lib/netlink-conntrack.c                             | 301 +++++++++++++
 lib/netlink-conntrack.h                             |  27 +-
 lib/netlink-protocol.h                              |   8 +-
 lib/odp-util.c                                      |  29 +-
 lib/simap.c                                         |  15 +-
 lib/simap.h                                         |   1 +
 ofproto/ofproto-dpif-xlate.c                        |  23 +
 ofproto/ofproto-dpif.c                              | 383 ++++++++++++++++
 ofproto/ofproto-dpif.h                              |  22 +-
 ofproto/ofproto-provider.h                          |  10 +
 ofproto/ofproto.c                                   |  26 ++
 ofproto/ofproto.h                                   |   5 +
 tests/odp.at                                        |   1 +
 tests/ovs-vsctl.at                                  |  34 +-
 tests/system-kmod-macros.at                         |  20 +
 tests/system-traffic.at                             |  66 +++
 tests/system-userspace-macros.at                    |  19 +
 utilities/ovs-vsctl.8.in                            |  26 ++
 utilities/ovs-vsctl.c                               | 202 ++++++++-
 vswitchd/bridge.c                                   | 198 +++++++++
 vswitchd/vswitch.ovsschema                          |  51 ++-
 vswitchd/vswitch.xml                                | 275 ++++++++++--
 40 files changed, 2708 insertions(+), 72 deletions(-)
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_timeout.h
 create mode 100644 datapath/linux/compat/nf_conntrack_timeout.c
 create mode 100644 include/windows/linux/netfilter/nfnetlink_cttimeout.h
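The resolution order the cover letter describes (the committed zone's own policy, else the default zone 0 policy, else the system defaults), together with the id_pool allocation and the periodic sweep of policies no zone references any more, modelled as a small added Python example. This is illustration written for this page, not code from the OVS patch series; the class and function names (ZoneTimeoutTable, resolve_policy, effective_timeouts, sweep_unused_policies), the attribute names and the numeric defaults are assumptions chosen for the example, and the pre-defined key check stands in for the schema constraint the v2->v3 changelog mentions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ZONE = 0

# System default timeouts in seconds. Constructed sample values for this
# example, not the kernel's actual defaults; used when no policy applies to
# a zone, or when a policy omits an attribute.
SYSTEM_DEFAULTS: Dict[str, int] = {
    "tcp_established": 432000,
    "tcp_syn_sent": 120,
    "udp_single": 30,
}


@dataclass
class TimeoutPolicy:
    """A set of timeout attributes, identified by a datapath policy id."""
    policy_id: int
    timeouts: Dict[str, int]


class ZoneTimeoutTable:
    """Per-datapath association of conntrack zones with timeout policies
    (hypothetical structure standing in for the dpif-backer state)."""

    def __init__(self) -> None:
        self._policies: Dict[int, TimeoutPolicy] = {}   # policy id -> policy
        self._zone_to_policy: Dict[int, int] = {}       # zone -> policy id
        self._free_ids: List[int] = []                  # stand-in for an id_pool
        self._next_id = 1

    def _alloc_id(self) -> int:
        # Reuse an id released by the sweep before growing the pool.
        if self._free_ids:
            return self._free_ids.pop()
        pid = self._next_id
        self._next_id += 1
        return pid

    def add_zone_policy(self, zone: int, timeouts: Dict[str, int]) -> int:
        """Attach a new timeout policy to `zone`; returns the allocated id.
        Only keys from the pre-defined attribute set are accepted."""
        unknown = set(timeouts) - set(SYSTEM_DEFAULTS)
        if unknown:
            raise ValueError(f"unknown timeout attributes: {sorted(unknown)}")
        pid = self._alloc_id()
        self._policies[pid] = TimeoutPolicy(pid, dict(timeouts))
        self._zone_to_policy[zone] = pid
        return pid

    def del_zone_policy(self, zone: int) -> None:
        """Detach the zone; the policy itself is reclaimed later by the sweep."""
        self._zone_to_policy.pop(zone, None)

    def resolve_policy(self, zone: int) -> Optional[TimeoutPolicy]:
        """Policy for a commit into `zone`: the zone's own policy, else the
        default zone's policy, else None (meaning system defaults)."""
        for z in (zone, DEFAULT_ZONE):
            pid = self._zone_to_policy.get(z)
            if pid is not None:
                return self._policies[pid]
        return None

    def effective_timeouts(self, zone: int) -> Dict[str, int]:
        """Full attribute set a connection committed into `zone` receives:
        the resolved policy's values layered over the system defaults."""
        result = dict(SYSTEM_DEFAULTS)
        policy = self.resolve_policy(zone)
        if policy is not None:
            result.update(policy.timeouts)
        return result

    def sweep_unused_policies(self) -> List[int]:
        """Free every policy no zone references any more and return the
        reclaimed ids to the pool (sorted, for deterministic output)."""
        in_use = set(self._zone_to_policy.values())
        reclaimed = sorted(pid for pid in self._policies if pid not in in_use)
        for pid in reclaimed:
            del self._policies[pid]
            self._free_ids.append(pid)
        return reclaimed


if __name__ == "__main__":
    table = ZoneTimeoutTable()
    table.add_zone_policy(5, {"tcp_established": 7200})
    table.add_zone_policy(DEFAULT_ZONE, {"udp_single": 60})
    print("zone 5:", table.effective_timeouts(5))   # own policy
    print("zone 9:", table.effective_timeouts(9))   # falls back to zone 0
    table.del_zone_policy(5)
    print("swept:", table.sweep_unused_policies())  # zone 5's policy id
```

Note that the fallback is at the policy level, not per attribute: a zone that has its own policy takes missing attributes from the system defaults, not from zone 0's policy, which matches the cover letter's wording that the default zone only applies when no policy is specified for the committed zone.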