From patchwork Wed Mar 7 01:23:09 2018
X-Patchwork-Submitter: "Yangxiaoliang (Neo)"
X-Patchwork-Id: 882351
From: "Yangxiaoliang (Neo)"
To: Darrell Ball, "dev@openvswitch.org"
Cc: "Liujinsong (Paul)", zhangyuexi, gaoxiaoqiu, Yinpeijun, "liucheng (J)", "Jiangtao (D)", Lichunhe, Zhoujingbin, "lixiao (H)"
Date: Wed, 7 Mar 2018 01:23:09 +0000
Subject: [ovs-dev] Test result. RE: [patch v1] conntrack-tcp: Handle tcp session reuse.

Hi Darrell,

I have tested VM migration with this patch several times. And this patch can avoid stopping the TCP stream, but the issue is that the TCP stream will suspend for a big number of seconds after migration (for example, more than 100 seconds on 8Gbps). I think users will not be satisfied with this issue. Can we enlarge the range that is saved by sequence tracking to be more permissive to decrease the time? Or maybe in the future we will solve this issue completely; for now it's not recommended to migrate a VM with a big network throughput. Or any other idea?

Thanks.

-----Original Message-----
From: ovs-dev-bounces@openvswitch.org [mailto:ovs-dev-bounces@openvswitch.org] On Behalf Of Darrell Ball
Sent: Thursday, March 01, 2018 3:26 PM
To: dlu998@gmail.com; dev@openvswitch.org
Subject: [ovs-dev] [patch v1] conntrack-tcp: Handle tcp session reuse.

Fix tcp sequence tracking for session reuse cases. This can happen, for example by doing VM migration, where sequence tracking needs to be more permissive.

The solution is to be more permissive for session restart and session start only. We don't differentiate session start here where we could be more strict, although we could, because the gain in protection is almost zero and the code modularity would be lessened and code complexity increased.

This issue originates in release 2.7.

Signed-off-by: Darrell Ball
--- lib/conntrack-tcp.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) -- 1.9.1 diff --git a/lib/conntrack-tcp.c b/lib/conntrack-tcp.c index 04460c3..a0ddd65 100644 --- a/lib/conntrack-tcp.c +++ b/lib/conntrack-tcp.c @@ -160,7 +160,6 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, uint16_t win = ntohs(tcp->tcp_winsz); uint32_t ack, end, seq, orig_seq; uint32_t p_len = tcp_payload_length(pkt); - int ackskew; if (tcp_invalid_flags(tcp_flags)) { return CT_UPDATE_INVALID; @@ -195,11 +194,11 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, */ orig_seq = seq = ntohl(get_16aligned_be32(&tcp->tcp_seq)); + bool check_ackskew = true; if (src->state < CT_DPIF_TCPS_SYN_SENT) { /* First packet from this end. Set its state */ ack = ntohl(get_16aligned_be32(&tcp->tcp_ack)); - end = seq + p_len; if (tcp_flags & TCP_SYN) { end++; @@ -232,6 +231,7 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, if (src->seqhi == 1 || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)) { src->seqhi = end + MAX(1, dst->max_win << dws); + check_ackskew = false; } if (win > src->max_win) { src->max_win = win; 
@@ -265,7 +265,13 @@ tcp_conn_update(struct conn *conn_, struct conntrack_bucket *ctb, end = seq; } - ackskew = dst->seqlo - ack; + int ackskew; + if (check_ackskew) { + ackskew = dst->seqlo - ack; + } else { + ackskew = 0; + } + #define MAXACKWINDOW (0xffff + 1500) /* 1500 is an arbitrary fudge factor */ if (SEQ_GEQ(src->seqhi, end) /* Last octet inside other's window space */
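Review bot: in the hunk at `@@ -195,11 +194,11 @@`, `bool check_ackskew = true;` is declared in the middle of the function body, right after the `orig_seq = seq = ...` assignment, and carries no comment saying what it gates. Declaring it with the other locals at the top of `tcp_conn_update()` (next to `uint32_t p_len`, where the first hunk removes `int ackskew;`) and adding a one-line comment that it is cleared for session start or restart would make the later branches easier to follow.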
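Review bot: in the hunk at `@@ -232,6 +231,7 @@`, nothing explains why the `src->seqhi == 1 || SEQ_GEQ(end + MAX(1, dst->max_win << dws), src->seqhi)` branch, where `check_ackskew = false;` is set, identifies the session start or restart case that the commit message describes. This is the line that relaxes validation, so it needs a comment stating that link. If the condition can also hold for packets that are not part of a start or restart, the flag should be cleared under a narrower test instead.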
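Review bot: the `ackskew = 0;` branch added in the hunk at `@@ -265,7 +265,13 @@` needs a comment and a test for the reuse case, because with the skew forced to zero the packet's `ack` value no longer has any effect on the checks that use `ackskew` after the `MAXACKWINDOW` definition. As a style point, the separate declaration plus if/else can be a single initialised declaration, `int ackskew = check_ackskew ? dst->seqlo - ack : 0;`, which also avoids the extra blank line added before the `#define`.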