From patchwork Wed Aug 1 22:46:09 2018
From: Yi-Hung Wei
To: dev@openvswitch.org
Date: Wed, 1 Aug 2018 15:46:09 -0700
Message-Id: <1533163580-27989-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH 00/11] conntrack zone limitation
This patch series implements connection tracking zone limitation to limit the maximum number of conntrack entries in the conntrack table for every zone. This feature aims to resolve a problem where, if one of the VMs/containers is under attack and abuses the conntrack entries, it may block the others from committing valid conntrack entries into the conntrack table.

To address this issue, this patch series proposes a fine-grained mechanism that can limit the number of conntrack entries per zone. For example, we can designate a different zone for each VM and set a conntrack limit on each zone. By providing this isolation, a misbehaving VM only consumes the conntrack entries in its own zone, and it will not influence other well-behaved VMs. Moreover, users can set different conntrack limits on different zones based on their preference.

This patch series consists of dpif layer support, kernel backports to support this feature in dpif-netlink, the dpif-netlink implementation, dpctl commands, and a system traffic test to verify this feature.

Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zone limit test case

 NEWS                                                      |   3 +
 acinclude.m4                                              |   9 +
 datapath/compat.h                                         |   8 +
 datapath/conntrack.c                                      | 551 +++++++++++++++++-
 datapath/conntrack.h                                      |   9 +-
 datapath/datapath.c                                       |   7 +-
 datapath/datapath.h                                       |   3 +
 datapath/linux/Modules.mk                                 |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h         |  28 +
 datapath/linux/compat/include/linux/static_key.h          |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h           |   8 +
 .../include/net/netfilter/nf_conntrack_count.h            |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h           |  14 +
 datapath/linux/compat/nf_conncount.c                      | 637 +++++++++++++++++++++
 datapath/linux/compat/nf_conntrack_proto.c                | 112 ++++
 lib/ct-dpif.c                                             | 129 +++++
 lib/ct-dpif.h                                             |  20 +
 lib/dpctl.c                                               | 252 ++++++-
 lib/dpctl.man                                             |  18 +
 lib/dpif-netdev.c                                         |   3 +
 lib/dpif-netlink.c                                        | 198 +++++++
 lib/dpif-provider.h                                       |  26 +
 tests/system-traffic.at                                   |  75 +++
 23 files changed, 2201 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c
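The isolation property the cover letter describes, modelled as an added example that is not code from the patch series: each zone has its own entry budget, a zone with no explicit limit falls back to a default, and a zone that fills up is refused further commits without affecting any other zone. The zone ids, the limit values, the `MODEL_ZONES` bound and the "limit 0 means unlimited" convention are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of per-zone conntrack limits; zone ids, limits and
 * "0 means unlimited" are assumptions of this example, not the series' code. */
#define MODEL_ZONES 8
#define CT_LIMIT_UNLIMITED 0

struct ct_zone_limits {
    uint32_t default_limit;          /* used by zones with no explicit limit */
    uint32_t limit[MODEL_ZONES];     /* explicit per-zone limit */
    bool     has_limit[MODEL_ZONES];
    uint32_t count[MODEL_ZONES];     /* entries currently committed per zone */
};

void ct_limits_set(struct ct_zone_limits *t, unsigned zone, uint32_t limit)
{
    t->limit[zone] = limit;
    t->has_limit[zone] = true;
}

/* Commit one new entry into 'zone'; false means the zone is at its limit and
 * the datapath would refuse the commit, whatever the other zones hold. */
bool ct_commit(struct ct_zone_limits *t, unsigned zone)
{
    uint32_t lim = t->has_limit[zone] ? t->limit[zone] : t->default_limit;
    if (lim != CT_LIMIT_UNLIMITED && t->count[zone] >= lim) {
        return false;
    }
    t->count[zone]++;
    return true;
}

/* An entry in 'zone' expired; only that zone's budget is released. */
void ct_expire(struct ct_zone_limits *t, unsigned zone)
{
    if (t->count[zone]) t->count[zone]--;
}

int main(void)
{
    struct ct_zone_limits t = { .default_limit = 2 };   /* constructed default */
    ct_limits_set(&t, 1, 3);            /* zone 1 belongs to the misbehaving VM */
    for (int i = 0; i < 5; i++) {
        printf("zone 1 commit %d: %s\n", i + 1, ct_commit(&t, 1) ? "ok" : "dropped");
    }
    printf("zone 2 commit: %s\n", ct_commit(&t, 2) ? "ok" : "dropped");
    return 0;
}
```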