[ovs-dev,v2,00/11] conntrack zone limitation

Message ID	1533170156-769-1-git-send-email-yihung.wei@gmail.com
Headers	show Return-Path: <ovs-dev-bounces@openvswitch.org> From: Yi-Hung Wei <yihung.wei@gmail.com> To: dev@openvswitch.org Date: Wed, 1 Aug 2018 17:35:45 -0700 Message-Id: <1533170156-769-1-git-send-email-yihung.wei@gmail.com> Subject: [ovs-dev] [PATCH v2 00/11] conntrack zone limitation Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org
Series	conntrack zone limitation \| expand [ovs-dev,v2,00/11] conntrack zone limitation [ovs-dev,v2,01/11] compat: Backport nf_ct_netns_{get, put}() [ovs-dev,v2,02/11] datapath: compat: Backports nf_conncount [ovs-dev,v2,03/11] datapath: compat: Introduce static key support [ovs-dev,v2,04/11] datapath: Add conntrack limit netlink definition [ovs-dev,v2,05/11] datapath: conntrack: Support conntrack zone limit [ovs-dev,v2,06/11] dpif: Support conntrack zone limit. [ovs-dev,v2,07/11] ct-dpif: Helper functions for conntrack zone limit [ovs-dev,v2,08/11] dpif-netlink: Implement conntrack zone limiit [ovs-dev,v2,09/11] dpctl: Refactor opt_dpif_open(). [ovs-dev,v2,10/11] dpctl: Implement dpctl commands for conntrack per zone limit [ovs-dev,v2,11/11] system-traffic: Add conntrack per zoen limit test case

Message ID

1533170156-769-1-git-send-email-yihung.wei@gmail.com

Headers

From: Yi-Hung Wei <yihung.wei@gmail.com>
To: dev@openvswitch.org
Date: Wed,  1 Aug 2018 17:35:45 -0700
Message-Id: <1533170156-769-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH v2 00/11]  conntrack zone limitation
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

Series

conntrack zone limitation | expand

Message

Yi-Hung Wei Aug. 2, 2018, 12:35 a.m. UTC

This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
for every zone.  This feature aims to resolve a problem that if one
of the VM/container under attack that abuses the usage the conntrack
entries, it may block the others from committing valid conntrack
entries into the conntrack table.  

To address this issue, this patch series proposes to have a
fine-grained mechanism that could limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

This patch series consist of dpif layer support, kernel backports to
support this features in dpif-netlinkt, dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.

v1->v2: Fix a rebase error. Only patch 8 has changed.

Yi-Hung Wei (11):
  compat: Backport nf_ct_netns_{get,put}()
  datapath: compat: Backports nf_conncount
  datapath: compat: Introduce static key support
  datapath: Add conntrack limit netlink definition
  datapath: conntrack: Support conntrack zone limit
  dpif: Support conntrack zone limit.
  ct-dpif: Helper functions for conntrack zone limit
  dpif-netlink: Implement conntrack zone limiit
  dpctl: Refactor opt_dpif_open().
  dpctl: Implement dpctl commands for conntrack per zone limit
  system-traffic: Add conntrack per zoen limit test case

 NEWS                                               |   3 +
 acinclude.m4                                       |   9 +
 datapath/compat.h                                  |   8 +
 datapath/conntrack.c                               | 551 +++++++++++++++++-
 datapath/conntrack.h                               |   9 +-
 datapath/datapath.c                                |   7 +-
 datapath/datapath.h                                |   3 +
 datapath/linux/Modules.mk                          |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h  |  28 +
 datapath/linux/compat/include/linux/static_key.h   |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h    |   8 +
 .../include/net/netfilter/nf_conntrack_count.h     |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h    |  14 +
 datapath/linux/compat/nf_conncount.c               | 637 +++++++++++++++++++++
 datapath/linux/compat/nf_conntrack_proto.c         | 112 ++++
 lib/ct-dpif.c                                      | 129 +++++
 lib/ct-dpif.h                                      |  20 +
 lib/dpctl.c                                        | 252 ++++++--
 lib/dpctl.man                                      |  18 +
 lib/dpif-netdev.c                                  |   3 +
 lib/dpif-netlink.c                                 | 199 +++++++
 lib/dpif-provider.h                                |  26 +
 tests/system-traffic.at                            |  75 +++
 23 files changed, 2202 insertions(+), 47 deletions(-)
 create mode 100644 datapath/linux/compat/include/linux/static_key.h
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
 create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
 create mode 100644 datapath/linux/compat/nf_conncount.c
 create mode 100644 datapath/linux/compat/nf_conntrack_proto.c

Comments

Darrell Ball Aug. 2, 2018, 4:55 a.m. UTC | #1

Thanks for the series Yi-hung

I will help review it.

I have a few general queries initially.

Darrell

On 8/1/18, 5:41 PM, "ovs-dev-bounces@openvswitch.org on behalf of Yi-Hung Wei" <ovs-dev-bounces@openvswitch.org on behalf of yihung.wei@gmail.com> wrote:

    This patch series implements connection tracking zone limitation to
    limit the maximum number of conntrack entries in the conntrack table
    for every zone.  This feature aims to resolve a problem that if one
    of the VM/container under attack that abuses the usage the conntrack
    entries, it may block the others from committing valid conntrack
    entries into the conntrack table.  
    
    To address this issue, this patch series proposes to have a
    fine-grained mechanism that could limit the # of conntrack entries
    per-zone.  For example, we can designate different zone to different VM,
    and set conntrack limit to each zone.  By providing this isolation, a
    mis-behaved VM only consumes the conntrack entries in its own zone, and
    it will not influence other well-behaved VMs.  Moreover, the users can
    set various conntrack limit to different zone based on their preference.
    
    This patch series consist of dpif layer support, kernel backports to
    support this features in dpif-netlinkt, dpif-netlink implementation,
    dpctl commands, and a system traffic test to verify this feature.
    
    v1->v2: Fix a rebase error. Only patch 8 has changed.
    
    Yi-Hung Wei (11):
      compat: Backport nf_ct_netns_{get,put}()
      datapath: compat: Backports nf_conncount
      datapath: compat: Introduce static key support
      datapath: Add conntrack limit netlink definition
      datapath: conntrack: Support conntrack zone limit
      dpif: Support conntrack zone limit.
      ct-dpif: Helper functions for conntrack zone limit
      dpif-netlink: Implement conntrack zone limiit
      dpctl: Refactor opt_dpif_open().
      dpctl: Implement dpctl commands for conntrack per zone limit
      system-traffic: Add conntrack per zoen limit test case
    
     NEWS                                               |   3 +
     acinclude.m4                                       |   9 +
     datapath/compat.h                                  |   8 +
     datapath/conntrack.c                               | 551 +++++++++++++++++-
     datapath/conntrack.h                               |   9 +-
     datapath/datapath.c                                |   7 +-
     datapath/datapath.h                                |   3 +
     datapath/linux/Modules.mk                          |   7 +-
     datapath/linux/compat/include/linux/openvswitch.h  |  28 +
     datapath/linux/compat/include/linux/static_key.h   |  70 +++
     .../compat/include/net/netfilter/nf_conntrack.h    |   8 +
     .../include/net/netfilter/nf_conntrack_count.h     |  61 ++
     .../linux/compat/include/uapi/linux/netfilter.h    |  14 +
     datapath/linux/compat/nf_conncount.c               | 637 +++++++++++++++++++++
     datapath/linux/compat/nf_conntrack_proto.c         | 112 ++++
     lib/ct-dpif.c                                      | 129 +++++
     lib/ct-dpif.h                                      |  20 +
     lib/dpctl.c                                        | 252 ++++++--
     lib/dpctl.man                                      |  18 +
     lib/dpif-netdev.c                                  |   3 +
     lib/dpif-netlink.c                                 | 199 +++++++
     lib/dpif-provider.h                                |  26 +
     tests/system-traffic.at                            |  75 +++
     23 files changed, 2202 insertions(+), 47 deletions(-)
     create mode 100644 datapath/linux/compat/include/linux/static_key.h
     create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
     create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
     create mode 100644 datapath/linux/compat/nf_conncount.c
     create mode 100644 datapath/linux/compat/nf_conntrack_proto.c
    
    -- 
    2.7.4
    
    _______________________________________________
    dev mailing list
    dev@openvswitch.org
    https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmail.openvswitch.org%2Fmailman%2Flistinfo%2Fovs-dev&amp;data=02%7C01%7Cdball%40vmware.com%7C43dc76263e044a9776fb08d5f810abbf%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C1%7C0%7C636687672857189783&amp;sdata=UamO%2FNcn3WkKcCT770y3HqcIPYgahhsbt%2FUkVFRCDoU%3D&amp;reserved=0