Message ID | 167094574930.237883.17731476417288468428.stgit@ebuild |
---|---|
State | Superseded |
Headers | show |
Series | tests: Add system-traffic.at tests to check-offloads. | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/intel-ovs-compilation | success | test: success |
On 13/12/2022 17:35, Eelco Chaudron wrote: > tc does not support conntrack ALGs. Even worse, with tc enabled, they > should not be used/configured at all. This is because even though TC > will ignore the rules with ALG configured, i.e., they will flow through > the kernel module, return traffic might flow through a tc conntrack > rule, and it will not invoke the ALG helper. > > Signed-off-by: Eelco Chaudron <echaudro@redhat.com> > Acked-by: Roi Dayan <roid@nvidia.com> > --- > Documentation/howto/tc-offload.rst | 11 +++++++++++ > lib/netdev-offload-tc.c | 4 ++++ > tests/system-offloads.at | 28 ++++++++-------------------- > 3 files changed, 23 insertions(+), 20 deletions(-) > > diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst > index f6482c8af..63687adc9 100644 > --- a/Documentation/howto/tc-offload.rst > +++ b/Documentation/howto/tc-offload.rst > @@ -112,3 +112,14 @@ First flow packet not processed by meter > Packets that are received by ovs-vswitchd through an upcall before the actual > meter flow is installed, are not passing TC police action and therefore are > not considered for policing. > + > +Conntrack Application Layer Gateways(ALG) > ++++++++++++++++++++++++++++++++++++++++++ > + > +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if > +the ALG keyword is present within the ct() action. However, this will not allow > +ALGs to work within the datapath, as the return traffic without the ALG keyword > +might run through a TC rule, which internally will not call the conntrack > +helper required. > + > +So if ALG support is required, tc offload must be disabled. > diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c > index 915c45ed3..ba309c2b6 100644 > --- a/lib/netdev-offload-tc.c > +++ b/lib/netdev-offload-tc.c > @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, > action->ct.label_mask = ct_label->mask; > } > break; > + /* The following option we do not support in tc-ct, and should > + * not be ignored for proper operation. */ > + case OVS_CT_ATTR_HELPER: > + return EOPNOTSUPP; > } > } > > diff --git a/tests/system-offloads.at b/tests/system-offloads.at > index 9d1e80c8d..73a761316 100644 > --- a/tests/system-offloads.at > +++ b/tests/system-offloads.at > @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], > AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2]) > ]) > > +<<<<<<< current Hi, I just noticed this. I guess from rebases as the file was supposed to be ok since v2. I see it got added by mistake since v3 also, beside this any reason to hold the series? Thanks, Roi > > # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for the > # tc-datapath entries to be installed. > @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], > m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) > > > +# Conntrack ALGs are not supported for tc. > +m4_define([CHECK_CONNTRACK_ALG], > +[ > + AT_SKIP_IF([:]) > +]) > + > + > # The list below are tests that will not pass for a "test environment" specific > # issue. > m4_define([OVS_TEST_SKIP_LIST], > @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan > conntrack - zone-based timeout policy > conntrack - multiple zones, local > conntrack - multi-stage pipeline, local > -conntrack - FTP > -conntrack - FTP over IPv6 > -conntrack - IPv6 FTP Passive > -conntrack - FTP with multiple expectations > -conntrack - TFTP > conntrack - ICMP related with NAT > -conntrack - FTP SNAT prerecirc<SPC> > -conntrack - FTP SNAT prerecirc seqadj > -conntrack - FTP SNAT postrecirc<SPC> > -conntrack - FTP SNAT postrecirc seqadj > -conntrack - FTP SNAT orig tuple<SPC> > -conntrack - FTP SNAT orig tuple seqadj > -conntrack - IPv4 FTP Passive with SNAT > -conntrack - IPv4 FTP Passive with DNAT > -conntrack - IPv4 FTP Passive with DNAT 2 > -conntrack - IPv4 FTP Active with DNAT > -conntrack - IPv4 FTP Active with DNAT with reverse skew > -conntrack - IPv6 FTP with SNAT > -conntrack - IPv6 FTP Passive with SNAT > -conntrack - IPv6 FTP with SNAT - orig tuple > -conntrack - IPv4 TFTP with SNAT > conntrack - DNAT load balancing > conntrack - DNAT load balancing with NC > conntrack - Multiple ICMP traverse >
On 24 Jan 2023, at 7:39, Roi Dayan wrote: > On 13/12/2022 17:35, Eelco Chaudron wrote: >> tc does not support conntrack ALGs. Even worse, with tc enabled, they >> should not be used/configured at all. This is because even though TC >> will ignore the rules with ALG configured, i.e., they will flow through >> the kernel module, return traffic might flow through a tc conntrack >> rule, and it will not invoke the ALG helper. >> >> Signed-off-by: Eelco Chaudron <echaudro@redhat.com> >> Acked-by: Roi Dayan <roid@nvidia.com> >> --- >> Documentation/howto/tc-offload.rst | 11 +++++++++++ >> lib/netdev-offload-tc.c | 4 ++++ >> tests/system-offloads.at | 28 ++++++++-------------------- >> 3 files changed, 23 insertions(+), 20 deletions(-) >> >> diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst >> index f6482c8af..63687adc9 100644 >> --- a/Documentation/howto/tc-offload.rst >> +++ b/Documentation/howto/tc-offload.rst >> @@ -112,3 +112,14 @@ First flow packet not processed by meter >> Packets that are received by ovs-vswitchd through an upcall before the actual >> meter flow is installed, are not passing TC police action and therefore are >> not considered for policing. >> + >> +Conntrack Application Layer Gateways(ALG) >> ++++++++++++++++++++++++++++++++++++++++++ >> + >> +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if >> +the ALG keyword is present within the ct() action. However, this will not allow >> +ALGs to work within the datapath, as the return traffic without the ALG keyword >> +might run through a TC rule, which internally will not call the conntrack >> +helper required. >> + >> +So if ALG support is required, tc offload must be disabled. >> diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c >> index 915c45ed3..ba309c2b6 100644 >> --- a/lib/netdev-offload-tc.c >> +++ b/lib/netdev-offload-tc.c >> @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, >> action->ct.label_mask = ct_label->mask; >> } >> break; >> + /* The following option we do not support in tc-ct, and should >> + * not be ignored for proper operation. */ >> + case OVS_CT_ATTR_HELPER: >> + return EOPNOTSUPP; >> } >> } >> >> diff --git a/tests/system-offloads.at b/tests/system-offloads.at >> index 9d1e80c8d..73a761316 100644 >> --- a/tests/system-offloads.at >> +++ b/tests/system-offloads.at >> @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], >> AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2]) >> ]) >> >> +<<<<<<< current > > Hi, > > I just noticed this. I guess from rebases as the file was supposed to be ok since v2. > I see it got added by mistake since v3 > also, beside this any reason to hold the series? Thanks, I’ll send out a v7 to fix this. I think it’s not yet in because Ilya had no time to look at this before the 3.1 branch creation :( > Thanks, > Roi > > >> >> # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for the >> # tc-datapath entries to be installed. >> @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], >> m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) >> >> >> +# Conntrack ALGs are not supported for tc. >> +m4_define([CHECK_CONNTRACK_ALG], >> +[ >> + AT_SKIP_IF([:]) >> +]) >> + >> + >> # The list below are tests that will not pass for a "test environment" specific >> # issue. >> m4_define([OVS_TEST_SKIP_LIST], >> @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan >> conntrack - zone-based timeout policy >> conntrack - multiple zones, local >> conntrack - multi-stage pipeline, local >> -conntrack - FTP >> -conntrack - FTP over IPv6 >> -conntrack - IPv6 FTP Passive >> -conntrack - FTP with multiple expectations >> -conntrack - TFTP >> conntrack - ICMP related with NAT >> -conntrack - FTP SNAT prerecirc<SPC> >> -conntrack - FTP SNAT prerecirc seqadj >> -conntrack - FTP SNAT postrecirc<SPC> >> -conntrack - FTP SNAT postrecirc seqadj >> -conntrack - FTP SNAT orig tuple<SPC> >> -conntrack - FTP SNAT orig tuple seqadj >> -conntrack - IPv4 FTP Passive with SNAT >> -conntrack - IPv4 FTP Passive with DNAT >> -conntrack - IPv4 FTP Passive with DNAT 2 >> -conntrack - IPv4 FTP Active with DNAT >> -conntrack - IPv4 FTP Active with DNAT with reverse skew >> -conntrack - IPv6 FTP with SNAT >> -conntrack - IPv6 FTP Passive with SNAT >> -conntrack - IPv6 FTP with SNAT - orig tuple >> -conntrack - IPv4 TFTP with SNAT >> conntrack - DNAT load balancing >> conntrack - DNAT load balancing with NC >> conntrack - Multiple ICMP traverse >>
diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..63687adc9 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways(ALG) ++++++++++++++++++++++++++++++++++++++++++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 915c45ed3..ba309c2b6 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, action->ct.label_mask = ct_label->mask; } break; + /* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ + case OVS_CT_ATTR_HELPER: + return EOPNOTSUPP; } } diff --git a/tests/system-offloads.at b/tests/system-offloads.at index 9d1e80c8d..73a761316 100644 --- a/tests/system-offloads.at +++ b/tests/system-offloads.at @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2]) ]) +<<<<<<< current # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for the # tc-datapath entries to be installed. @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) +# Conntrack ALGs are not supported for tc. +m4_define([CHECK_CONNTRACK_ALG], +[ + AT_SKIP_IF([:]) +]) + + # The list below are tests that will not pass for a "test environment" specific # issue. m4_define([OVS_TEST_SKIP_LIST], @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan conntrack - zone-based timeout policy conntrack - multiple zones, local conntrack - multi-stage pipeline, local -conntrack - FTP -conntrack - FTP over IPv6 -conntrack - IPv6 FTP Passive -conntrack - FTP with multiple expectations -conntrack - TFTP conntrack - ICMP related with NAT -conntrack - FTP SNAT prerecirc<SPC> -conntrack - FTP SNAT prerecirc seqadj -conntrack - FTP SNAT postrecirc<SPC> -conntrack - FTP SNAT postrecirc seqadj -conntrack - FTP SNAT orig tuple<SPC> -conntrack - FTP SNAT orig tuple seqadj -conntrack - IPv4 FTP Passive with SNAT -conntrack - IPv4 FTP Passive with DNAT -conntrack - IPv4 FTP Passive with DNAT 2 -conntrack - IPv4 FTP Active with DNAT -conntrack - IPv4 FTP Active with DNAT with reverse skew -conntrack - IPv6 FTP with SNAT -conntrack - IPv6 FTP Passive with SNAT -conntrack - IPv6 FTP with SNAT - orig tuple -conntrack - IPv4 TFTP with SNAT conntrack - DNAT load balancing conntrack - DNAT load balancing with NC conntrack - Multiple ICMP traverse