| Message ID | 167456504150.1023551.288479495118576709.stgit@ebuild.local |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | tests: Add system-traffic.at tests to check-offloads. | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
On 1/24/23 13:57, Eelco Chaudron wrote: > tc does not support conntrack ALGs. Even worse, with tc enabled, they > should not be used/configured at all. This is because even though TC > will ignore the rules with ALG configured, i.e., they will flow through > the kernel module, return traffic might flow through a tc conntrack > rule, and it will not invoke the ALG helper. > > Signed-off-by: Eelco Chaudron <echaudro@redhat.com> > Acked-by: Roi Dayan <roid@nvidia.com> > --- > Documentation/howto/tc-offload.rst | 11 +++++++++++ > lib/netdev-offload-tc.c | 4 ++++ > tests/system-offloads.at | 27 +++++++-------------------- > 3 files changed, 22 insertions(+), 20 deletions(-) > > diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst > index f6482c8af..63687adc9 100644 > --- a/Documentation/howto/tc-offload.rst > +++ b/Documentation/howto/tc-offload.rst > @@ -112,3 +112,14 @@ First flow packet not processed by meter > Packets that are received by ovs-vswitchd through an upcall before the actual > meter flow is installed, are not passing TC police action and therefore are > not considered for policing. > + > +Conntrack Application Layer Gateways(ALG) Nit: a space before the '(ALG)' would be nice.
On 1/26/23 22:32, Ilya Maximets wrote: > On 1/24/23 13:57, Eelco Chaudron wrote: >> tc does not support conntrack ALGs. Even worse, with tc enabled, they >> should not be used/configured at all. This is because even though TC >> will ignore the rules with ALG configured, i.e., they will flow through >> the kernel module, return traffic might flow through a tc conntrack >> rule, and it will not invoke the ALG helper. >> And maybe a Fixes tag? >> Signed-off-by: Eelco Chaudron <echaudro@redhat.com> >> Acked-by: Roi Dayan <roid@nvidia.com> >> --- >> Documentation/howto/tc-offload.rst | 11 +++++++++++ >> lib/netdev-offload-tc.c | 4 ++++ >> tests/system-offloads.at | 27 +++++++-------------------- >> 3 files changed, 22 insertions(+), 20 deletions(-) >> >> diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst >> index f6482c8af..63687adc9 100644 >> --- a/Documentation/howto/tc-offload.rst >> +++ b/Documentation/howto/tc-offload.rst >> @@ -112,3 +112,14 @@ First flow packet not processed by meter >> Packets that are received by ovs-vswitchd through an upcall before the actual >> meter flow is installed, are not passing TC police action and therefore are >> not considered for policing. >> + >> +Conntrack Application Layer Gateways(ALG) > > Nit: a space before the '(ALG)' would be nice.
On 26 Jan 2023, at 22:33, Ilya Maximets wrote: > On 1/26/23 22:32, Ilya Maximets wrote: >> On 1/24/23 13:57, Eelco Chaudron wrote: >>> tc does not support conntrack ALGs. Even worse, with tc enabled, they >>> should not be used/configured at all. This is because even though TC >>> will ignore the rules with ALG configured, i.e., they will flow through >>> the kernel module, return traffic might flow through a tc conntrack >>> rule, and it will not invoke the ALG helper. >>> > > And maybe a Fixes tag? Will add Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support") >>> Signed-off-by: Eelco Chaudron <echaudro@redhat.com> >>> Acked-by: Roi Dayan <roid@nvidia.com> >>> --- >>> Documentation/howto/tc-offload.rst | 11 +++++++++++ >>> lib/netdev-offload-tc.c | 4 ++++ >>> tests/system-offloads.at | 27 +++++++-------------------- >>> 3 files changed, 22 insertions(+), 20 deletions(-) >>> >>> diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst >>> index f6482c8af..63687adc9 100644 >>> --- a/Documentation/howto/tc-offload.rst >>> +++ b/Documentation/howto/tc-offload.rst >>> @@ -112,3 +112,14 @@ First flow packet not processed by meter >>> Packets that are received by ovs-vswitchd through an upcall before the actual >>> meter flow is installed, are not passing TC police action and therefore are >>> not considered for policing. >>> + >>> +Conntrack Application Layer Gateways(ALG) >> >> Nit: a space before the '(ALG)' would be nice. Will fix.
diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..63687adc9 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways(ALG) ++++++++++++++++++++++++++++++++++++++++++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 915c45ed3..ba309c2b6 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, action->ct.label_mask = ct_label->mask; } break; + /* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ + case OVS_CT_ATTR_HELPER: + return EOPNOTSUPP; } } diff --git a/tests/system-offloads.at b/tests/system-offloads.at index 9d1e80c8d..c4ed3a171 100644 --- a/tests/system-offloads.at +++ b/tests/system-offloads.at @@ -42,6 +42,13 @@ m4_define([OVS_REVALIDATOR_PURGE], m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) +# Conntrack ALGs are not supported for tc. +m4_define([CHECK_CONNTRACK_ALG], +[ + AT_SKIP_IF([:]) +]) + + # The list below are tests that will not pass for a "test environment" specific # issue. m4_define([OVS_TEST_SKIP_LIST], @@ -60,27 +67,7 @@ conntrack - IPv6 Fragmentation over vxlan conntrack - zone-based timeout policy conntrack - multiple zones, local conntrack - multi-stage pipeline, local -conntrack - FTP -conntrack - FTP over IPv6 -conntrack - IPv6 FTP Passive -conntrack - FTP with multiple expectations -conntrack - TFTP conntrack - ICMP related with NAT -conntrack - FTP SNAT prerecirc<SPC> -conntrack - FTP SNAT prerecirc seqadj -conntrack - FTP SNAT postrecirc<SPC> -conntrack - FTP SNAT postrecirc seqadj -conntrack - FTP SNAT orig tuple<SPC> -conntrack - FTP SNAT orig tuple seqadj -conntrack - IPv4 FTP Passive with SNAT -conntrack - IPv4 FTP Passive with DNAT -conntrack - IPv4 FTP Passive with DNAT 2 -conntrack - IPv4 FTP Active with DNAT -conntrack - IPv4 FTP Active with DNAT with reverse skew -conntrack - IPv6 FTP with SNAT -conntrack - IPv6 FTP Passive with SNAT -conntrack - IPv6 FTP with SNAT - orig tuple -conntrack - IPv4 TFTP with SNAT conntrack - DNAT load balancing conntrack - DNAT load balancing with NC conntrack - Multiple ICMP traverse