diff mbox series

[ovs-dev,05/11] netdev-offload-tc: Conntrack ALGs are not supported with tc.

Message ID 167532352240.747532.4592168342941030115.stgit@ebuild.local
State Superseded
Headers show
Series tests: Add system-traffic.at tests to check-offloads. | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/intel-ovs-compilation fail test: fail

Commit Message

Eelco Chaudron Feb. 2, 2023, 7:38 a.m. UTC 
tc does not support conntrack ALGs. Even worse, with tc enabled, they
should not be used/configured at all. This is because even though TC
will ignore the rules with ALG configured, i.e., they will flow through
the kernel module, return traffic might flow through a tc conntrack
rule, and it will not invoke the ALG helper.

Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Roi Dayan <roid@nvidia.com>
---
 Documentation/howto/tc-offload.rst        |   11 +++++++++++
 lib/netdev-offload-tc.c                   |    4 ++++
 tests/system-offloads-testsuite-macros.at |    6 ++++++
 tests/system-traffic.at                   |   15 ---------------
 4 files changed, 21 insertions(+), 15 deletions(-)
diff mbox series

Patch

diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst
index f6482c8af..681dff13e 100644
--- a/Documentation/howto/tc-offload.rst
+++ b/Documentation/howto/tc-offload.rst
@@ -112,3 +112,14 @@  First flow packet not processed by meter
 Packets that are received by ovs-vswitchd through an upcall before the actual
 meter flow is installed, are not passing TC police action and therefore are
 not considered for policing.
+
+Conntrack Application Layer Gateways (ALG)
+++++++++++++++++++++++++++++++++++++++++++
+
+TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if
+the ALG keyword is present within the ct() action. However, this will not allow
+ALGs to work within the datapath, as the return traffic without the ALG keyword
+might run through a TC rule, which internally will not call the conntrack
+helper required.
+
+So if ALG support is required, tc offload must be disabled.
diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
index f9f05cd5c..4e94430ec 100644
--- a/lib/netdev-offload-tc.c
+++ b/lib/netdev-offload-tc.c
@@ -1425,6 +1425,10 @@  parse_put_flow_ct_action(struct tc_flower *flower,
                         get_32aligned_u128(&ct_label->mask);
                 }
                 break;
+                /* The following option we do not support in tc-ct, and should
+                 * not be ignored for proper operation. */
+            case OVS_CT_ATTR_HELPER:
+                return EOPNOTSUPP;
             }
         }
 
diff --git a/tests/system-offloads-testsuite-macros.at b/tests/system-offloads-testsuite-macros.at
index 2129cf7f0..5d7044f42 100644
--- a/tests/system-offloads-testsuite-macros.at
+++ b/tests/system-offloads-testsuite-macros.at
@@ -34,3 +34,9 @@  m4_define([CHECK_NO_TC_OFFLOAD],
 [
      AT_SKIP_IF([:])
 ])
+
+# Conntrack ALGs are not supported for tc.
+m4_define([CHECK_CONNTRACK_ALG],
+[
+     AT_SKIP_IF([:])
+])
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index b2751e7e4..05e0473ec 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -4827,7 +4827,6 @@  OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
 AT_SETUP([conntrack - FTP])
-CHECK_NO_TC_OFFLOAD()
 AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_ALG()
@@ -4937,7 +4936,6 @@  AT_SETUP([conntrack - FTP over IPv6])
 AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
@@ -4993,7 +4991,6 @@  AT_SETUP([conntrack - IPv6 FTP Passive])
 AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
@@ -5053,7 +5050,6 @@  AT_SETUP([conntrack - FTP with multiple expectations])
 AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
@@ -5120,7 +5116,6 @@  AT_SETUP([conntrack - TFTP])
 AT_SKIP_IF([test $HAVE_TFTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
@@ -5756,7 +5751,6 @@  m4_define([CHECK_FTP_NAT],
     CHECK_CONNTRACK()
     CHECK_CONNTRACK_NAT()
     CHECK_CONNTRACK_ALG()
-    CHECK_NO_TC_OFFLOAD()
 
     OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6064,7 +6058,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6125,7 +6118,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6186,7 +6178,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6247,7 +6238,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6308,7 +6298,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6511,7 +6500,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6572,7 +6560,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()
 
@@ -6634,7 +6621,6 @@  AT_SKIP_IF([test $HAVE_FTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
@@ -6695,7 +6681,6 @@  AT_SKIP_IF([test $HAVE_TFTP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 CHECK_CONNTRACK_ALG()
-CHECK_NO_TC_OFFLOAD()
 
 OVS_TRAFFIC_VSWITCHD_START()