| Message ID | 1625670778-30586-1-git-send-email-bodong@nvidia.com |
|---|---|
| Headers | show |
| Series | Control nf flow table timeouts | expand |
Acked-by: Tim Gardner <tim.gardner@canonical.com> On 7/7/21 9:12 AM, Bodong Wang wrote: > TCP and UDP connections may be offloaded from nf conntrack to nf flow table. > Offloaded connections are aged after 30 seconds of inactivity. > Once aged, ownership is returned to conntrack with a hard coded tcp/udp > pickup time of 120/30 seconds, after which the connection may be deleted. > > The current hard-coded pickup intervals may introduce a very aggressive > aging policy. For example, offloaded tcp connections in established state > will timeout from nf conntrack after just 150 seconds of inactivity, > instead of 5 days. In addition, the hard-coded 30 second offload timeout > period can significantly increase the hardware insertion rate requirements > in some use cases. > > This patchset provides the user with the ability to configure protocol > specific offload timeout and pickup intervals via sysctl. > > The first and second patches revert the existing non-upstream solution. > The next two patches introduce the sysctl configuration for tcp and udp > protocols. > The last patch modifies nf flow table aging mechanisms to use the configured > time intervals. > > v2: add linux-next to cherry pick branch > > Oz Shlomo (5): > Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age > out time" > Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout > interval" > (upstream) netfilter: conntrack: Introduce tcp offload timeout > configuration > (upstream) netfilter: conntrack: Introduce udp offload timeout > configuration > (upstream) netfilter: flowtable: Set offload timeouts according to > proto values > > include/net/netfilter/nf_flow_table.h | 10 ++----- > include/net/netns/conntrack.h | 8 +++++ > net/netfilter/nf_conntrack_proto_tcp.c | 5 ++++ > net/netfilter/nf_conntrack_proto_udp.c | 5 ++++ > net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++ > net/netfilter/nf_flow_table_core.c | 53 +++++++++++++++++++++++---------- > net/netfilter/nf_flow_table_offload.c | 5 ++-- > net/sched/act_ct.c | 5 ---- > 8 files changed, 106 insertions(+), 31 deletions(-) >
On 07.07.21 17:12, Bodong Wang wrote: > TCP and UDP connections may be offloaded from nf conntrack to nf flow table. > Offloaded connections are aged after 30 seconds of inactivity. > Once aged, ownership is returned to conntrack with a hard coded tcp/udp > pickup time of 120/30 seconds, after which the connection may be deleted. > > The current hard-coded pickup intervals may introduce a very aggressive > aging policy. For example, offloaded tcp connections in established state > will timeout from nf conntrack after just 150 seconds of inactivity, > instead of 5 days. In addition, the hard-coded 30 second offload timeout > period can significantly increase the hardware insertion rate requirements > in some use cases. > > This patchset provides the user with the ability to configure protocol > specific offload timeout and pickup intervals via sysctl. > > The first and second patches revert the existing non-upstream solution. > The next two patches introduce the sysctl configuration for tcp and udp > protocols. > The last patch modifies nf flow table aging mechanisms to use the configured > time intervals. > > v2: add linux-next to cherry pick branch > > Oz Shlomo (5): > Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age > out time" > Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout > interval" > (upstream) netfilter: conntrack: Introduce tcp offload timeout > configuration > (upstream) netfilter: conntrack: Introduce udp offload timeout > configuration > (upstream) netfilter: flowtable: Set offload timeouts according to > proto values > > include/net/netfilter/nf_flow_table.h | 10 ++----- > include/net/netns/conntrack.h | 8 +++++ > net/netfilter/nf_conntrack_proto_tcp.c | 5 ++++ > net/netfilter/nf_conntrack_proto_udp.c | 5 ++++ > net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++ > net/netfilter/nf_flow_table_core.c | 53 +++++++++++++++++++++++---------- > net/netfilter/nf_flow_table_offload.c | 5 ++-- > net/sched/act_ct.c | 5 ---- > 8 files changed, 106 insertions(+), 31 deletions(-) > Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks
On 07.07.21 17:12, Bodong Wang wrote: > TCP and UDP connections may be offloaded from nf conntrack to nf flow table. > Offloaded connections are aged after 30 seconds of inactivity. > Once aged, ownership is returned to conntrack with a hard coded tcp/udp > pickup time of 120/30 seconds, after which the connection may be deleted. > > The current hard-coded pickup intervals may introduce a very aggressive > aging policy. For example, offloaded tcp connections in established state > will timeout from nf conntrack after just 150 seconds of inactivity, > instead of 5 days. In addition, the hard-coded 30 second offload timeout > period can significantly increase the hardware insertion rate requirements > in some use cases. > > This patchset provides the user with the ability to configure protocol > specific offload timeout and pickup intervals via sysctl. > > The first and second patches revert the existing non-upstream solution. > The next two patches introduce the sysctl configuration for tcp and udp > protocols. > The last patch modifies nf flow table aging mechanisms to use the configured > time intervals. > > v2: add linux-next to cherry pick branch > > Oz Shlomo (5): > Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age > out time" > Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout > interval" > (upstream) netfilter: conntrack: Introduce tcp offload timeout > configuration > (upstream) netfilter: conntrack: Introduce udp offload timeout > configuration > (upstream) netfilter: flowtable: Set offload timeouts according to > proto values > > include/net/netfilter/nf_flow_table.h | 10 ++----- > include/net/netns/conntrack.h | 8 +++++ > net/netfilter/nf_conntrack_proto_tcp.c | 5 ++++ > net/netfilter/nf_conntrack_proto_udp.c | 5 ++++ > net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++ > net/netfilter/nf_flow_table_core.c | 53 +++++++++++++++++++++++---------- > net/netfilter/nf_flow_table_offload.c | 5 ++-- > net/sched/act_ct.c | 5 ---- > 8 files changed, 106 insertions(+), 31 deletions(-) > Applied to focal:linux-bluefield/master-next. Thanks. -Stefan
TCP and UDP connections may be offloaded from nf conntrack to nf flow table. Offloaded connections are aged after 30 seconds of inactivity. Once aged, ownership is returned to conntrack with a hard coded tcp/udp pickup time of 120/30 seconds, after which the connection may be deleted. The current hard-coded pickup intervals may introduce a very aggressive aging policy. For example, offloaded tcp connections in established state will timeout from nf conntrack after just 150 seconds of inactivity, instead of 5 days. In addition, the hard-coded 30 second offload timeout period can significantly increase the hardware insertion rate requirements in some use cases. This patchset provides the user with the ability to configure protocol specific offload timeout and pickup intervals via sysctl. The first and second patches revert the existing non-upstream solution. The next two patches introduce the sysctl configuration for tcp and udp protocols. The last patch modifies nf flow table aging mechanisms to use the configured time intervals. v2: add linux-next to cherry pick branch Oz Shlomo (5): Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age out time" Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout interval" (upstream) netfilter: conntrack: Introduce tcp offload timeout configuration (upstream) netfilter: conntrack: Introduce udp offload timeout configuration (upstream) netfilter: flowtable: Set offload timeouts according to proto values include/net/netfilter/nf_flow_table.h | 10 ++----- include/net/netns/conntrack.h | 8 +++++ net/netfilter/nf_conntrack_proto_tcp.c | 5 ++++ net/netfilter/nf_conntrack_proto_udp.c | 5 ++++ net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++ net/netfilter/nf_flow_table_core.c | 53 +++++++++++++++++++++++---------- net/netfilter/nf_flow_table_offload.c | 5 ++-- net/sched/act_ct.c | 5 ---- 8 files changed, 106 insertions(+), 31 deletions(-)