From patchwork Tue Jan 10 13:30:17 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095151
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v1 1/7] net: flow_offload: provision conntrack info in ct_metadata
Date: Tue, 10 Jan 2023 14:30:17 +0100
Message-ID: <20230110133023.2366381-2-vladbu@nvidia.com>
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

In order to offload connections in other states besides "established" the driver offload callbacks need to have access to connection conntrack info. Extend flow offload intermediate representation data structure flow_action_entry->ct_metadata with new enum ip_conntrack_info field and fill it in tcf_ct_flow_table_add_action_meta() callback. Reject offloading IP_CT_NEW connections for now by returning an error in relevant driver callbacks based on value of ctinfo. Support for offloading such connections will need to be added to the drivers afterwards.

Signed-off-by: Vlad Buslov
--- .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/netronome/nfp/flower/conntrack.c | 20 +++++++++++++++++++ include/net/flow_offload.h | 1 + net/sched/act_ct.c | 1 + 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index 313df8232db7..8cad5cf3305d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -1077,7 +1077,7 @@ mlx5_tc_ct_block_flow_offload_add(struct mlx5_ct_ft *ft, int err; meta_action = mlx5_tc_ct_get_ct_metadata_action(flow_rule); - if (!meta_action) + if (!meta_action || meta_action->ct_metadata.ctinfo == IP_CT_NEW) return -EOPNOTSUPP; spin_lock_bh(&ct_priv->ht_lock); diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c index f693119541d5..2c550a1792b7 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c 
@@ -1964,6 +1964,23 @@ int nfp_fl_ct_stats(struct flow_cls_offload *flow, return 0; } +static bool +nfp_fl_ct_offload_supported(struct flow_cls_offload *flow) +{ + struct flow_rule *flow_rule = flow->rule; + struct flow_action *flow_action = + &flow_rule->action; + struct flow_action_entry *act; + int i; + + flow_action_for_each(i, act, flow_action) { + if (act->id == FLOW_ACTION_CT_METADATA) + return act->ct_metadata.ctinfo != IP_CT_NEW; + } + + return false; +} + static int nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offload *flow) { @@ -1976,6 +1993,9 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offl extack = flow->common.extack; switch (flow->command) { case FLOW_CLS_REPLACE: + if (!nfp_fl_ct_offload_supported(flow)) + return -EOPNOTSUPP; + /* Netfilter can request offload multiple times for the same * flow - protect against adding duplicates. */ diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index 0400a0ac8a29..4a350f518b40 100644 --- a/include/net/flow_offload.h +++ b/include/net/flow_offload.h @@ -288,6 +288,7 @@ struct flow_action_entry { } ct; struct { unsigned long cookie; + enum ip_conntrack_info ctinfo; u32 mark; u32 labels[4]; bool orig_dir; diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 0ca2bb8ed026..515577f913a3 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -187,6 +187,7 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL; + entry->ct_metadata.ctinfo = ctinfo; act_ct_labels = entry->ct_metadata.labels; ct_labels = nf_ct_labels_find(ct); 
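
Review bot: in the mlx5_tc_ct_block_flow_offload_add() hunk of patch 1/7 the new test is a deny-list of a single value, `ctinfo == IP_CT_NEW`, so every other ctinfo value still reaches the offload path. Since the commit message describes the existing behaviour as offloading "established" connections, consider testing for the states the driver does handle and returning -EOPNOTSUPP for everything else, so that a state passed in by a later patch is rejected by default.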
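
Review bot: nfp_fl_ct_offload_supported() in patch 1/7 falls through to `return false` when the rule carries no FLOW_ACTION_CT_METADATA entry, so FLOW_CLS_REPLACE in nfp_fl_ct_offload_nft_flow() now returns -EOPNOTSUPP for that case as well as for IP_CT_NEW. The commit message only mentions rejecting IP_CT_NEW; add a comment above the helper saying that a missing metadata action is also treated as unsupported, or handle the two cases separately so the intent is visible.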
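
Review bot: in the tcf_ct_flow_table_add_action_meta() hunk of patch 1/7 the context line `entry->ct_metadata.cookie = (unsigned long)ct | ctinfo;` already stores ctinfo inside the cookie, and the added `entry->ct_metadata.ctinfo = ctinfo;` stores it a second time. The new field in struct flow_action_entry has no comment; a short note there that it mirrors the value OR-ed into cookie (or a helper that extracts it from cookie instead of a second field) would keep the two from drifting apart.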

X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095150
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v1 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state
Date: Tue, 10 Jan 2023 14:30:18 +0100
Message-ID: <20230110133023.2366381-3-vladbu@nvidia.com>
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Currently flow_offload_fixup_ct() function assumes that only replied UDP connections can be offloaded and hardcodes UDP_CT_REPLIED timeout value. To enable UDP NEW connection offload in following patches extract the actual connections state from ct->status and set the timeout according to it.

Signed-off-by: Vlad Buslov
--- net/netfilter/nf_flow_table_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 81c26a96c30b..04bd0ed4d2ae 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -193,8 +193,11 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) timeout -= tn->offload_timeout; } else if (l4num == IPPROTO_UDP) { struct nf_udp_net *tn = nf_udp_pernet(net); + enum udp_conntrack state = + test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + UDP_CT_REPLIED : UDP_CT_UNREPLIED; - timeout = tn->timeouts[UDP_CT_REPLIED]; + timeout = tn->timeouts[state]; timeout -= tn->offload_timeout; } else { return; 
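
Review bot: in the UDP branch of flow_offload_fixup_ct() (patch 2/7) the code can now select `tn->timeouts[UDP_CT_UNREPLIED]`, and the unchanged `timeout -= tn->offload_timeout;` is applied to it exactly as it was to the replied value. The hunk shows no lower bound on the result; please confirm, or state in the commit message, that the subtraction is still safe when the selected timeout is smaller than offload_timeout.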

X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095153
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v1 3/7] netfilter: flowtable: allow unidirectional rules
Date: Tue, 10 Jan 2023 14:30:19 +0100
Message-ID: <20230110133023.2366381-4-vladbu@nvidia.com>
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Modify flow table offload to support unidirectional connections by extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only offload reply direction when the flag is not set. This infrastructure change is necessary to support offloading UDP NEW connections in original direction in following patches in series.

Signed-off-by: Vlad Buslov
--- include/net/netfilter/nf_flow_table.h | 1 + net/netfilter/nf_flow_table_offload.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index cd982f4a0f50..88ab98ab41d9 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -164,6 +164,7 @@ enum nf_flow_flags { NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, + NF_FLOW_HW_BIDIRECTIONAL, }; enum flow_offload_type { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d9b99abe37d..8b852f10fab4 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -895,8 +895,9 @@ static int flow_offload_rule_add(struct flow_offload_work *offload, ok_count += flow_offload_tuple_add(offload, flow_rule[0], FLOW_OFFLOAD_DIR_ORIGINAL); - ok_count += flow_offload_tuple_add(offload, flow_rule[1], - FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + ok_count += flow_offload_tuple_add(offload, flow_rule[1], + FLOW_OFFLOAD_DIR_REPLY); if (ok_count == 0) return -ENOENT; 
@@ -926,7 +927,8 @@ static void flow_offload_work_del(struct flow_offload_work *offload) { clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL); - flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags); } 
@@ -946,7 +948,9 @@ static void flow_offload_work_stats(struct flow_offload_work *offload) u64 lastused; flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]); - flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, + &stats[1]); lastused = max_t(u64, stats[0].lastused, stats[1].lastused); offload->flow->timeout = max_t(u64, offload->flow->timeout, 
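
Review bot: nothing in patch 3/7 sets NF_FLOW_HW_BIDIRECTIONAL; the diffstat covers only the enum addition and the three test_bit() sites in nf_flow_table_offload.c. Applied on its own, the flow_offload_rule_add() hunk would skip flow_rule[1] for every flow, which breaks bisection; set the flag for the existing bidirectional users in this same patch. The commit message also reads "Only offload reply direction when the flag is not set", while the code offloads the reply direction only when the flag is set.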
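
Review bot: the flow_offload_work_del() hunk of patch 3/7 decides whether to remove the FLOW_OFFLOAD_DIR_REPLY tuple from the flag's value at deletion time, not from what flow_offload_rule_add() actually installed. If the flag can be set after the original-direction rule was added, document the ordering that guarantees the reply rule exists before the flag is observed here, or record the installed directions separately.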
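
Review bot: in the flow_offload_work_stats() hunk of patch 3/7 the context line `lastused = max_t(u64, stats[0].lastused, stats[1].lastused);` still reads stats[1] when the reply-direction query is skipped. The declaration of stats is outside the hunk; make sure it is zero-initialised, or compute lastused from stats[0] alone on the unidirectional path.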
b=mQjMVclVQMqnkxZ2ul3H/c+JmGw5NlpRBFt4+N5v4OG8Gn7yM7bl1XVXuafj1RaAT4sC8nZ1OaSncUNZu4cZfBgEOBJp04HXTfUUNaCKRSFjHUSsuBd+Jyh4061k85vOxYLJhV5AdlxA41dK7o5ycIXx8tXJWG2FEkj0SRaMTRvkcQpRNld0zp4rlCBFN/7+UGNZPDM6DjSsJNk70iiqzaoNjk3ep//vCXLGQgs4Ry+pmQL/guMYh6NeoDfNBNaq/CktW4oyPOCDRcfvTsNUfvSwCORPaP3kAQABJ20EsD0NEYpYotwPOyhKiGyiy9P3jRe3jBOS9cih1rxGMj9l+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/eVt+c+15jGRhcTXeDwGGa8OjjrApn0DRx+nf2W7K2E=; b=f+TnZ6u1nfyV/bLKX/DJ1LDtvzrNlJtQ9e/yKzOU+VRMKiYoLWIyPze7dwkJUP/hrnWgnl+jfdXear376sDE9T6cP0HJB2xOz5/gw8gHqZ4IBqcjX5/Zc42Ap+UO3lEmYyMtLnpGYaQC0dHqDrZi714Al5QHEiEGcWsxCs1V+W7smI+0duaTri6F5uQLHSz7XzC33ptBQL1+R7yqw2IKqpjXBVnUVxHO20uIekX/3xmO4TTA01iYIsaIturLH4bNcL07Jczo5JPT/fKNPJbodTaR/tYc8t9FhDaqIAbQL9sfTBtCvvOudyvDz0PB/B8FEeRa/jtrhfPFK0x3kg6LQA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=davemloft.net smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/eVt+c+15jGRhcTXeDwGGa8OjjrApn0DRx+nf2W7K2E=; b=fcC05QHIi+LERQ5gixLBwa3n+Kd50rXHej5bEpcgfkvXNsVcTPbboBZjAII7955To2OFCaEQ2FmWOlHij5/qqILo1AgJilFwJv+EBtZURw1jBHxTNehkRpumYdZfCo8QgZlkdDcTXp/4jCsKYwmRoOt82rgQNgaVJyUwOBiosFpqBap9jx/Zfk5GnEpvnmKLWN1FvYn6XmpBbaojD3lbnZMqQhgMuvUFJjmuglgeXXnf7DKrqRZOCRFT8W46Y5evPVaWW+xdbjnDiF8zbgypU47+MQx1kmw1I/JdExjMqy18qg9W+chPRhhjbB5+1oj8+oAlIXQWYm09ynOtlWjlag== Received: from DM6PR12CA0025.namprd12.prod.outlook.com (2603:10b6:5:1c0::38) by BL3PR12MB6643.namprd12.prod.outlook.com (2603:10b6:208:38f::17) with 
Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18; Tue, 10 Jan 2023 13:31:30 +0000 Received: from DM6NAM11FT078.eop-nam11.prod.protection.outlook.com (2603:10b6:5:1c0:cafe::ff) by DM6PR12CA0025.outlook.office365.com (2603:10b6:5:1c0::38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.18 via Frontend Transport; Tue, 10 Jan 2023 13:31:30 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by DM6NAM11FT078.mail.protection.outlook.com (10.13.173.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5966.17 via Frontend Transport; Tue, 10 Jan 2023 13:31:29 +0000 Received: from rnnvmail202.nvidia.com (10.129.68.7) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Tue, 10 Jan 2023 05:31:13 -0800 Received: from rnnvmail204.nvidia.com (10.129.68.6) by rnnvmail202.nvidia.com (10.129.68.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Tue, 10 Jan 2023 05:31:13 -0800 Received: from vdi.nvidia.com (10.127.8.14) by mail.nvidia.com (10.129.68.6) with Microsoft SMTP Server id 15.2.986.36 via Frontend Transport; Tue, 10 Jan 2023 05:31:10 -0800 
From: Vlad Buslov
Subject: [PATCH net-next v1 4/7] netfilter: flowtable: allow updating offloaded rules asynchronously
Date: Tue, 10 Jan 2023 14:30:20 +0100
Message-ID: <20230110133023.2366381-5-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Following patches in series need to update flowtable rule several times during its lifetime in order to synchronize hardware offload with actual ct status. However, reusing existing 'refresh' logic in act_ct would cause data path to potentially schedule significant amount of spurious tasks in 'add' workqueue since it is executed per-packet. Instead, introduce a new flow 'update' flag and use it to schedule async flow refresh in flowtable gc which will only be executed once per gc iteration.

Signed-off-by: Vlad Buslov
--- include/net/netfilter/nf_flow_table.h | 3 ++- net/netfilter/nf_flow_table_core.c | 20 +++++++++++++++----- net/netfilter/nf_flow_table_offload.c | 5 +++-- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 88ab98ab41d9..e396424e2e68 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -165,6 +165,7 @@ enum nf_flow_flags { NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, NF_FLOW_HW_BIDIRECTIONAL, + NF_FLOW_HW_UPDATE, }; enum flow_offload_type { @@ -300,7 +301,7 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, #define MODULE_ALIAS_NF_FLOWTABLE(family) \ MODULE_ALIAS("nf-flowtable-" __stringify(family)) -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow); void nf_flow_offload_del(struct nf_flowtable *flowtable, struct flow_offload *flow); diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 04bd0ed4d2ae..5b495e768655 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -316,21 +316,28 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) } EXPORT_SYMBOL_GPL(flow_offload_add); +static bool __flow_offload_refresh(struct nf_flowtable *flow_table, + struct flow_offload *flow) +{ + if (likely(!nf_flowtable_hw_offload(flow_table))) + return true; + + return nf_flow_offload_add(flow_table, flow); +} + void flow_offload_refresh(struct nf_flowtable *flow_table, struct flow_offload *flow) { u32 timeout; timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); - if (timeout - READ_ONCE(flow->timeout) > HZ) + if (timeout - READ_ONCE(flow->timeout) > HZ && + !test_bit(NF_FLOW_HW_UPDATE, &flow->flags)) WRITE_ONCE(flow->timeout, timeout); else return; - if (likely(!nf_flowtable_hw_offload(flow_table))) - return; - - nf_flow_offload_add(flow_table, flow); + __flow_offload_refresh(flow_table, flow); } EXPORT_SYMBOL_GPL(flow_offload_refresh); @@ -435,6 +442,9 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, } else { flow_offload_del(flow_table, flow); } + } else if (test_and_clear_bit(NF_FLOW_HW_UPDATE, &flow->flags)) { + if (!__flow_offload_refresh(flow_table, flow)) + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); } else if (test_bit(NF_FLOW_HW, &flow->flags)) { nf_flow_offload_stats(flow_table, flow); } diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 8b852f10fab4..103b2ca8d123 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c 
@@ -1036,16 +1036,17 @@ nf_flow_offload_work_alloc(struct nf_flowtable *flowtable, } -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow) { struct flow_offload_work *offload; offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_REPLACE); if (!offload) - return; + return false; flow_offload_queue_work(offload); + return true; } void nf_flow_offload_del(struct nf_flowtable *flowtable,

From patchwork Tue Jan 10 13:30:21 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095156
X-Patchwork-Delegate: kuba@kernel.org
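Review bot: in flow_offload_refresh() (patch 4/7, net/netfilter/nf_flow_table_core.c) the new !test_bit(NF_FLOW_HW_UPDATE, &flow->flags) term is ANDed into the condition that guards WRITE_ONCE(flow->timeout, timeout), so while an update is pending the function takes the else branch and returns without extending the software timeout, not only without queueing hardware work. If the intent is just to suppress the per-packet nf_flow_offload_add() call, keep the timeout write on the original `timeout - READ_ONCE(flow->timeout) > HZ` test and check the flag separately before calling __flow_offload_refresh(). Otherwise the commit message should say why skipping the timeout refresh is safe, given that the gc step sets the bit again whenever __flow_offload_refresh() returns false.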
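Review bot: in nf_flow_offload_gc_step() (patch 4/7) the new NF_FLOW_HW_UPDATE branch sits ahead of `else if (test_bit(NF_FLOW_HW, &flow->flags))`, so a flow with the update bit set skips nf_flow_offload_stats() for that gc pass, and keeps skipping it for as long as __flow_offload_refresh() fails and the bit is set again. Consider handling the update and still reaching the stats call, or note why missing stats on those passes is acceptable. The `true` returned by nf_flow_offload_add() only means the work item was queued, which deserves a one-line comment at the prototype because the gc step treats it as the update being done.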
From: Vlad Buslov
Subject: [PATCH net-next v1 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state
Date: Tue, 10 Jan 2023 14:30:21 +0100
Message-ID: <20230110133023.2366381-6-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Currently tcf_ct_flow_table_add_action_meta() function assumes that only established connections can be offloaded and always sets ctinfo to either IP_CT_ESTABLISHED or IP_CT_ESTABLISHED_REPLY strictly based on direction without checking actual connection state. To enable UDP NEW connection offload set the ctinfo and metadata cookie based on ct->status value.

Signed-off-by: Vlad Buslov
--- net/sched/act_ct.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 515577f913a3..bfddb462d2bc 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -182,8 +182,11 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) entry->ct_metadata.mark = READ_ONCE(ct->mark); #endif - ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == IP_CT_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL;

From patchwork Tue Jan 10 13:30:22 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095155
X-Patchwork-Delegate: kuba@kernel.org
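Review bot: in tcf_ct_flow_table_add_action_meta() (patch 5/7) the original-direction ctinfo is now chosen from test_bit(IPS_SEEN_REPLY_BIT, &ct->status) at the moment the action is built, and that value is baked into entry->ct_metadata.cookie. A rule built before the first reply keeps carrying IP_CT_NEW in its cookie until something rebuilds it, so the comment above the cookie assignment, or the commit message, should state that the rule is expected to be refreshed once the reply is seen and which path does that. The same ctinfo selection is repeated in tcf_ct_flow_table_lookup() in patch 6/7; a small helper would keep the two copies from drifting apart.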
From: Vlad Buslov
Subject: [PATCH net-next v1 6/7] net/sched: act_ct: offload UDP NEW connections
Date: Tue, 10 Jan 2023 14:30:22 +0100
Message-ID: <20230110133023.2366381-7-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

When processing connections allow offloading of UDP connections that don't have IPS_ASSURED_BIT set as unidirectional. When performing table lookup for reply packets check the current connection status: If UDP unidirectional connection became assured also promote the corresponding flow table entry to bidirectional and set the 'update' bit, else just set the 'update' bit since reply directional traffic will most likely cause connection status to become 'established' which requires updating the offload state.

Signed-off-by: Vlad Buslov
--- net/sched/act_ct.c | 48 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index bfddb462d2bc..563cbdd8341c 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -369,7 +369,7 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, - bool tcp) + bool tcp, bool bidirectional) { struct nf_conn_act_ct_ext *act_ct_ext; struct flow_offload *entry; @@ -388,6 +388,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; } + if (bidirectional) + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags); act_ct_ext = nf_conn_act_ct_ext_find(ct); if (act_ct_ext) { 
@@ -411,26 +413,34 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - bool tcp = false; - - if ((ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || - !test_bit(IPS_ASSURED_BIT, &ct->status)) - return; + bool tcp = false, bidirectional = true; switch (nf_ct_protonum(ct)) { case IPPROTO_TCP: - tcp = true; - if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) return; + + tcp = true; break; case IPPROTO_UDP: + if (!nf_ct_is_confirmed(ct)) + return; + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) + bidirectional = false; break; #ifdef CONFIG_NF_CT_PROTO_GRE case IPPROTO_GRE: { struct nf_conntrack_tuple *tuple; - if (ct->status & IPS_NAT_MASK) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->status & IPS_NAT_MASK) return; + tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; /* No support for GRE v1 */ if (tuple->src.u.gre.key || tuple->dst.u.gre.key) @@ -446,7 +456,7 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, ct->status & IPS_SEQ_ADJUST) return; - tcf_ct_flow_table_add(ct_ft, ct, tcp); + tcf_ct_flow_table_add(ct_ft, ct, tcp, bidirectional); } static bool 
@@ -625,13 +635,27 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); ct = flow->ct; + if (dir == FLOW_OFFLOAD_DIR_REPLY && + !test_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags)) { + /* Only offload reply direction after connection became + * assured. + */ + if (test_bit(IPS_ASSURED_BIT, &ct->status)) + set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); + return false; + } + if (tcph && (unlikely(tcph->fin || tcph->rst))) { flow_offload_teardown(flow); return false; } - ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == FLOW_OFFLOAD_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; flow_offload_refresh(nf_ft, flow); nf_conntrack_get(&ct->ct_general);

From patchwork Tue Jan 10 13:30:23 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13095154
X-Patchwork-Delegate: kuba@kernel.org
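Review bot: in tcf_ct_flow_table_process_conn() (patch 6/7) the ctinfo check that used to run for every protocol was moved into the IPPROTO_TCP and IPPROTO_GRE cases, but the IPPROTO_UDP case only tests nf_ct_is_confirmed(ct). That admits IP_CT_NEW as intended, and it also admits every other ctinfo value the old top-of-function check rejected, such as IP_CT_RELATED. If only NEW and ESTABLISHED UDP connections are meant to be offloaded, add an explicit ctinfo check to the UDP case. The `ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY` plus IPS_ASSURED_BIT condition now duplicated in the TCP and GRE cases would read better as one helper.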
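Review bot: in tcf_ct_flow_table_lookup() (patch 6/7) the new reply-direction block calls set_bit(NF_FLOW_HW_UPDATE, &flow->flags) unconditionally before `return false`, so every reply packet that arrives while the flow is still unidirectional performs an atomic write to flow->flags. A test_bit() ahead of the set_bit() would avoid dirtying the cache line once the bit is already set. The comment covers only the assured case; it should also say why the update bit is set when IPS_ASSURED_BIT is still clear, which is currently explained only in the commit message.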
From: Vlad Buslov
Subject: [PATCH net-next v1 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns
Date: Tue, 10 Jan 2023 14:30:23 +0100
Message-ID: <20230110133023.2366381-8-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230110133023.2366381-1-vladbu@nvidia.com>
References: <20230110133023.2366381-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Both the synchronous early drop algorithm and the asynchronous gc worker completely ignore connections with the IPS_OFFLOAD_BIT status bit set. With the new functionality that enabled UDP NEW connection offload in action CT, a malicious user can flood the conntrack table with offloaded UDP connections by just sending a single packet per 5tuple, because such connections can no longer be deleted by the early drop algorithm.

To mitigate the issue, allow both early drop and gc to consider offloaded UDP connections for deletion.

Signed-off-by: Vlad Buslov
--- net/netfilter/nf_conntrack_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 496c4920505b..52b824a60176 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1374,9 +1374,6 @@ static unsigned int early_drop_list(struct net *net, hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) { tmp = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) - continue; - if (nf_ct_is_expired(tmp)) { nf_ct_gc_expired(tmp); continue; @@ -1446,11 +1443,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct) static bool gc_worker_can_early_drop(const struct nf_conn *ct) { const struct nf_conntrack_l4proto *l4proto; + u8 protonum = nf_ct_protonum(ct); + if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP) + return false; if (!test_bit(IPS_ASSURED_BIT, &ct->status)) return true; - l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); + l4proto = nf_ct_l4proto_find(protonum); if (l4proto->can_early_drop && l4proto->can_early_drop(ct)) return true; 
@@ -1507,7 +1507,8 @@ static void gc_worker(struct work_struct *work) if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { nf_ct_offload_timeout(tmp); - continue; + if (!nf_conntrack_max95) + continue; } if (expired_count > GC_SCAN_EXPIRED_MAX) {
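Review bot: in the early_drop_list hunk (@@ -1374), the IPS_OFFLOAD_BIT skip is removed for every protocol, while the commit message and the new test in gc_worker_can_early_drop limit the change to UDP. Unless a later check that is not shown in this hunk already excludes them, consider narrowing the skip instead of deleting it, for example `if (test_bit(IPS_OFFLOAD_BIT, &tmp->status) && nf_ct_protonum(tmp) != IPPROTO_UDP) continue;`, so that offloaded entries of other protocols stay exempt from synchronous early drop. With the skip gone, offloaded entries also reach the nf_ct_is_expired()/nf_ct_gc_expired() path that follows; if that is intended, the commit message should say so.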
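Review bot: in the gc_worker_can_early_drop hunk (@@ -1446), the new IPS_OFFLOAD_BIT test carries no comment explaining why UDP alone is exempted from the `return false`; a one-line comment tying it to UDP NEW connection offload would keep the special case from looking arbitrary. An offloaded UDP entry with IPS_ASSURED_BIT set now depends on `l4proto->can_early_drop` being provided for UDP, so the commit message should state whether assured offloaded UDP flows are expected to be droppable or only unassured ones.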
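Review bot: in the gc_worker hunk (@@ -1507), `if (!nf_conntrack_max95) continue;` lets every offloaded entry fall through to the rest of the loop body whenever nf_conntrack_max95 is non-zero, regardless of protocol and immediately after nf_ct_offload_timeout(tmp) has run on it. The hunk relies on later code to filter out non-UDP entries, so add a comment naming the check that does this (gc_worker_can_early_drop, per the previous hunk), and confirm that the fall-through does not change the expired_count accounting for offloaded entries that were previously skipped.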