From: Vlad Buslov
Subject: [PATCH net-next v2 1/7] net: flow_offload: provision conntrack info in ct_metadata
Date: Fri, 13 Jan 2023 17:55:42 +0100
Message-ID: <20230113165548.2692720-2-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Patchwork-Id: 13101164
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

In order to offload connections in other states besides "established" the driver offload callbacks need to have access to connection conntrack info. Extend flow offload intermediate representation data structure flow_action_entry->ct_metadata with new enum ip_conntrack_info field and fill it in tcf_ct_flow_table_add_action_meta() callback.

Reject offloading IP_CT_NEW connections for now by returning an error in relevant driver callbacks based on value of ctinfo. Support for offloading such connections will need to be added to the drivers afterwards.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V1 -> V2:
    - Add missing include that caused compilation errors on certain configs.
    - Change naming in nfp driver as suggested by Simon and Baowen.

.../ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/netronome/nfp/flower/conntrack.c | 20 +++++++++++++++++++ include/net/flow_offload.h | 2 ++ net/sched/act_ct.c | 1 + 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index 313df8232db7..8cad5cf3305d 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -1077,7 +1077,7 @@ mlx5_tc_ct_block_flow_offload_add(struct mlx5_ct_ft *ft, int err; meta_action = mlx5_tc_ct_get_ct_metadata_action(flow_rule); - if (!meta_action) + if (!meta_action || meta_action->ct_metadata.ctinfo == IP_CT_NEW) return -EOPNOTSUPP; spin_lock_bh(&ct_priv->ht_lock); diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c index f693119541d5..f7569584b9d8 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c @@ -1964,6 +1964,23 @@ int nfp_fl_ct_stats(struct flow_cls_offload *flow, return 0; } +static bool +nfp_fl_ct_offload_nft_supported(struct flow_cls_offload *flow) +{ + struct flow_rule *flow_rule = flow->rule; + struct flow_action *flow_action = + &flow_rule->action; + struct flow_action_entry *act; + int i; + + flow_action_for_each(i, act, flow_action) { + if (act->id == FLOW_ACTION_CT_METADATA) + return act->ct_metadata.ctinfo != IP_CT_NEW; + } + + return false; +} + static int nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offload *flow) { @@ -1976,6 +1993,9 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offl extack = flow->common.extack; switch (flow->command) { case FLOW_CLS_REPLACE: + if (!nfp_fl_ct_offload_nft_supported(flow)) + return -EOPNOTSUPP; + /* Netfilter can request offload multiple times for the same * flow - protect against adding duplicates. */ diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index 0400a0ac8a29..a6adaffb68fb 100644 --- a/include/net/flow_offload.h +++ b/include/net/flow_offload.h @@ -4,6 +4,7 @@ #include #include #include +#include #include struct flow_match { @@ -288,6 +289,7 @@ struct flow_action_entry { } ct; struct { unsigned long cookie; + enum ip_conntrack_info ctinfo; u32 mark; u32 labels[4]; bool orig_dir; diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 0ca2bb8ed026..515577f913a3 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -187,6 +187,7 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL; + entry->ct_metadata.ctinfo = ctinfo; act_ct_labels = entry->ct_metadata.labels; ct_labels = nf_ct_labels_find(ct);
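
Review bot: the FLOW_CLS_REPLACE path in nfp_fl_ct_offload_nft_flow() (nfp/flower/conntrack.c) now returns a bare -EOPNOTSUPP when nfp_fl_ct_offload_nft_supported() fails, without setting an extack message, although extack = flow->common.extack is already in scope just above the switch. Set a message there so a refused IP_CT_NEW entry can be told apart from other unsupported cases. The helper also ends in return false when the rule carries no FLOW_ACTION_CT_METADATA action; that is the fail-closed default, but it changes behaviour for such rules and deserves a one-line comment on the helper saying it is intended.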
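
Review bot: the new ctinfo member of ct_metadata in include/net/flow_offload.h has no comment and duplicates state that the act_ct.c hunk still folds into the cookie, since entry->ct_metadata.cookie = (unsigned long)ct | ctinfo stays next to the added entry->ct_metadata.ctinfo = ctinfo. Two copies of one value can drift when a later change touches only one of them. Document on the field which of the two drivers are expected to read, or provide one helper that derives ctinfo from the cookie.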

From: Vlad Buslov
Subject: [PATCH net-next v2 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state
Date: Fri, 13 Jan 2023 17:55:43 +0100
Message-ID: <20230113165548.2692720-3-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Patchwork-Id: 13101165
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Currently flow_offload_fixup_ct() function assumes that only replied UDP connections can be offloaded and hardcodes UDP_CT_REPLIED timeout value. To enable UDP NEW connection offload in following patches extract the actual connections state from ct->status and set the timeout according to it.

Signed-off-by: Vlad Buslov
---

net/netfilter/nf_flow_table_core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 81c26a96c30b..04bd0ed4d2ae 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c
@@ -193,8 +193,11 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) timeout -= tn->offload_timeout; } else if (l4num == IPPROTO_UDP) { struct nf_udp_net *tn = nf_udp_pernet(net); + enum udp_conntrack state = + test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + UDP_CT_REPLIED : UDP_CT_UNREPLIED; - timeout = tn->timeouts[UDP_CT_REPLIED]; + timeout = tn->timeouts[state]; timeout -= tn->offload_timeout; } else { return;
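
Review bot: in the UDP branch of flow_offload_fixup_ct() the unchanged timeout -= tn->offload_timeout now runs on tn->timeouts[UDP_CT_UNREPLIED] whenever IPS_SEEN_REPLY_BIT is clear, and the hunk does not show how the result is bounded. The unreplied UDP timeout is normally the shorter of the two, so the subtraction can reach zero or go negative where the replied value did not. Please confirm that a clamp follows this block and mention the unreplied case in the commit message, so it is clear what lifetime a conntrack entry gets when it is handed back from the flowtable.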

From: Vlad Buslov
Subject: [PATCH net-next v2 3/7] netfilter: flowtable: allow unidirectional rules
Date: Fri, 13 Jan 2023 17:55:44 +0100
Message-ID: <20230113165548.2692720-4-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Patchwork-Id: 13101166
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Modify flow table offload to support unidirectional connections by extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only offload reply direction when the flag is not set. This infrastructure change is necessary to support offloading UDP NEW connections in original direction in following patches in series.

Signed-off-by: Vlad Buslov
---

include/net/netfilter/nf_flow_table.h | 1 + net/netfilter/nf_flow_table_offload.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index cd982f4a0f50..88ab98ab41d9 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -164,6 +164,7 @@ enum nf_flow_flags { NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, + NF_FLOW_HW_BIDIRECTIONAL, }; enum flow_offload_type { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d9b99abe37d..8b852f10fab4 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -895,8 +895,9 @@ static int flow_offload_rule_add(struct flow_offload_work *offload, ok_count += flow_offload_tuple_add(offload, flow_rule[0], FLOW_OFFLOAD_DIR_ORIGINAL); - ok_count += flow_offload_tuple_add(offload, flow_rule[1], - FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + ok_count += flow_offload_tuple_add(offload, flow_rule[1], + FLOW_OFFLOAD_DIR_REPLY); if (ok_count == 0) return -ENOENT;
@@ -926,7 +927,8 @@ static void flow_offload_work_del(struct flow_offload_work *offload) { clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL); - flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags); } 
@@ -946,7 +948,9 @@ static void flow_offload_work_stats(struct flow_offload_work *offload) u64 lastused; flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]); - flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, + &stats[1]); lastused = max_t(u64, stats[0].lastused, stats[1].lastused); offload->flow->timeout = max_t(u64, offload->flow->timeout,
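
Review bot: nothing in this patch sets NF_FLOW_HW_BIDIRECTIONAL, yet flow_offload_rule_add(), flow_offload_work_del() and flow_offload_work_stats() now all skip FLOW_OFFLOAD_DIR_REPLY unless the bit is set. The diffstat covers only nf_flow_table.h and nf_flow_table_offload.c, so at this commit every existing flow loses its reply-direction rule, which breaks bisection. Set the flag where flows are created in the same patch, or invert its sense so the default stays bidirectional. The commit message also says the reply direction is offloaded "when the flag is not set", which is the opposite of what the test_bit() checks do.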
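
Review bot: in flow_offload_work_stats() stats[1] is filled only when NF_FLOW_HW_BIDIRECTIONAL is set, but lastused = max_t(u64, stats[0].lastused, stats[1].lastused) still reads it unconditionally. The declaration of stats is outside the hunk; confirm it is zero-initialised, otherwise a unidirectional flow derives its timeout from uninitialised stack data. If it is, a short comment at the max_t() line saying the reply slot stays zero for unidirectional flows would make that dependency explicit.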
b=BvpxK8NKnTcqyv6S6tlf3dL0YTw3YV7+20WJ3gxis2mALmdDZVgoG90+QfcbXYONFDuqfQO6/B+5eqlZcZ6cQIyqApdM/DfnDUWZbf28pFlnOjlzNMBw2MgVSMHGID75iEfRIlnKrvsotD7FDwPIP9LTCyVD2TsHW6cWvo7wJS8PnKY7YrJV4e66SGWfaVsqp/niqaMGemIXMBklqZ5ZZGpajlRrV+aMQ6etY3Rt36Bwrn1bfep2JsKM1XgT1Yu+zvtKYZNA8hSOhM8G71od+bwFejsWoBIKwkY0P8ARUpqxGLUUD/bSlmYdX2a6TdGHRuH6AND0YcxNfJLTBQM8nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/eVt+c+15jGRhcTXeDwGGa8OjjrApn0DRx+nf2W7K2E=; b=guNdnUW8NBzYpqP+HvyYwH9cWYgovb9g5Rrzv3sVX+8Zz9komWG6dgyySFDqZEMJsA0foywG7aru4nHmjma8gmZsBLZHnL++9qAwZ46lOwnqUXfDugqRzbEgkfEXzlIQQsFbrDJL2mme2HTBYNTpOHPxADElkk5PDT2qXoVrrTwykQbAEHt8Xg0g3MybnpZtJ9tXIp1w9/XyNHSP3c2v4JJl4mtGCaqD7aaHQpYWHAlbmkLo6ndCw90xqFtvYC2uLsKAh/xaYKX5LIjDL77IyjvMAXpoDuhZrWrzKICoLf9SrrBE8ctXQ6hc9M99z1X+zBH6JyXoCzidlNK2+cOJsg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=davemloft.net smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/eVt+c+15jGRhcTXeDwGGa8OjjrApn0DRx+nf2W7K2E=; b=sGUK0pcZVCPDt/sB94v59Gux7B2ADzuZr2RadxY9B9lWPvIovZIFc0envNRHx3dFiIsrjovlZgqL14/rQAD1IZPRvCNgI3S5LZoyaCBNx/fnIFHlrv3wbHUSzqPPG5mm83KTDtJABCX2AYVB2Mc3k7LaqetUnGdXhru/0BR72nGZlVZvohG1+FRrpWd0iVqxGsp6GluUxJKjo/EU4q/XDJUT1g9vYIPfDNmZdPwnJik1pwpxPX1+Lt79BraqMPTA8pJGFXveg1qREtR913Ad7H3Ryhxshd6jME08OFhaKo4LfzKoUC2JpQDTE7JMHBdCv84F3Uwxi1J442vp5G62og== Received: from DS7PR06CA0045.namprd06.prod.outlook.com (2603:10b6:8:54::26) by CY5PR12MB6432.namprd12.prod.outlook.com (2603:10b6:930:38::8) with 
Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.19; Fri, 13 Jan 2023 16:56:51 +0000 Received: from DM6NAM11FT049.eop-nam11.prod.protection.outlook.com (2603:10b6:8:54:cafe::50) by DS7PR06CA0045.outlook.office365.com (2603:10b6:8:54::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.14 via Frontend Transport; Fri, 13 Jan 2023 16:56:50 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by DM6NAM11FT049.mail.protection.outlook.com (10.13.172.188) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.13 via Frontend Transport; Fri, 13 Jan 2023 16:56:50 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 13 Jan 2023 08:56:39 -0800 Received: from rnnvmail201.nvidia.com (10.129.68.8) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 13 Jan 2023 08:56:39 -0800 Received: from vdi.nvidia.com (10.127.8.14) by mail.nvidia.com (10.129.68.8) with Microsoft SMTP Server id 15.2.986.36 via Frontend Transport; Fri, 13 Jan 2023 08:56:35 -0800 
From: Vlad Buslov
Subject: [PATCH net-next v2 4/7] netfilter: flowtable: allow updating offloaded rules asynchronously
Date: Fri, 13 Jan 2023 17:55:45 +0100
Message-ID: <20230113165548.2692720-5-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Following patches in series need to update flowtable rule several times during its lifetime in order to synchronize hardware offload with actual ct status. However, reusing existing 'refresh' logic in act_ct would cause data path to potentially schedule significant amount of spurious tasks in 'add' workqueue since it is executed per-packet. Instead, introduce a new flow 'update' flag and use it to schedule async flow refresh in flowtable gc which will only be executed once per gc iteration.
Signed-off-by: Vlad Buslov --- include/net/netfilter/nf_flow_table.h | 3 ++- net/netfilter/nf_flow_table_core.c | 20 +++++++++++++++----- net/netfilter/nf_flow_table_offload.c | 5 +++-- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 88ab98ab41d9..e396424e2e68 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -165,6 +165,7 @@ enum nf_flow_flags { NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, NF_FLOW_HW_BIDIRECTIONAL, + NF_FLOW_HW_UPDATE, }; enum flow_offload_type { @@ -300,7 +301,7 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, #define MODULE_ALIAS_NF_FLOWTABLE(family) \ MODULE_ALIAS("nf-flowtable-" __stringify(family)) -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow); void nf_flow_offload_del(struct nf_flowtable *flowtable, struct flow_offload *flow); diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 04bd0ed4d2ae..5b495e768655 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -316,21 +316,28 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) } EXPORT_SYMBOL_GPL(flow_offload_add); +static bool __flow_offload_refresh(struct nf_flowtable *flow_table, + struct flow_offload *flow) +{ + if (likely(!nf_flowtable_hw_offload(flow_table))) + return true; + + return nf_flow_offload_add(flow_table, flow); +} + void flow_offload_refresh(struct nf_flowtable *flow_table, struct flow_offload *flow) { u32 timeout; timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); - if (timeout - READ_ONCE(flow->timeout) > HZ) + if (timeout - READ_ONCE(flow->timeout) > HZ && + !test_bit(NF_FLOW_HW_UPDATE, &flow->flags)) WRITE_ONCE(flow->timeout, timeout); else return; - if (likely(!nf_flowtable_hw_offload(flow_table))) - return; - - nf_flow_offload_add(flow_table, flow); + __flow_offload_refresh(flow_table, flow); } EXPORT_SYMBOL_GPL(flow_offload_refresh); @@ -435,6 +442,9 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, } else { flow_offload_del(flow_table, flow); } + } else if (test_and_clear_bit(NF_FLOW_HW_UPDATE, &flow->flags)) { + if (!__flow_offload_refresh(flow_table, flow)) + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); } else if (test_bit(NF_FLOW_HW, &flow->flags)) { nf_flow_offload_stats(flow_table, flow); } diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 8b852f10fab4..103b2ca8d123 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c 
@@ -1036,16 +1036,17 @@ nf_flow_offload_work_alloc(struct nf_flowtable *flowtable, } -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow) { struct flow_offload_work *offload; offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_REPLACE); if (!offload) - return; + return false; flow_offload_queue_work(offload); + return true; } void nf_flow_offload_del(struct nf_flowtable *flowtable,
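Review bot: In the flow_offload_refresh() hunk of net/netfilter/nf_flow_table_core.c, the added `!test_bit(NF_FLOW_HW_UPDATE, &flow->flags)` term is ANDed into the condition that guards `WRITE_ONCE(flow->timeout, timeout)`, so while an update is pending the data path neither re-queues the offload work nor extends the software timeout. If only the per-packet `nf_flow_offload_add()` call is meant to be suppressed, keep the timeout write under the original `> HZ` test and check the flag just before `__flow_offload_refresh()`. If skipping the timeout write is intended, a comment saying why would help, because the gc branch sets the flag again on failure and the window is then open-ended.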
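Review bot: In the nf_flow_offload_gc_step() hunk, the new `test_and_clear_bit(NF_FLOW_HW_UPDATE, &flow->flags)` branch sits ahead of `else if (test_bit(NF_FLOW_HW, &flow->flags))`, so a flow with a pending update skips `nf_flow_offload_stats()` for that gc iteration, and keeps skipping it for as long as `__flow_offload_refresh()` returns false and the flag is set again. Please either document that a missed stats pass is acceptable or let the update branch fall through to the stats call. Since `nf_flow_offload_add()` now returns false only when `nf_flow_offload_work_alloc()` fails, a one-line comment on the new bool return in nf_flow_table.h would make the retry contract explicit.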
From: Vlad Buslov
Subject: [PATCH net-next v2 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state
Date: Fri, 13 Jan 2023 17:55:46 +0100
Message-ID: <20230113165548.2692720-6-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Patchwork-Id: 13101168
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Currently tcf_ct_flow_table_add_action_meta() function assumes that only established connections can be offloaded and always sets ctinfo to either IP_CT_ESTABLISHED or IP_CT_ESTABLISHED_REPLY strictly based on direction without checking actual connection state. To enable UDP NEW connection offload set the ctinfo and metadata cookie based on ct->status value.
Signed-off-by: Vlad Buslov --- net/sched/act_ct.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 515577f913a3..bfddb462d2bc 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c
@@ -182,8 +182,11 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) entry->ct_metadata.mark = READ_ONCE(ct->mark); #endif - ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == IP_CT_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL;
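Review bot: In tcf_ct_flow_table_add_action_meta(), `ctinfo` for the original direction is now derived from `test_bit(IPS_SEEN_REPLY_BIT, &ct->status)` at the moment the action is built and is then stored in `entry->ct_metadata.cookie`, so the cookie is a snapshot that can lag behind the connection once a reply has been seen. The commit message should say what refreshes the cookie from IP_CT_NEW to IP_CT_ESTABLISHED (presumably the 'update' flag introduced in the flowtable patch of this series), and a short comment above the new `if` would help. The same selection is open-coded again in tcf_ct_flow_table_lookup() in the following patch; a small helper taking `ct` and the direction would keep the two in sync.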
From: Vlad Buslov
Subject: [PATCH net-next v2 6/7] net/sched: act_ct: offload UDP NEW connections
Date: Fri, 13 Jan 2023 17:55:47 +0100
Message-ID: <20230113165548.2692720-7-vladbu@nvidia.com>
In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com>
X-Patchwork-Id: 13101169
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

When processing connections allow offloading of UDP connections that don't have IPS_ASSURED_BIT set as unidirectional. When performing table lookup for reply packets check the current connection status: If UDP unidirectional connection became assured also promote the corresponding flow table entry to bidirectional and set the 'update' bit, else just set the 'update' bit since reply directional traffic will most likely cause connection status to become 'established' which requires updating the offload state.
Signed-off-by: Vlad Buslov --- net/sched/act_ct.c | 48 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index bfddb462d2bc..563cbdd8341c 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -369,7 +369,7 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, - bool tcp) + bool tcp, bool bidirectional) { struct nf_conn_act_ct_ext *act_ct_ext; struct flow_offload *entry; @@ -388,6 +388,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; } + if (bidirectional) + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags); act_ct_ext = nf_conn_act_ct_ext_find(ct); if (act_ct_ext) { 
@@ -411,26 +413,34 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - bool tcp = false; - - if ((ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || - !test_bit(IPS_ASSURED_BIT, &ct->status)) - return; + bool tcp = false, bidirectional = true; switch (nf_ct_protonum(ct)) { case IPPROTO_TCP: - tcp = true; - if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) return; + + tcp = true; break; case IPPROTO_UDP: + if (!nf_ct_is_confirmed(ct)) + return; + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) + bidirectional = false; break; #ifdef CONFIG_NF_CT_PROTO_GRE case IPPROTO_GRE: { struct nf_conntrack_tuple *tuple; - if (ct->status & IPS_NAT_MASK) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->status & IPS_NAT_MASK) return; + tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; /* No support for GRE v1 */ if (tuple->src.u.gre.key || tuple->dst.u.gre.key) @@ -446,7 +456,7 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, ct->status & IPS_SEQ_ADJUST) return; - tcf_ct_flow_table_add(ct_ft, ct, tcp); + tcf_ct_flow_table_add(ct_ft, ct, tcp, bidirectional); } static bool 
@@ -625,13 +635,27 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); ct = flow->ct; + if (dir == FLOW_OFFLOAD_DIR_REPLY && + !test_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags)) { + /* Only offload reply direction after connection became + * assured. + */ + if (test_bit(IPS_ASSURED_BIT, &ct->status)) + set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); + return false; + } + if (tcph && (unlikely(tcph->fin || tcph->rst))) { flow_offload_teardown(flow); return false; } - ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == FLOW_OFFLOAD_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; flow_offload_refresh(nf_ft, flow); nf_conntrack_get(&ct->ct_general);
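Review bot: In the tcf_ct_flow_table_process_conn() hunk, the IPPROTO_UDP case now requires only `nf_ct_is_confirmed(ct)`, so a UDP flow is added to the flow table without `IPS_ASSURED_BIT` and without any `ctinfo` check, while the ctinfo and assured tests that used to sit in front of the switch are copied into the TCP and GRE cases. Two requests: factor the repeated `(ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || !test_bit(IPS_ASSURED_BIT, &ct->status)` test into a helper so the TCP and GRE paths cannot drift apart, and add a comment in the UDP case stating that unassured entries are offloaded as unidirectional, since that is the behaviour the conntrack early-drop change later in the series has to compensate for.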
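Review bot: In the tcf_ct_flow_table_lookup() hunk, every reply-direction packet that hits a flow without NF_FLOW_HW_BIDIRECTIONAL executes `set_bit(NF_FLOW_HW_UPDATE, &flow->flags)` unconditionally before `return false`, which is an atomic write to shared flow state per packet until gc handles the update. Guarding it with `if (!test_bit(NF_FLOW_HW_UPDATE, &flow->flags))` avoids the repeated write. The in-code comment covers only the assured case; please also state there why the 'update' bit is set when the connection is not yet assured, as the commit message does.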
From: Vlad Buslov To: , , , CC: , , , , , , , , Vlad Buslov Subject: [PATCH net-next v2 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns Date: Fri, 13 Jan 2023 17:55:48 +0100 Message-ID: <20230113165548.2692720-8-vladbu@nvidia.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230113165548.2692720-1-vladbu@nvidia.com> References: <20230113165548.2692720-1-vladbu@nvidia.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DM6NAM11FT049:EE_|IA1PR12MB6235:EE_ X-MS-Office365-Filtering-Correlation-Id: 215b8433-3deb-44c1-ffc2-08daf5872f80 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230022)(4636009)(136003)(39860400002)(396003)(376002)(346002)(451199015)(46966006)(36840700001)(40470700004)(2906002)(107886003)(26005)(7696005)(478600001)(186003)(8676002)(40480700001)(83380400001)(2616005)(70586007)(110136005)(36756003)(1076003)(316002)(54906003)(336012)(70206006)(40460700003)(47076005)(426003)(4326008)(41300700001)(82740400003)(7416002)(7636003)(86362001)(36860700001)(82310400005)(8936002)(5660300002)(356005)(2101003);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2023 16:56:59.1313 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 215b8433-3deb-44c1-ffc2-08daf5872f80 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DM6NAM11FT049.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: 
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Both the synchronous early drop algorithm and the asynchronous gc worker completely ignore connections with the IPS_OFFLOAD_BIT status bit set. With the new functionality that enabled UDP NEW connection offload in action CT, a malicious user can flood the conntrack table with offloaded UDP connections by just sending a single packet per 5tuple, because such connections can no longer be deleted by the early drop algorithm.

To mitigate the issue, allow both early drop and gc to consider offloaded UDP connections for deletion.

Signed-off-by: Vlad Buslov
--- net/netfilter/nf_conntrack_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 496c4920505b..52b824a60176 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1374,9 +1374,6 @@ static unsigned int early_drop_list(struct net *net, hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) { tmp = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) - continue; - if (nf_ct_is_expired(tmp)) { nf_ct_gc_expired(tmp); continue; @@ -1446,11 +1443,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct) static bool gc_worker_can_early_drop(const struct nf_conn *ct) { const struct nf_conntrack_l4proto *l4proto; + u8 protonum = nf_ct_protonum(ct); + if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP) + return false; if (!test_bit(IPS_ASSURED_BIT, &ct->status)) return true; - l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); + l4proto = nf_ct_l4proto_find(protonum); if (l4proto->can_early_drop && l4proto->can_early_drop(ct)) return true;
@@ -1507,7 +1507,8 @@ static void gc_worker(struct work_struct *work) if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { nf_ct_offload_timeout(tmp); - continue; + if (!nf_conntrack_max95) + continue; } if (expired_count > GC_SCAN_EXPIRED_MAX) {
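Review bot: in the early_drop_list() hunk (@@ -1374), the IPS_OFFLOAD_BIT skip is removed for every protocol, although the commit message and the gc_worker_can_early_drop() hunk limit the change to UDP. With the check gone, offloaded entries of any protocol reach nf_ct_is_expired()/nf_ct_gc_expired() and the candidate selection that follows in the synchronous path. Either keep a protocol-qualified skip here, for example `if (test_bit(IPS_OFFLOAD_BIT, &tmp->status) && nf_ct_protonum(tmp) != IPPROTO_UDP) continue;`, or explain in the commit message why offloaded non-UDP entries are safe to consider at this point.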
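Review bot: in the gc_worker_can_early_drop() hunk (@@ -1446), the new test only changes the outcome for offloaded UDP entries that lack IPS_ASSURED_BIT; an assured offloaded UDP entry still falls through to `l4proto->can_early_drop && l4proto->can_early_drop(ct)`, so it stays undroppable unless the UDP l4proto supplies that callback. Please confirm this is the intended coverage for the flood described in the commit message. A short comment above the `protonum != IPPROTO_UDP` test saying why UDP alone is exempted from the offload rule would also help the next reader.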
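Review bot: in the gc_worker() hunk (@@ -1507), the fall-through past `continue` is gated only on nf_conntrack_max95, not on protocol, so once that condition holds every offloaded entry, not just UDP, runs through the rest of the loop body right after nf_ct_offload_timeout(tmp) has refreshed it. The protocol filter then lives solely in gc_worker_can_early_drop(), which makes any code between this block and that call operate on offloaded non-UDP entries as well. Consider testing the protocol here too, and add a comment stating what a zero nf_conntrack_max95 means at this point, since its definition is not part of the lines shown.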