From: Vlad Buslov
Subject: [PATCH net-next v3 1/7] net: flow_offload: provision conntrack info in ct_metadata
Date: Thu, 19 Jan 2023 20:50:58 +0100
Message-ID: <20230119195104.3371966-2-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

In order to offload connections in other states besides "established" the driver offload callbacks need to have access to connection conntrack info. Flow offload intermediate representation data structure already contains that data encoded in 'cookie' field, so just reuse it in the drivers.

Reject offloading IP_CT_NEW connections for now by returning an error in relevant driver callbacks based on value of ctinfo. Support for offloading such connections will need to be added to the drivers afterwards.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V2 -> V3:
    - Reuse existing meta action 'cookie' field to obtain ctinfo instead of introducing a new field as suggested by Marcelo.

    Changes V1 -> V2:
    - Add missing include that caused compilation errors on certain configs.
    - Change naming in nfp driver as suggested by Simon and Baowen.

 .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 +++-
 .../ethernet/netronome/nfp/flower/conntrack.c | 24 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index 313df8232db7..6774e441f490 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c @@ -1073,11 +1073,13 @@ mlx5_tc_ct_block_flow_offload_add(struct mlx5_ct_ft *ft, struct mlx5_tc_ct_priv *ct_priv = ft->ct_priv; struct flow_action_entry *meta_action; unsigned long cookie = flow->cookie; + enum ip_conntrack_info ctinfo; struct mlx5_ct_entry *entry; int err; meta_action = mlx5_tc_ct_get_ct_metadata_action(flow_rule); - if (!meta_action) + ctinfo = meta_action->ct_metadata.cookie & NFCT_INFOMASK; + if (!meta_action || ctinfo == IP_CT_NEW) return -EOPNOTSUPP; spin_lock_bh(&ct_priv->ht_lock); 
diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c index f693119541d5..d23830b5bcb8 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c @@ -1964,6 +1964,27 @@ int nfp_fl_ct_stats(struct flow_cls_offload *flow, return 0; } +static bool +nfp_fl_ct_offload_nft_supported(struct flow_cls_offload *flow) +{ + struct flow_rule *flow_rule = flow->rule; + struct flow_action *flow_action = + &flow_rule->action; + struct flow_action_entry *act; + int i; + + flow_action_for_each(i, act, flow_action) { + if (act->id == FLOW_ACTION_CT_METADATA) { + enum ip_conntrack_info ctinfo = + act->ct_metadata.cookie & NFCT_INFOMASK; + + return ctinfo != IP_CT_NEW; + } + } + + return false; +} + static int nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offload *flow) { 
@@ -1976,6 +1997,9 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offl extack = flow->common.extack; switch (flow->command) { case FLOW_CLS_REPLACE: + if (!nfp_fl_ct_offload_nft_supported(flow)) + return -EOPNOTSUPP; + /* Netfilter can request offload multiple times for the same * flow - protect against adding duplicates. */
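
Review bot: In the mlx5 tc_ct.c hunk of patch 1/7, the new `ctinfo = meta_action->ct_metadata.cookie & NFCT_INFOMASK;` dereferences meta_action one line before the `!meta_action` test, so a rule without a ct_metadata action now hits a NULL pointer dereference instead of returning -EOPNOTSUPP. Keep the original `if (!meta_action) return -EOPNOTSUPP;` first, then compute ctinfo and reject IP_CT_NEW in a second check.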
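
Review bot: nfp_fl_ct_offload_nft_supported(), added in the first nfp conntrack.c hunk of patch 1/7, falls through to `return false` when the rule carries no FLOW_ACTION_CT_METADATA entry, so such rules are rejected as well, which the commit message (it only mentions rejecting IP_CT_NEW) does not say. Add a short comment above the function stating both conditions, or note in the commit message that a missing metadata action is treated as unsupported.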
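
Review bot: The new -EOPNOTSUPP return under `case FLOW_CLS_REPLACE:` in nfp_fl_ct_offload_nft_flow() (second nfp hunk of patch 1/7) leaves extack untouched even though it is fetched just above with `extack = flow->common.extack;`. Setting a message there, for example with NL_SET_ERR_MSG_MOD(), would let the caller tell this rejection apart from other unsupported cases.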

From: Vlad Buslov
Subject: [PATCH net-next v3 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state
Date: Thu, 19 Jan 2023 20:50:59 +0100
Message-ID: <20230119195104.3371966-3-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Currently flow_offload_fixup_ct() function assumes that only replied UDP connections can be offloaded and hardcodes UDP_CT_REPLIED timeout value. To enable UDP NEW connection offload in following patches extract the actual connection state from ct->status and set the timeout according to it.

Signed-off-by: Vlad Buslov
---
 net/netfilter/nf_flow_table_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 81c26a96c30b..04bd0ed4d2ae 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -193,8 +193,11 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) timeout -= tn->offload_timeout; } else if (l4num == IPPROTO_UDP) { struct nf_udp_net *tn = nf_udp_pernet(net); + enum udp_conntrack state = + test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + UDP_CT_REPLIED : UDP_CT_UNREPLIED; - timeout = tn->timeouts[UDP_CT_REPLIED]; + timeout = tn->timeouts[state]; timeout -= tn->offload_timeout; } else { return;
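
Review bot: In the flow_offload_fixup_ct() hunk of patch 2/7, the unchanged `timeout -= tn->offload_timeout;` right after the new `timeout = tn->timeouts[state];` now also runs with the UDP_CT_UNREPLIED timeout. If that value is not larger than offload_timeout the result is zero or negative; please confirm the code following this branch clamps it, or clamp it here, and say so in the commit message.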

From: Vlad Buslov
Subject: [PATCH net-next v3 3/7] netfilter: flowtable: allow unidirectional rules
Date: Thu, 19 Jan 2023 20:51:00 +0100
Message-ID: <20230119195104.3371966-4-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Modify flow table offload to support unidirectional connections by extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only offload reply direction when the flag is set. This infrastructure change is necessary to support offloading UDP NEW connections in original direction in following patches in series.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V2 -> V3:
    - Fix error in commit message (spotted by Marcelo).

 include/net/netfilter/nf_flow_table.h | 1 +
 net/netfilter/nf_flow_table_offload.c | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index cd982f4a0f50..88ab98ab41d9 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -164,6 +164,7 @@ enum nf_flow_flags { NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, + NF_FLOW_HW_BIDIRECTIONAL, }; enum flow_offload_type { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d9b99abe37d..8b852f10fab4 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -895,8 +895,9 @@ static int flow_offload_rule_add(struct flow_offload_work *offload, ok_count += flow_offload_tuple_add(offload, flow_rule[0], FLOW_OFFLOAD_DIR_ORIGINAL); - ok_count += flow_offload_tuple_add(offload, flow_rule[1], - FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + ok_count += flow_offload_tuple_add(offload, flow_rule[1], + FLOW_OFFLOAD_DIR_REPLY); if (ok_count == 0) return -ENOENT; 
@@ -926,7 +927,8 @@ static void flow_offload_work_del(struct flow_offload_work *offload) { clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL); - flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags); } 
@@ -946,7 +948,9 @@ static void flow_offload_work_stats(struct flow_offload_work *offload) u64 lastused; flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]); - flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, + &stats[1]); lastused = max_t(u64, stats[0].lastused, stats[1].lastused); offload->flow->timeout = max_t(u64, offload->flow->timeout,
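
Review bot: In the flow_offload_rule_add() hunk of patch 3/7 the reply-direction rule is added only when NF_FLOW_HW_BIDIRECTIONAL is set, but nothing in this patch sets the new flag (the diffstat touches only nf_flow_table.h and nf_flow_table_offload.c). Applied on its own, the patch stops offloading the reply direction for existing users; set the flag for the current callers in the same patch so the series stays bisectable.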
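
Review bot: flow_offload_work_del() in patch 3/7 reads NF_FLOW_HW_BIDIRECTIONAL at delete time instead of recording what was installed at add time. If the flag can be set after an original-direction-only add, the delete path would issue a reply-direction delete for a rule that may never have been installed; a comment stating when the flag may change relative to the add would make the invariant reviewable.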
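
Review bot: In the flow_offload_work_stats() hunk of patch 3/7, stats[1] is no longer filled when the flag is clear, yet `lastused = max_t(u64, stats[0].lastused, stats[1].lastused);` just below still reads it. The declaration of stats is outside the hunk; confirm it is zero-initialised, otherwise lastused is computed from uninitialised stack data.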

From: Vlad Buslov
Subject: [PATCH net-next v3 4/7] netfilter: flowtable: allow updating offloaded rules asynchronously
Date: Thu, 19 Jan 2023 20:51:01 +0100
Message-ID: <20230119195104.3371966-5-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Following patches in series need to update flowtable rule several times during its lifetime in order to synchronize hardware offload with actual ct status. However, reusing existing 'refresh' logic in act_ct would cause data path to potentially schedule significant amount of spurious tasks in 'add' workqueue since it is executed per-packet. Instead, introduce a new flow 'update' flag and use it to schedule async flow refresh in flowtable gc which will only be executed once per gc iteration.

Signed-off-by: Vlad Buslov
---
 include/net/netfilter/nf_flow_table.h | 3 ++-
 net/netfilter/nf_flow_table_core.c | 20 +++++++++++++++-----
 net/netfilter/nf_flow_table_offload.c | 5 +++--
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 88ab98ab41d9..e396424e2e68 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -165,6 +165,7 @@ enum nf_flow_flags { NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, NF_FLOW_HW_BIDIRECTIONAL, + NF_FLOW_HW_UPDATE, }; enum flow_offload_type { @@ -300,7 +301,7 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, #define MODULE_ALIAS_NF_FLOWTABLE(family) \ MODULE_ALIAS("nf-flowtable-" __stringify(family)) -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow); void nf_flow_offload_del(struct nf_flowtable *flowtable, struct flow_offload *flow); diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 04bd0ed4d2ae..5b495e768655 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -316,21 +316,28 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) } EXPORT_SYMBOL_GPL(flow_offload_add); +static bool __flow_offload_refresh(struct nf_flowtable *flow_table, + struct flow_offload *flow) +{ + if (likely(!nf_flowtable_hw_offload(flow_table))) + return true; + + return nf_flow_offload_add(flow_table, flow); +} + void flow_offload_refresh(struct nf_flowtable *flow_table, struct flow_offload *flow) { u32 timeout; timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); - if (timeout - READ_ONCE(flow->timeout) > HZ) + if (timeout - READ_ONCE(flow->timeout) > HZ && + !test_bit(NF_FLOW_HW_UPDATE, &flow->flags)) WRITE_ONCE(flow->timeout, timeout); else return; - if (likely(!nf_flowtable_hw_offload(flow_table))) - return; - - nf_flow_offload_add(flow_table, flow); + __flow_offload_refresh(flow_table, flow); } EXPORT_SYMBOL_GPL(flow_offload_refresh); @@ -435,6 +442,9 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table, } else { flow_offload_del(flow_table, flow); } + } else if (test_and_clear_bit(NF_FLOW_HW_UPDATE, &flow->flags)) { + if (!__flow_offload_refresh(flow_table, flow)) + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); } else if (test_bit(NF_FLOW_HW, &flow->flags)) { nf_flow_offload_stats(flow_table, flow); } diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 8b852f10fab4..103b2ca8d123 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c 
@@ -1036,16 +1036,17 @@ nf_flow_offload_work_alloc(struct nf_flowtable *flowtable, } -void nf_flow_offload_add(struct nf_flowtable *flowtable, +bool nf_flow_offload_add(struct nf_flowtable *flowtable, struct flow_offload *flow) { struct flow_offload_work *offload; offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_REPLACE); if (!offload) - return; + return false; flow_offload_queue_work(offload); + return true; } void nf_flow_offload_del(struct nf_flowtable *flowtable,
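Review bot: in flow_offload_refresh() (net/netfilter/nf_flow_table_core.c), folding `!test_bit(NF_FLOW_HW_UPDATE, &flow->flags)` into the timeout condition sends a flow with a pending update down the `else return` path, so the data path stops writing flow->timeout until gc clears the bit. If that is intended, say so in a comment; otherwise keep the WRITE_ONCE() independent of the flag and skip only the offload call. The bool returned by __flow_offload_refresh() is also discarded here, so a failed allocation on this path stays silent.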
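Review bot: in nf_flow_offload_gc_step(), the new NF_FLOW_HW_UPDATE branch sits ahead of the `else if (test_bit(NF_FLOW_HW, &flow->flags))` branch, so a flow with a pending update skips nf_flow_offload_stats() for that gc pass, and if __flow_offload_refresh() keeps returning false the bit is set again on every pass and stats are never pulled for that flow. Consider bounding the retries or running the stats call in the same pass. The test_and_clear_bit() followed by set_bit() is not atomic as a pair; that looks harmless because the only possible outcome is the bit being set, but a one-line comment would save the next reader from re-deriving it.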
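Review bot: nf_flow_offload_add() in net/netfilter/nf_flow_table_offload.c now returns true as soon as flow_offload_queue_work() has been called, so a caller learns only that the work item was allocated and queued, not that the rule was installed. The gc caller leaves NF_FLOW_HW_UPDATE cleared on that basis. Please document the meaning of the return value at the prototype in nf_flow_table.h so later callers do not read true as "hardware is in sync".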

From patchwork Thu Jan 19 19:51:02 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13108745
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v3 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state
Date: Thu, 19 Jan 2023 20:51:02 +0100
Message-ID: <20230119195104.3371966-6-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
References: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Currently tcf_ct_flow_table_add_action_meta() function assumes that only established connections can be offloaded and always sets ctinfo to either IP_CT_ESTABLISHED or IP_CT_ESTABLISHED_REPLY strictly based on direction without checking actual connection state. To enable UDP NEW connection offload set the ctinfo and metadata cookie based on ct->status value.

Signed-off-by: Vlad Buslov
--- net/sched/act_ct.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 0ca2bb8ed026..52e392de05a4 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c
@@ -182,8 +182,11 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) entry->ct_metadata.mark = READ_ONCE(ct->mark); #endif - ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == IP_CT_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL;
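Review bot: in tcf_ct_flow_table_add_action_meta(), ctinfo now comes from a single test_bit(IPS_SEEN_REPLY_BIT, &ct->status) sample and is baked into `entry->ct_metadata.cookie`, so a rule built before the first reply keeps reporting IP_CT_NEW for original-direction packets until the rule is rebuilt. Consumers of the cookie that distinguish new from established state will see that stale value. Please state in a comment above the test what triggers the rebuild (the NF_FLOW_HW_UPDATE path added earlier in this series) and whether a stale IP_CT_NEW is acceptable in the meantime.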

From patchwork Thu Jan 19 19:51:03 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13108746
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v3 6/7] net/sched: act_ct: offload UDP NEW connections
Date: Thu, 19 Jan 2023 20:51:03 +0100
Message-ID: <20230119195104.3371966-7-vladbu@nvidia.com>
In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com>
References: <20230119195104.3371966-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

When processing connections allow offloading of UDP connections that don't have IPS_ASSURED_BIT set as unidirectional. When performing table lookup for reply packets check the current connection status: If UDP unidirectional connection became assured also promote the corresponding flow table entry to bidirectional and set the 'update' bit, else just set the 'update' bit since reply directional traffic will most likely cause connection status to become 'established' which requires updating the offload state.

Signed-off-by: Vlad Buslov
--- net/sched/act_ct.c | 48 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 52e392de05a4..dca492eb0e22 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -368,7 +368,7 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, - bool tcp) + bool tcp, bool bidirectional) { struct nf_conn_act_ct_ext *act_ct_ext; struct flow_offload *entry; @@ -387,6 +387,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; } + if (bidirectional) + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags); act_ct_ext = nf_conn_act_ct_ext_find(ct); if (act_ct_ext) {
@@ -410,26 +412,34 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - bool tcp = false; - - if ((ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || - !test_bit(IPS_ASSURED_BIT, &ct->status)) - return; + bool tcp = false, bidirectional = true; switch (nf_ct_protonum(ct)) { case IPPROTO_TCP: - tcp = true; - if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) return; + + tcp = true; break; case IPPROTO_UDP: + if (!nf_ct_is_confirmed(ct)) + return; + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) + bidirectional = false; break; #ifdef CONFIG_NF_CT_PROTO_GRE case IPPROTO_GRE: { struct nf_conntrack_tuple *tuple; - if (ct->status & IPS_NAT_MASK) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->status & IPS_NAT_MASK) return; + tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; /* No support for GRE v1 */ if (tuple->src.u.gre.key || tuple->dst.u.gre.key) @@ -445,7 +455,7 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, ct->status & IPS_SEQ_ADJUST) return; - tcf_ct_flow_table_add(ct_ft, ct, tcp); + tcf_ct_flow_table_add(ct_ft, ct, tcp, bidirectional); } static bool 
@@ -624,13 +634,27 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); ct = flow->ct; + if (dir == FLOW_OFFLOAD_DIR_REPLY && + !test_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags)) { + /* Only offload reply direction after connection became + * assured. + */ + if (test_bit(IPS_ASSURED_BIT, &ct->status)) + set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + set_bit(NF_FLOW_HW_UPDATE, &flow->flags); + return false; + } + if (tcph && (unlikely(tcph->fin || tcph->rst))) { flow_offload_teardown(flow); return false; } - ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == FLOW_OFFLOAD_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; flow_offload_refresh(nf_ft, flow); nf_conntrack_get(&ct->ct_general);
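Review bot: `__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags)` in tcf_ct_flow_table_add() is the non-atomic variant, while the lookup path in this same patch uses set_bit() on the same flags word. That is only safe while the entry is not yet reachable from other CPUs. Add a comment stating that the flag is written before the entry is inserted into the table, or use set_bit() so the two sites match.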
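Review bot: in tcf_ct_flow_table_process_conn(), moving the ctinfo and IPS_ASSURED_BIT checks into the IPPROTO_TCP and IPPROTO_GRE cases leaves the IPPROTO_UDP case gated only by nf_ct_is_confirmed(), so UDP entries with any ctinfo value, including the related states, now reach tcf_ct_flow_table_add(). If only IP_CT_NEW and the two established values are meant to be offloaded, test ctinfo explicitly in the UDP case. This is also the point where a single unreplied datagram becomes enough to create a flow table entry, which deserves a comment pointing at the early-drop change later in the series.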
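Review bot: in tcf_ct_flow_table_lookup(), the new reply-direction block calls set_bit(NF_FLOW_HW_UPDATE, &flow->flags) for every reply packet that hits a unidirectional flow, which is an atomic read-modify-write on a shared word in the per-packet path. Guard it with `if (!test_bit(NF_FLOW_HW_UPDATE, &flow->flags))` so the write happens at most once between gc passes. The block also returns before the fin/rst check and before flow_offload_refresh(), which is worth a sentence in the comment. Separately, the IPS_SEEN_REPLY_BIT ternary at the end of the hunk duplicates the one added to tcf_ct_flow_table_add_action_meta() in the previous patch; a small shared helper would keep the two in step.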
2023 11:52:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AD2cFSom8jiF1XLBYtxwqyAYknw/xq8ssvsWR2eD/FeKJJwYyTMOO5s1/DyQTJnIHfB68ub7vJOnScLdGZy+Ry972E8POKDoE8sLqL+jfyjPsDy7aUhhmAHGdVMl84vVRq0xHWMxYZsqUOw8NZKV6ZApphCKzDiSH9A9YoXgLzvrAS4TF52idULa9chf6fVwO7AKFpku2uQzezHsAnC+aV4ncytfRK4/p78vVjGY1v/n8LF3jNuYB9WtBrR4bt1Cn62GQV6FK3QiNZKfwYdQ00LwYbinKqs3MbPizrpdavchZ1HXqoy6DBS53soQyWgS5YZJi7NwBukFeYL93Zi+cQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=JLcQDuTm7f0BQbsr+DZXqTDP8Fsw23ph80Ixl7U15/8=; b=ilmVo4QzqWfvAkuEUr758AGgJnIZPdF3FfkFyrC993SYmStv48LFdS69xW8k4q6ISdrkw48Mez9FvsGoImmHc3RnC2qXK3+BG9PzTi6v+YmY8hd3Ol2XsEc6GcGziNLo3ksrYct6g5fAal7ukcOWn7PNzHpO7ba7zjKzE5fZSJY0RS6xe7GO838Ba84p+yDW8SV5ZMjnWR2CDwjGqz9ROOwPtZneQedX8dMDU2UwWdqXuXAR2cbsE91PDQqE5JJUY/8Gckgbzb3s9pXX2fHYFPrVdNr5luuLguzDmAIK+cyOxeoD4IbJjGa03D+ni238w9y7oXrJw7UByR3OvyeoBQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=davemloft.net smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JLcQDuTm7f0BQbsr+DZXqTDP8Fsw23ph80Ixl7U15/8=; b=WC9vUY1EWguxWjrZPpVa0VrlmxEPAjuuoGcwNkYigvkOG7dV9xxV2fftkAxzysGLYFebZ1+QovmLGpCES4ZOTMkWEAJAW/MQpzxDgFDHoNzHYicmbirsjyz4MOHRq5/qNIWE32/rt8xmCjM24TV+V5/tYTU+CHo9DQJ75y84jKq29w05KqYHxXk11lhZk4e0H0SCkvACvR43KDCtmSD/YiSIdu6uNv0Gt0vKB93XUAyoIm7Oqh6WUUncthncPzWoczoE2EZEvG8GGVSFq4OZdM+WScdTVGPDvigY7Cj9k9gh5dYsM3AixzMyLom7p1C8bzWQ7+U1qCz5EVhe5jH3GA== Received: from 
BN0PR04CA0084.namprd04.prod.outlook.com (2603:10b6:408:ea::29) by PH7PR12MB7305.namprd12.prod.outlook.com (2603:10b6:510:209::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.23; Thu, 19 Jan 2023 19:52:07 +0000 Received: from BN8NAM11FT013.eop-nam11.prod.protection.outlook.com (2603:10b6:408:ea:cafe::9d) by BN0PR04CA0084.outlook.office365.com (2603:10b6:408:ea::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.26 via Frontend Transport; Thu, 19 Jan 2023 19:52:06 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by BN8NAM11FT013.mail.protection.outlook.com (10.13.176.182) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.24 via Frontend Transport; Thu, 19 Jan 2023 19:52:06 +0000 Received: from rnnvmail203.nvidia.com (10.129.68.9) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Thu, 19 Jan 2023 11:51:49 -0800 Received: from rnnvmail202.nvidia.com (10.129.68.7) by rnnvmail203.nvidia.com (10.129.68.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Thu, 19 Jan 2023 11:51:48 -0800 Received: from vdi.nvidia.com (10.127.8.14) by mail.nvidia.com (10.129.68.7) with Microsoft SMTP Server id 15.2.986.36 via Frontend Transport; Thu, 19 Jan 2023 11:51:45 -0800 
From: Vlad Buslov To: , , , CC: , , , , , , , , Vlad Buslov Subject: [PATCH net-next v3 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns Date: Thu, 19 Jan 2023 20:51:04 +0100 Message-ID: <20230119195104.3371966-8-vladbu@nvidia.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20230119195104.3371966-1-vladbu@nvidia.com> References: <20230119195104.3371966-1-vladbu@nvidia.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BN8NAM11FT013:EE_|PH7PR12MB7305:EE_ X-MS-Office365-Filtering-Correlation-Id: 65938be8-7ee6-43e9-9c17-08dafa56a4a1 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230022)(4636009)(39860400002)(376002)(396003)(136003)(346002)(451199015)(46966006)(40470700004)(36840700001)(7696005)(70206006)(107886003)(41300700001)(426003)(47076005)(8936002)(36860700001)(2906002)(36756003)(8676002)(4326008)(70586007)(7416002)(186003)(316002)(26005)(6666004)(478600001)(1076003)(40460700003)(5660300002)(82310400005)(356005)(336012)(54906003)(7636003)(83380400001)(82740400003)(110136005)(2616005)(86362001)(40480700001)(2101003);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jan 2023 19:52:06.0501 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 65938be8-7ee6-43e9-9c17-08dafa56a4a1 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: BN8NAM11FT013.eop-nam11.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous 
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Both the synchronous early drop algorithm and the asynchronous gc worker completely ignore connections with the IPS_OFFLOAD_BIT status bit set. With the new functionality that enabled UDP NEW connection offload in action CT, a malicious user can flood the conntrack table with offloaded UDP connections by just sending a single packet per 5tuple, because such connections can no longer be deleted by the early drop algorithm.

To mitigate the issue, allow both early drop and gc to consider offloaded UDP connections for deletion.

Signed-off-by: Vlad Buslov
--- net/netfilter/nf_conntrack_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 496c4920505b..52b824a60176 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1374,9 +1374,6 @@ static unsigned int early_drop_list(struct net *net, hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) { tmp = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) - continue; - if (nf_ct_is_expired(tmp)) { nf_ct_gc_expired(tmp); continue; @@ -1446,11 +1443,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct) static bool gc_worker_can_early_drop(const struct nf_conn *ct) { const struct nf_conntrack_l4proto *l4proto; + u8 protonum = nf_ct_protonum(ct); + if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP) + return false; if (!test_bit(IPS_ASSURED_BIT, &ct->status)) return true; - l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); + l4proto = nf_ct_l4proto_find(protonum); if (l4proto->can_early_drop && l4proto->can_early_drop(ct)) return true; 
@@ -1507,7 +1507,8 @@ static void gc_worker(struct work_struct *work) if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { nf_ct_offload_timeout(tmp); - continue; + if (!nf_conntrack_max95) + continue; } if (expired_count > GC_SCAN_EXPIRED_MAX) {
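Review bot: In the early_drop_list hunk, the IPS_OFFLOAD_BIT skip is removed for every protocol, while the commit message and the gc_worker_can_early_drop hunk limit the change to UDP. After this hunk an offloaded entry of any protocol reaches nf_ct_is_expired() and whatever drop logic follows it. Either keep the skip for non-UDP entries here, mirroring the protonum != IPPROTO_UDP condition used in gc_worker_can_early_drop, or state in the commit message why the synchronous path does not need the protocol filter.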
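Review bot: In the gc_worker_can_early_drop hunk, the new IPS_OFFLOAD_BIT test has no comment saying why UDP alone is exempt, and for an offloaded UDP entry with IPS_ASSURED_BIT set the result still depends on l4proto->can_early_drop being provided for UDP. A one-line comment above the test naming the single-packet flood case from the commit message, plus a sentence on whether assured offloaded UDP entries are meant to be droppable, would make the intent checkable.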
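Review bot: In the gc_worker hunk, replacing the unconditional continue with if (!nf_conntrack_max95) continue; lets every offloaded entry, not only UDP, fall through to the rest of the loop body when nf_conntrack_max95 is non-zero, immediately after nf_ct_offload_timeout(tmp) has run on it. The protocol filter exists only in gc_worker_can_early_drop, so please confirm that nothing between this point and that call acts on an offloaded non-UDP entry, and add a short comment here saying the fall-through exists only so the entry can be considered for early drop.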