From patchwork Wed Feb 1 16:30:54 2023
X-Patchwork-Submitter: Vlad Buslov
X-Patchwork-Id: 13124690
X-Patchwork-Delegate: kuba@kernel.org
From: Vlad Buslov
Subject: [PATCH net-next v6 1/7] net: flow_offload: provision conntrack info in ct_metadata
Date: Wed, 1 Feb 2023 17:30:54 +0100
Message-ID: <20230201163100.1001180-2-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

In order to offload connections in other states besides "established" the
driver offload callbacks need to have access to connection conntrack info.
Flow offload intermediate representation data structure already contains
that data encoded in 'cookie' field, so just reuse it in the drivers.

Reject offloading IP_CT_NEW connections for now by returning an error in
relevant driver callbacks based on value of ctinfo. Support for offloading
such connections will need to be added to the drivers afterwards.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V3 -> V4:

    - Only obtain ctinfo in mlx5 after checking the meta action pointer.

    Changes V2 -> V3:

    - Reuse existing meta action 'cookie' field to obtain ctinfo instead of
    introducing a new field as suggested by Marcelo.

    Changes V1 -> V2:

    - Add missing include that caused compilation errors on certain configs.

    - Change naming in nfp driver as suggested by Simon and Baowen.

 .../ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 ++++
 .../ethernet/netronome/nfp/flower/conntrack.c | 24 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c index 313df8232db7..193562c14c44 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c 
@@ -1073,12 +1073,16 @@ mlx5_tc_ct_block_flow_offload_add(struct mlx5_ct_ft *ft, struct mlx5_tc_ct_priv *ct_priv = ft->ct_priv; struct flow_action_entry *meta_action; unsigned long cookie = flow->cookie; + enum ip_conntrack_info ctinfo; struct mlx5_ct_entry *entry; int err; meta_action = mlx5_tc_ct_get_ct_metadata_action(flow_rule); if (!meta_action) return -EOPNOTSUPP; + ctinfo = meta_action->ct_metadata.cookie & NFCT_INFOMASK; + if (ctinfo == IP_CT_NEW) + return -EOPNOTSUPP; spin_lock_bh(&ct_priv->ht_lock); entry = rhashtable_lookup_fast(&ft->ct_entries_ht, &cookie, cts_ht_params); diff --git a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c index f693119541d5..d23830b5bcb8 100644 --- a/drivers/net/ethernet/netronome/nfp/flower/conntrack.c +++ b/drivers/net/ethernet/netronome/nfp/flower/conntrack.c @@ -1964,6 +1964,27 @@ int nfp_fl_ct_stats(struct flow_cls_offload *flow, return 0; } +static bool +nfp_fl_ct_offload_nft_supported(struct flow_cls_offload *flow) +{ + struct flow_rule *flow_rule = flow->rule; + struct flow_action *flow_action = + &flow_rule->action; + struct flow_action_entry *act; + int i; + + flow_action_for_each(i, act, flow_action) { + if (act->id == FLOW_ACTION_CT_METADATA) { + enum ip_conntrack_info ctinfo = + act->ct_metadata.cookie & NFCT_INFOMASK; + + return ctinfo != IP_CT_NEW; + } + } + + return false; +} + static int nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offload *flow) { 
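Review bot: In nfp_fl_ct_offload_nft_supported(), "return ctinfo != IP_CT_NEW;" is a one-value denylist, so any other value that survives the NFCT_INFOMASK mask (IP_CT_RELATED, IP_CT_RELATED_REPLY, or a bit pattern outside the enum) is reported as supported. The commit message frames "established" as the only state offloaded so far, so an allowlist such as "return ctinfo == IP_CT_ESTABLISHED || ctinfo == IP_CT_ESTABLISHED_REPLY;" would keep the check fail-closed, in line with the "return false" fallthrough for rules that carry no FLOW_ACTION_CT_METADATA entry. The same applies to the "if (ctinfo == IP_CT_NEW)" test in the mlx5 hunk above.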
@@ -1976,6 +1997,9 @@ nfp_fl_ct_offload_nft_flow(struct nfp_fl_ct_zone_entry *zt, struct flow_cls_offl extack = flow->common.extack; switch (flow->command) { case FLOW_CLS_REPLACE: + if (!nfp_fl_ct_offload_nft_supported(flow)) + return -EOPNOTSUPP; + /* Netfilter can request offload multiple times for the same * flow - protect against adding duplicates. */
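Review bot: The new rejection under "case FLOW_CLS_REPLACE:" returns -EOPNOTSUPP without recording a reason, although "extack = flow->common.extack;" is assigned in the context line just above it. Adding an NL_SET_ERR_MSG_MOD(extack, ...) before the return would let a caller that supplies extack tell this deliberate "ct state not supported" refusal apart from the other -EOPNOTSUPP paths.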

From: Vlad Buslov
Subject: [PATCH net-next v6 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state
Date: Wed, 1 Feb 2023 17:30:55 +0100
Message-ID: <20230201163100.1001180-3-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Currently flow_offload_fixup_ct() function assumes that only replied UDP
connections can be offloaded and hardcodes UDP_CT_REPLIED timeout value. To
enable UDP NEW connection offload in following patches extract the actual
connections state from ct->status and set the timeout according to it.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V5 -> V6:

    - Revert the patch to V2 version. Pablo is going to fix the issue of
    netfilter's flow table not updating ct->status flags.

    Changes V3 -> V4:

    - Rework the patch to decouple netfilter and act_ct timeout fixup
    algorithms.

 net/netfilter/nf_flow_table_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 81c26a96c30b..04bd0ed4d2ae 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c 
@@ -193,8 +193,11 @@ static void flow_offload_fixup_ct(struct nf_conn *ct) timeout -= tn->offload_timeout; } else if (l4num == IPPROTO_UDP) { struct nf_udp_net *tn = nf_udp_pernet(net); + enum udp_conntrack state = + test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + UDP_CT_REPLIED : UDP_CT_UNREPLIED; - timeout = tn->timeouts[UDP_CT_REPLIED]; + timeout = tn->timeouts[state]; timeout -= tn->offload_timeout; } else { return;
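Review bot: The "test_bit(IPS_SEEN_REPLY_BIT, &ct->status)" selection is only as good as ct->status at the time flow_offload_fixup_ct() runs, and the V6 changelog says the flow table does not yet update those flags. Until that fix lands, a flow whose replies were only seen while it was offloaded could be handed back with the UDP_CT_UNREPLIED timeout, so a comment at the "enum udp_conntrack state" declaration recording that dependency would help. It is also worth confirming that the result of "timeout -= tn->offload_timeout;" is clamped after this block, now that the value being reduced varies with state.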

From: Vlad Buslov
Subject: [PATCH net-next v6 3/7] netfilter: flowtable: allow unidirectional rules
Date: Wed, 1 Feb 2023 17:30:56 +0100
Message-ID: <20230201163100.1001180-4-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org

Modify flow table offload to support unidirectional connections by
extending enum nf_flow_flags with new "NF_FLOW_HW_BIDIRECTIONAL" flag. Only
offload reply direction when the flag is set. This infrastructure change is
necessary to support offloading UDP NEW connections in original direction
in following patches in series.

Signed-off-by: Vlad Buslov
---

Notes:
    Changes V2 -> V3:

    - Fix error in commit message (spotted by Marcelo).

 include/net/netfilter/nf_flow_table.h | 1 +
 net/netfilter/nf_flow_table_offload.c | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index cd982f4a0f50..88ab98ab41d9 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -164,6 +164,7 @@ enum nf_flow_flags { NF_FLOW_HW_DYING, NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, + NF_FLOW_HW_BIDIRECTIONAL, }; enum flow_offload_type { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 4d9b99abe37d..8b852f10fab4 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -895,8 +895,9 @@ static int flow_offload_rule_add(struct flow_offload_work *offload, ok_count += flow_offload_tuple_add(offload, flow_rule[0], FLOW_OFFLOAD_DIR_ORIGINAL); - ok_count += flow_offload_tuple_add(offload, flow_rule[1], - FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + ok_count += flow_offload_tuple_add(offload, flow_rule[1], + FLOW_OFFLOAD_DIR_REPLY); if (ok_count == 0) return -ENOENT; 
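Review bot: Nothing in this patch sets NF_FLOW_HW_BIDIRECTIONAL; the two files in the diffstat only add the enum value and test it. From this commit until a later one sets the bit, flow_offload_rule_add() therefore never installs the FLOW_OFFLOAD_DIR_REPLY rule for any flow, including the bidirectional flows that were offloaded in both directions before. Setting the flag for the existing users in this same patch would keep the series bisectable and avoid a window in which reply traffic silently stays on the software path.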
@@ -926,7 +927,8 @@ static void flow_offload_work_del(struct flow_offload_work *offload) { clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL); - flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY); set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags); } 
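Review bot: flow_offload_work_del() re-tests NF_FLOW_HW_BIDIRECTIONAL at teardown instead of recording which directions flow_offload_rule_add() actually installed. If the bit can be set after a flow was first offloaded in the original direction only, which is the 'new' to 'established' promotion the later patches in the series describe, this path would request deletion of a FLOW_OFFLOAD_DIR_REPLY rule that was never added. A comment stating when the flag may change, or tracking the installed directions separately, would make the add and delete paths symmetric by construction.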
@@ -946,7 +948,9 @@ static void flow_offload_work_stats(struct flow_offload_work *offload) u64 lastused; flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]); - flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]); + if (test_bit(NF_FLOW_HW_BIDIRECTIONAL, &offload->flow->flags)) + flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, + &stats[1]); lastused = max_t(u64, stats[0].lastused, stats[1].lastused); offload->flow->timeout = max_t(u64, offload->flow->timeout,
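Review bot: With the reply-direction call now conditional, stats[1] is written only when NF_FLOW_HW_BIDIRECTIONAL is set, but "lastused = max_t(u64, stats[0].lastused, stats[1].lastused);" still reads it unconditionally. The declaration of stats is outside the visible context, so please confirm it is zero-initialised; otherwise a unidirectional flow would fold uninitialised stack data into lastused and from there into offload->flow->timeout.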
From: Vlad Buslov
Subject: [PATCH net-next v6 4/7] netfilter: flowtable: cache info of last offload
Date: Wed, 1 Feb 2023 17:30:57 +0100
Message-ID: <20230201163100.1001180-5-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Modify flow table offload to cache the last ct info status that was passed to the driver offload callbacks by extending enum nf_flow_flags with new "NF_FLOW_HW_ESTABLISHED" flag. Set the flag if ctinfo was 'established' during last act_ct meta actions fill call.

This infrastructure change is necessary to optimize promoting of UDP connections from 'new' to 'established' in following patches in this series.

Signed-off-by: Vlad Buslov --- Notes: Changes V5 -> V6: - Rework the patch to only set flow_offload NF_FLOW_HW_ESTABLISHED flag instead of caching whole ctinfo in dedicated field. Changes V3 -> V4: - New patch replaces gc async update that is no longer needed after refactoring of following act_ct patches. include/net/netfilter/nf_flow_table.h | 7 ++++--- net/netfilter/nf_flow_table_inet.c | 2 +- net/netfilter/nf_flow_table_offload.c | 6 +++--- net/sched/act_ct.c | 12 +++++++----- 4 files changed, 15 insertions(+), 12 deletions(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index 88ab98ab41d9..ebb28ec5b6fa 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -57,7 +57,7 @@ struct nf_flowtable_type { struct net_device *dev, enum flow_block_command cmd); int (*action)(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); void (*free)(struct nf_flowtable *ft); @@ -165,6 +165,7 @@ enum nf_flow_flags { NF_FLOW_HW_DEAD, NF_FLOW_HW_PENDING, NF_FLOW_HW_BIDIRECTIONAL, + NF_FLOW_HW_ESTABLISHED, }; enum flow_offload_type { @@ -313,10 +314,10 @@ void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, struct net_device *dev, enum flow_block_command cmd); -int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); -int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule); diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c index 0ccabf3fa6aa..9505f9d188ff 100644 
--- a/net/netfilter/nf_flow_table_inet.c +++ b/net/netfilter/nf_flow_table_inet.c @@ -39,7 +39,7 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, } static int nf_flow_rule_route_inet(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c index 8b852f10fab4..1c26f03fc661 100644 --- a/net/netfilter/nf_flow_table_offload.c +++ b/net/netfilter/nf_flow_table_offload.c @@ -679,7 +679,7 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow, return 0; } -int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { @@ -704,7 +704,7 @@ int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, } EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv4); -int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, +int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow, enum flow_offload_tuple_dir dir, struct nf_flow_rule *flow_rule) { @@ -735,7 +735,7 @@ nf_flow_offload_rule_alloc(struct net *net, { const struct nf_flowtable *flowtable = offload->flowtable; const struct flow_offload_tuple *tuple, *other_tuple; - const struct flow_offload *flow = offload->flow; + struct flow_offload *flow = offload->flow; struct dst_entry *other_dst = NULL; struct nf_flow_rule *flow_rule; int err = -ENOMEM; diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 0ca2bb8ed026..5837f6258b17 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c 
@@ -170,11 +170,11 @@ tcf_ct_flow_table_add_action_nat_udp(const struct nf_conntrack_tuple *tuple, static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, enum ip_conntrack_dir dir, + enum ip_conntrack_info ctinfo, struct flow_action *action) { struct nf_conn_labels *ct_labels; struct flow_action_entry *entry; - enum ip_conntrack_info ctinfo; u32 *act_ct_labels; entry = tcf_ct_flow_table_flow_action_get_next(action); @@ -182,8 +182,6 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) entry->ct_metadata.mark = READ_ONCE(ct->mark); #endif - ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; /* aligns with the CT reference on the SKB nf_ct_set */ entry->ct_metadata.cookie = (unsigned long)ct | ctinfo; entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL; @@ -237,22 +235,26 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net, } static int tcf_ct_flow_table_fill_actions(struct net *net, - const struct flow_offload *flow, + struct flow_offload *flow, enum flow_offload_tuple_dir tdir, struct nf_flow_rule *flow_rule) { struct flow_action *action = &flow_rule->rule->action; int num_entries = action->num_entries; struct nf_conn *ct = flow->ct; + enum ip_conntrack_info ctinfo; enum ip_conntrack_dir dir; int i, err; switch (tdir) { case FLOW_OFFLOAD_DIR_ORIGINAL: dir = IP_CT_DIR_ORIGINAL; + ctinfo = IP_CT_ESTABLISHED; + set_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags); break; case FLOW_OFFLOAD_DIR_REPLY: dir = IP_CT_DIR_REPLY; + ctinfo = IP_CT_ESTABLISHED_REPLY; break; default: return -EOPNOTSUPP; 
@@ -262,7 +264,7 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, if (err) goto err_nat; - tcf_ct_flow_table_add_action_meta(ct, dir, action); + tcf_ct_flow_table_add_action_meta(ct, dir, ctinfo, action); return 0; err_nat:
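Review bot: The const qualifier is dropped from the flow argument of the nf_flowtable_type action callback and from nf_flow_rule_route_ipv4(), nf_flow_rule_route_ipv6(), nf_flow_rule_route_inet() and nf_flow_offload_rule_alloc(), yet in the visible hunks only tcf_ct_flow_table_fill_actions() writes to the flow (nf_flow_rule_route_common() keeps its const). The callback contract in include/net/netfilter/nf_flow_table.h now lets any action implementation modify flow->flags from the offload path, which deserves a comment at the callback declaration. The new NF_FLOW_HW_ESTABLISHED enumerator is also undocumented: a one-line comment saying that act_ct sets it when the original-direction rule was filled with an established ctinfo, and that nothing in this patch clears it, would save the next reader from having to find that in act_ct.c.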
From: Vlad Buslov
Subject: [PATCH net-next v6 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state
Date: Wed, 1 Feb 2023 17:30:58 +0100
Message-ID: <20230201163100.1001180-6-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Patchwork-Delegate: kuba@kernel.org

Currently tcf_ct_flow_table_fill_actions() function assumes that only established connections can be offloaded and always sets ctinfo to either IP_CT_ESTABLISHED or IP_CT_ESTABLISHED_REPLY strictly based on direction without checking actual connection state. To enable UDP NEW connection offload set the ctinfo, metadata cookie and NF_FLOW_HW_ESTABLISHED flow_offload flags bit based on ct->status value.

Signed-off-by: Vlad Buslov --- Notes: Changes V5 -> V6: - Update to use flow_offload NF_FLOW_HW_ESTABLISHED bit instead of ext_data pointer. net/sched/act_ct.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 5837f6258b17..4dad7bf64b14 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c
@@ -249,8 +249,10 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, switch (tdir) { case FLOW_OFFLOAD_DIR_ORIGINAL: dir = IP_CT_DIR_ORIGINAL; - ctinfo = IP_CT_ESTABLISHED; - set_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags); + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + if (ctinfo == IP_CT_ESTABLISHED) + set_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags); break; case FLOW_OFFLOAD_DIR_REPLY: dir = IP_CT_DIR_REPLY;
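Review bot: The new ternary in the FLOW_OFFLOAD_DIR_ORIGINAL case samples IPS_SEEN_REPLY_BIT once, at fill time, and that single read decides whether the original-direction rule carries IP_CT_NEW or IP_CT_ESTABLISHED in ct_metadata.cookie, with no comment explaining the choice. Please add a comment stating that a rule filled as IP_CT_NEW is only corrected by a later refill, and that NF_FLOW_HW_ESTABLISHED is a one-way marker (it is set here and never cleared in the visible code), so a reader can tell the stale-state window is intended. The `if (ctinfo == IP_CT_ESTABLISHED)` test re-derives what test_bit() just returned; keeping the test_bit() result in a local bool and using it for both the ctinfo choice and the set_bit() would read more directly.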
From: Vlad Buslov
Subject: [PATCH net-next v6 6/7] net/sched: act_ct: offload UDP NEW connections
Date: Wed, 1 Feb 2023 17:30:59 +0100
Message-ID: <20230201163100.1001180-7-vladbu@nvidia.com>
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Patchwork-Delegate: kuba@kernel.org

Modify the offload algorithm of UDP connections to the following:

- Offload NEW connection as unidirectional.

- When connection state changes to ESTABLISHED also update the hardware flow. However, in order to prevent act_ct from spamming offload add wq for every packet coming in reply direction in this state verify whether connection has already been updated to ESTABLISHED in the drivers. If that is the case, then skip flow_table and let conntrack handle such packets which will also allow conntrack to potentially promote the connection to ASSURED.

- When connection state changes to ASSURED set the flow_table flow NF_FLOW_HW_BIDIRECTIONAL flag which will cause refresh mechanism to offload the reply direction.

All other protocols have their offload algorithm preserved and are always offloaded as bidirectional.

Note that this change tries to minimize the load on flow_table add workqueue. First, it tracks the last ctinfo that was offloaded by using new flow 'NF_FLOW_HW_ESTABLISHED' flag and doesn't schedule the refresh for reply direction packets when the offloads have already been updated with current ctinfo. Second, when 'add' task executes on workqueue it always updates the offload with current flow state (by checking 'bidirectional' flow flag and obtaining actual ctinfo/cookie through meta action instead of caching any of these from the moment of scheduling the 'add' work) preventing the need for scheduling more updates if state changed concurrently while the 'add' work was pending on workqueue.

Signed-off-by: Vlad Buslov --- Notes: Changes V5 -> V6: - Use NF_FLOW_HW_ESTABLISHED bit instead of ext_data pointer to determine the ctinfo of last offload call. Changes V4 -> V5: - Make clang happy. Changes V3 -> V4: - Refactor the patch to leverage the refresh code and new flow 'ext_data' field in order to change the offload state instead of relying on async gc update. net/sched/act_ct.c | 51 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 4dad7bf64b14..38095524d98b 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -369,7 +369,7 @@ static void tcf_ct_flow_tc_ifidx(struct flow_offload *entry, static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, - bool tcp) + bool tcp, bool bidirectional) { struct nf_conn_act_ct_ext *act_ct_ext; struct flow_offload *entry; @@ -388,6 +388,8 @@ static void tcf_ct_flow_table_add(struct tcf_ct_flow_table *ct_ft, ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL; } + if (bidirectional) + __set_bit(NF_FLOW_HW_BIDIRECTIONAL, &entry->flags); act_ct_ext = nf_conn_act_ct_ext_find(ct); if (act_ct_ext) { 
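Review bot: tcf_ct_flow_table_add() sets NF_FLOW_HW_BIDIRECTIONAL with the non-atomic __set_bit(), while the lookup path later in this same patch uses set_bit() on the same flags word. If the non-atomic form is safe because entry has not been published to other CPUs at this point, say so in a comment next to the `if (bidirectional)` test; otherwise use set_bit() here as well.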
@@ -411,26 +413,34 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, struct nf_conn *ct, enum ip_conntrack_info ctinfo) { - bool tcp = false; - - if ((ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY) || - !test_bit(IPS_ASSURED_BIT, &ct->status)) - return; + bool tcp = false, bidirectional = true; switch (nf_ct_protonum(ct)) { case IPPROTO_TCP: - tcp = true; - if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED) return; + + tcp = true; break; case IPPROTO_UDP: + if (!nf_ct_is_confirmed(ct)) + return; + if (!test_bit(IPS_ASSURED_BIT, &ct->status)) + bidirectional = false; break; #ifdef CONFIG_NF_CT_PROTO_GRE case IPPROTO_GRE: { struct nf_conntrack_tuple *tuple; - if (ct->status & IPS_NAT_MASK) + if ((ctinfo != IP_CT_ESTABLISHED && + ctinfo != IP_CT_ESTABLISHED_REPLY) || + !test_bit(IPS_ASSURED_BIT, &ct->status) || + ct->status & IPS_NAT_MASK) return; + tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; /* No support for GRE v1 */ if (tuple->src.u.gre.key || tuple->dst.u.gre.key) @@ -446,7 +456,7 @@ static void tcf_ct_flow_table_process_conn(struct tcf_ct_flow_table *ct_ft, ct->status & IPS_SEQ_ADJUST) return; - tcf_ct_flow_table_add(ct_ft, ct, tcp); + tcf_ct_flow_table_add(ct_ft, ct, tcp, bidirectional); } static bool 
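Review bot: In tcf_ct_flow_table_process_conn(), the IPPROTO_UDP case no longer looks at ctinfo at all: the common IP_CT_ESTABLISHED / IP_CT_ESTABLISHED_REPLY and IPS_ASSURED_BIT test was moved out of the function head into the TCP and GRE cases only, so any confirmed UDP conntrack entry, whatever its ctinfo, now reaches tcf_ct_flow_table_add(). If only IP_CT_NEW and the established states are meant to be added, test for them explicitly next to nf_ct_is_confirmed(); if every state is intended, a comment should say so, since this is the check that decides which connections bypass the software path. The established/assured test is also now duplicated verbatim in two cases and would be easier to keep in step as a small helper.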
@@ -625,13 +635,30 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p, flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); ct = flow->ct; + if (dir == FLOW_OFFLOAD_DIR_REPLY && + !test_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags)) { + /* Only offload reply direction after connection became + * assured. + */ + if (test_bit(IPS_ASSURED_BIT, &ct->status)) + set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags); + else if (test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags)) + /* If flow_table flow has already been updated to the + * established state, then don't refresh. + */ + return false; + } + if (tcph && (unlikely(tcph->fin || tcph->rst))) { flow_offload_teardown(flow); return false; } - ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED : - IP_CT_ESTABLISHED_REPLY; + if (dir == FLOW_OFFLOAD_DIR_ORIGINAL) + ctinfo = test_bit(IPS_SEEN_REPLY_BIT, &ct->status) ? + IP_CT_ESTABLISHED : IP_CT_NEW; + else + ctinfo = IP_CT_ESTABLISHED_REPLY; flow_offload_refresh(nf_ft, flow); nf_conntrack_get(&ct->ct_general);
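Review bot: In the new reply-direction block of tcf_ct_flow_table_lookup(), a reply packet for a flow that is neither assured nor marked NF_FLOW_HW_ESTABLISHED falls through to flow_offload_refresh() and is reported as IP_CT_ESTABLISHED_REPLY from the flow table. The commit message says that skipping the flow table is what lets conntrack handle reply packets and promote the connection, and the original-direction ctinfo, both here and in tcf_ct_flow_table_fill_actions(), depends on IPS_SEEN_REPLY_BIT in ct->status. Please spell out in a comment or in the changelog where that bit gets set for a flow whose first replies take this path; if nothing sets it, the flow stays IP_CT_NEW and NF_FLOW_HW_ESTABLISHED is never reached. Separately, the `else if` branch holds a comment plus a statement and should take braces.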
From: Vlad Buslov
Subject: [PATCH net-next v6 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns
Date: Wed, 1 Feb 2023 17:31:00 +0100
Message-ID: <20230201163100.1001180-8-vladbu@nvidia.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20230201163100.1001180-1-vladbu@nvidia.com>
References: <20230201163100.1001180-1-vladbu@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Both the synchronous early drop algorithm and the asynchronous gc worker completely ignore connections with the IPS_OFFLOAD_BIT status bit set. With the new functionality that enabled UDP NEW connection offload in action CT, a malicious user can flood the conntrack table with offloaded UDP connections by just sending a single packet per 5tuple, because such connections can no longer be deleted by the early drop algorithm.

To mitigate the issue, allow both early drop and gc to consider offloaded UDP connections for deletion.

Signed-off-by: Vlad Buslov
--- net/netfilter/nf_conntrack_core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 496c4920505b..52b824a60176 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1374,9 +1374,6 @@ static unsigned int early_drop_list(struct net *net, hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) { tmp = nf_ct_tuplehash_to_ctrack(h); - if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) - continue; - if (nf_ct_is_expired(tmp)) { nf_ct_gc_expired(tmp); continue; @@ -1446,11 +1443,14 @@ static bool gc_worker_skip_ct(const struct nf_conn *ct) static bool gc_worker_can_early_drop(const struct nf_conn *ct) { const struct nf_conntrack_l4proto *l4proto; + u8 protonum = nf_ct_protonum(ct); + if (test_bit(IPS_OFFLOAD_BIT, &ct->status) && protonum != IPPROTO_UDP) + return false; if (!test_bit(IPS_ASSURED_BIT, &ct->status)) return true; - l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); + l4proto = nf_ct_l4proto_find(protonum); if (l4proto->can_early_drop && l4proto->can_early_drop(ct)) return true; 
@@ -1507,7 +1507,8 @@ static void gc_worker(struct work_struct *work) if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) { nf_ct_offload_timeout(tmp); - continue; + if (!nf_conntrack_max95) + continue; } if (expired_count > GC_SCAN_EXPIRED_MAX) {
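Review bot: In the early_drop_list() hunk, the IPS_OFFLOAD_BIT skip is removed for every protocol, while the commit message limits the change to offloaded UDP connections and gc_worker_can_early_drop() gains an explicit "protonum != IPPROTO_UDP" guard. The visible lines show no equivalent protocol check in this loop, so please either add the same guard here or say in the commit message which later check in the loop keeps offloaded non-UDP entries from being picked by synchronous early drop.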
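Review bot: In the gc_worker_can_early_drop() hunk, the new "protonum != IPPROTO_UDP" exemption carries no comment explaining why UDP alone may be dropped while offloaded. A short comment tying it to the single-packet-per-5tuple flood described in the commit message would help, and it should state that an offloaded UDP entry which is not yet assured is meant to return true from the IPS_ASSURED_BIT check that follows.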
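Review bot: In the gc_worker() hunk, when nf_conntrack_max95 is set the offloaded entry falls through to the rest of the loop body immediately after nf_ct_offload_timeout(tmp) has run, and that fall-through applies to offloaded entries of every protocol, not only UDP. The protection for non-UDP entries then depends entirely on the guard added in gc_worker_can_early_drop(); a comment at the "if (!nf_conntrack_max95)" line saying that the fall-through exists only for early-drop evaluation and relies on that guard would make the dependency explicit. It is also worth confirming that the remaining checks in the loop, which offloaded entries previously never reached, behave as intended for them.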