From: Paul Blakey <paulb@mellanox.com>
To: Paul Blakey <paulb@mellanox.com>,
	Saeed Mahameed <saeedm@mellanox.com>,
	Oz Shlomo <ozsh@mellanox.com>,
	Jakub Kicinski <jakub.kicinski@netronome.com>,
	Vlad Buslov <vladbu@mellanox.com>,
	David Miller <davem@davemloft.net>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Jiri Pirko <jiri@mellanox.com>, Roi Dayan <roid@mellanox.com>
Subject: [PATCH net-next ct-offload 04/13] net/sched: act_ct: Support refreshing the flow table entries
Date: Thu,  5 Mar 2020 17:34:19 +0200	[thread overview]
Message-ID: <1583422468-8456-5-git-send-email-paulb@mellanox.com> (raw)
In-Reply-To: <1583422468-8456-1-git-send-email-paulb@mellanox.com>

If the driver deleted an FT entry, an FT failed to offload, or the driver
registered to the flow table after flows were already added, we still get
packets in software.

For those packets, while restoring the ct state from the flow table
entry, refresh its hardware offload.

Signed-off-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
---
 include/net/netfilter/nf_flow_table.h |  3 +++
 net/netfilter/nf_flow_table_core.c    | 13 +++++++++++++
 net/netfilter/nf_flow_table_ip.c      | 15 ++-------------
 net/sched/act_ct.c                    |  1 +
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index c2d5cdd..6890f1c 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -162,6 +162,9 @@ int flow_offload_route_init(struct flow_offload *flow,
 			    const struct nf_flow_route *route);
 
 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
+void flow_offload_refresh(struct nf_flowtable *flow_table,
+			  struct flow_offload *flow);
+
 struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
 						     struct flow_offload_tuple *tuple);
 void nf_flow_table_cleanup(struct net_device *dev);
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 4af0327..9a477bd 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -252,6 +252,19 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
 }
 EXPORT_SYMBOL_GPL(flow_offload_add);
 
+void flow_offload_refresh(struct nf_flowtable *flow_table,
+			  struct flow_offload *flow)
+{
+	flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
+
+	if (likely(!nf_flowtable_hw_offload(flow_table) ||
+		   !test_and_clear_bit(NF_FLOW_HW_REFRESH, &flow->flags)))
+		return;
+
+	nf_flow_offload_add(flow_table, flow);
+}
+EXPORT_SYMBOL_GPL(flow_offload_refresh);
+
 static inline bool nf_flow_has_expired(const struct flow_offload *flow)
 {
 	return nf_flow_timeout_delta(flow->timeout) <= 0;
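Review bot: flow_offload_refresh() clears NF_FLOW_HW_REFRESH with test_and_clear_bit() before it calls nf_flow_offload_add(), and nothing visible here checks whether the add was actually queued. The body of nf_flow_offload_add() is not shown, so if it can fail silently the entry would stay software-only with the refresh request already consumed; please confirm the failure path re-arms the bit. The new export also has no comment, and I would add `/* Datapath helper: extend the flow's timeout and, if a hardware refresh was requested, re-queue the offload. */` above it, along with the expected calling context. The nf_flow_has_expired() context at the end of the hunk continues outside it.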
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 9e563fd..5272721 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -232,13 +232,6 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
 	return NF_STOLEN;
 }
 
-static bool nf_flow_offload_refresh(struct nf_flowtable *flow_table,
-				    struct flow_offload *flow)
-{
-	return nf_flowtable_hw_offload(flow_table) &&
-	       test_and_clear_bit(NF_FLOW_HW_REFRESH, &flow->flags);
-}
-
 unsigned int
 nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 			const struct nf_hook_state *state)
@@ -279,8 +272,7 @@ static bool nf_flow_offload_refresh(struct nf_flowtable *flow_table,
 	if (nf_flow_state_check(flow, ip_hdr(skb)->protocol, skb, thoff))
 		return NF_ACCEPT;
 
-	if (unlikely(nf_flow_offload_refresh(flow_table, flow)))
-		nf_flow_offload_add(flow_table, flow);
+	flow_offload_refresh(flow_table, flow);
 
 	if (nf_flow_offload_dst_check(&rt->dst)) {
 		flow_offload_teardown(flow);
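Review bot: Switching to flow_offload_refresh() here also moves the `flow->timeout` update ahead of nf_flow_offload_dst_check() and the NAT step, because the helper writes the timeout before anything else. Previously the timeout was extended only after both checks had passed, so a packet that ends in flow_offload_teardown() or in `return NF_DROP` after nf_flow_nat_ip() now still prolongs the entry's lifetime. If that is intended it deserves a sentence in the commit message; otherwise keep a separate timeout update after the NAT check. The same reordering applies to the IPv6 hunks at -508 and -522. The enclosing hook function starts and ends outside this hunk.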
@@ -290,7 +282,6 @@ static bool nf_flow_offload_refresh(struct nf_flowtable *flow_table,
 	if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
 		return NF_DROP;
 
-	flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
 	iph = ip_hdr(skb);
 	ip_decrease_ttl(iph);
 	skb->tstamp = 0;
@@ -508,8 +499,7 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
 				sizeof(*ip6h)))
 		return NF_ACCEPT;
 
-	if (unlikely(nf_flow_offload_refresh(flow_table, flow)))
-		nf_flow_offload_add(flow_table, flow);
+	flow_offload_refresh(flow_table, flow);
 
 	if (nf_flow_offload_dst_check(&rt->dst)) {
 		flow_offload_teardown(flow);
@@ -522,7 +512,6 @@ static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
 	if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
 		return NF_DROP;
 
-	flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
 	ip6h = ipv6_hdr(skb);
 	ip6h->hop_limit--;
 	skb->tstamp = 0;
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 47cdba6..102be90 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -518,6 +518,7 @@ static bool tcf_ct_flow_table_lookup(struct tcf_ct_params *p,
 	ctinfo = dir == FLOW_OFFLOAD_DIR_ORIGINAL ? IP_CT_ESTABLISHED :
 						    IP_CT_ESTABLISHED_REPLY;
 
+	flow_offload_refresh(nf_ft, flow);
 	nf_conntrack_get(&ct->ct_general);
 	nf_ct_set(skb, ct, ctinfo);
 
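Review bot: The added flow_offload_refresh() call extends the entry's timeout for every packet that reaches this lookup, but the hunk does not show whether the flow was checked for teardown or expiry first. If tcf_ct_flow_table_lookup() can return an entry that is already being torn down, the refresh would keep it alive and may re-queue its hardware offload; please confirm such a check sits above the hunk, or add one before the call. A short comment such as `/* seen in software: extend timeout, re-offload if requested */` would also explain why a lookup has this side effect. The function body continues outside the hunk.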
-- 
1.8.3.1

