From: Vlad Buslov <vladbu@nvidia.com>
To: <davem@davemloft.net>, <kuba@kernel.org>, <pabeni@redhat.com>,
<pablo@netfilter.org>
Cc: <netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>,
<jhs@mojatatu.com>, <xiyou.wangcong@gmail.com>,
<jiri@resnulli.us>, <ozsh@nvidia.com>,
<marcelo.leitner@gmail.com>, <simon.horman@corigine.com>,
Vlad Buslov <vladbu@nvidia.com>
Subject: [PATCH net-next v6 0/7] Allow offloading of UDP NEW connections via act_ct
Date: Wed, 1 Feb 2023 17:30:53 +0100 [thread overview]
Message-ID: <20230201163100.1001180-1-vladbu@nvidia.com> (raw)
Currently only bidirectional established connections can be offloaded
via act_ct. Such approach allows to hardcode a lot of assumptions into
act_ct, flow_table and flow_offload intermediate layer codes. In order
to enabled offloading of unidirectional UDP NEW connections start with
incrementally changing the following assumptions:
- Drivers assume that only established connections are offloaded and
don't support updating existing connections. Extract ctinfo from meta
action cookie and refuse offloading of new connections in the drivers.
- Fix flow_table offload fixup algorithm to calculate flow timeout
according to current connection state instead of hardcoded
"established" value.
- Add new flow_table flow flag that designates bidirectional connections
instead of assuming it and hardcoding hardware offload of every flow
in both directions.
- Add new flow_table flow flag that designates connections that are
offloaded to hardware as "established" instead of assuming it. This
allows some optimizations in act_ct and prevents spamming the
flow_table workqueue with redundant tasks.
With all the necessary infrastructure in place modify act_ct to offload
UDP NEW as unidirectional connection. Pass reply direction traffic to CT
and promote connection to bidirectional when UDP connection state
changes to "assured". Rely on refresh mechanism to propagate connection
state change to supporting drivers.
Note that early drop algorithm that is designed to free up some space in
connection tracking table when it becomes full (by randomly deleting up
to 5% of non-established connections) currently ignores connections
marked as "offloaded". Now, with UDP NEW connections becoming
"offloaded" it could allow malicious user to perform DoS attack by
filling the table with non-droppable UDP NEW connections by sending just
one packet in single direction. To prevent such scenario change early
drop algorithm to also consider "offloaded" connections for deletion.
Vlad Buslov (7):
net: flow_offload: provision conntrack info in ct_metadata
netfilter: flowtable: fixup UDP timeout depending on ct state
netfilter: flowtable: allow unidirectional rules
netfilter: flowtable: cache info of last offload
net/sched: act_ct: set ctinfo in meta action depending on ct state
net/sched: act_ct: offload UDP NEW connections
netfilter: nf_conntrack: allow early drop of offloaded UDP conns
.../ethernet/mellanox/mlx5/core/en/tc_ct.c | 4 ++
.../ethernet/netronome/nfp/flower/conntrack.c | 24 +++++++
include/net/netfilter/nf_flow_table.h | 8 ++-
net/netfilter/nf_conntrack_core.c | 11 ++--
net/netfilter/nf_flow_table_core.c | 5 +-
net/netfilter/nf_flow_table_inet.c | 2 +-
net/netfilter/nf_flow_table_offload.c | 18 +++--
net/sched/act_ct.c | 65 ++++++++++++++-----
8 files changed, 103 insertions(+), 34 deletions(-)
--
2.38.1
next reply other threads:[~2023-02-01 16:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-01 16:30 Vlad Buslov [this message]
2023-02-01 16:30 ` [PATCH net-next v6 1/7] net: flow_offload: provision conntrack info in ct_metadata Vlad Buslov
2023-02-01 16:30 ` [PATCH net-next v6 2/7] netfilter: flowtable: fixup UDP timeout depending on ct state Vlad Buslov
2023-02-01 16:30 ` [PATCH net-next v6 3/7] netfilter: flowtable: allow unidirectional rules Vlad Buslov
2023-02-01 16:30 ` [PATCH net-next v6 4/7] netfilter: flowtable: cache info of last offload Vlad Buslov
2023-02-01 16:30 ` [PATCH net-next v6 5/7] net/sched: act_ct: set ctinfo in meta action depending on ct state Vlad Buslov
2023-02-01 16:30 ` [PATCH net-next v6 6/7] net/sched: act_ct: offload UDP NEW connections Vlad Buslov
2023-02-01 16:31 ` [PATCH net-next v6 7/7] netfilter: nf_conntrack: allow early drop of offloaded UDP conns Vlad Buslov
2023-02-03 9:40 ` [PATCH net-next v6 0/7] Allow offloading of UDP NEW connections via act_ct patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230201163100.1001180-1-vladbu@nvidia.com \
--to=vladbu@nvidia.com \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=ozsh@nvidia.com \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=simon.horman@corigine.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).