[PATCH net v2 0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems

[PATCH net v2 0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems

[Roi Dayan]

On heavily loaded systems the GC can take time to go over all existing
conns and reset their timeout. At that time other calls like from
nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as
expired. To fix this when we set the offload bit we should also reset
the timeout instead of counting on GC to finish first iteration over
all conns before the initial timeout.

First commit is to expose the function that updates the timeout.
Second commit is to use it from flow_offload_add().

Roi Dayan (2):
  netfilter: conntrack: Move nf_ct_offload_timeout to header file
  netfilter: flowtable: Set offload timeout when adding flow

 include/net/netfilter/nf_conntrack.h | 12 ++++++++++++
 net/netfilter/nf_conntrack_core.c    | 12 ------------
 net/netfilter/nf_flow_table_core.c   |  2 ++
 3 files changed, 14 insertions(+), 12 deletions(-)

-- 
2.8.4

[PATCH net v2 1/2] netfilter: conntrack: Move nf_ct_offload_timeout to header file

[Roi Dayan]

To be used by callers from other modules.

Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
---
 include/net/netfilter/nf_conntrack.h | 12 ++++++++++++
 net/netfilter/nf_conntrack_core.c    | 12 ------------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 90690e37a56f..8481819ff632 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct)
 	       !nf_ct_is_dying(ct);
 }
 
+#define	DAY	(86400 * HZ)
+
+/* Set an arbitrary timeout large enough not to ever expire, this save
+ * us a check for the IPS_OFFLOAD_BIT from the packet path via
+ * nf_ct_is_expired().
+ */
+static inline void nf_ct_offload_timeout(struct nf_conn *ct)
+{
+	if (nf_ct_expires(ct) < DAY / 2)
+		ct->timeout = nfct_time_stamp + DAY;
+}
+
 struct kernel_param;
 
 int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 79cd9dde457b..947c6d9437c3 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1344,18 +1344,6 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct)
 	return false;
 }
 
-#define	DAY	(86400 * HZ)
-
-/* Set an arbitrary timeout large enough not to ever expire, this save
- * us a check for the IPS_OFFLOAD_BIT from the packet path via
- * nf_ct_is_expired().
- */
-static void nf_ct_offload_timeout(struct nf_conn *ct)
-{
-	if (nf_ct_expires(ct) < DAY / 2)
-		ct->timeout = nfct_time_stamp + DAY;
-}
-
 static void gc_worker(struct work_struct *work)
 {
 	unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u);
-- 
2.8.4

[PATCH net v2 2/2] netfilter: flowtable: Set offload timeout when adding flow

[Roi Dayan]

On heavily loaded systems the GC can take time to go over all existing
conns and reset their timeout. At that time other calls like from
nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as
expired. To fix this when we set the offload bit we should also reset
the timeout instead of counting on GC to finish first iteration over
all conns before the initial timeout.

Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Roi Dayan <roid@mellanox.com>
---

Notes:
    v2
    - timeout fix from flow_offload_add() instead of act_ct

 net/netfilter/nf_flow_table_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index b1eb5272b379..4f7a567c536e 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -243,6 +243,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
 		return err;
 	}
 
+	nf_ct_offload_timeout(flow->ct);
+
 	if (nf_flowtable_hw_offload(flow_table)) {
 		__set_bit(NF_FLOW_HW, &flow->flags);
 		nf_flow_offload_add(flow_table, flow);
-- 
2.8.4

Re: [PATCH net v2 0/2] netfilter: conntrack: Fix CT offload timeout on heavily loaded systems

[Pablo Neira Ayuso]

On Mon, Aug 03, 2020 at 10:33:03AM +0300, Roi Dayan wrote:
> On heavily loaded systems the GC can take time to go over all existing
> conns and reset their timeout. At that time other calls like from
> nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as
> expired. To fix this when we set the offload bit we should also reset
> the timeout instead of counting on GC to finish first iteration over
> all conns before the initial timeout.
> 
> First commit is to expose the function that updates the timeout.
> Second commit is to use it from flow_offload_add().

Series applied to nf.git, thanks.

Re: [PATCH net v2 1/2] netfilter: conntrack: Move nf_ct_offload_timeout to header file

[Pablo Neira Ayuso]

On Mon, Aug 03, 2020 at 10:33:04AM +0300, Roi Dayan wrote:
> To be used by callers from other modules.
> 
> Signed-off-by: Roi Dayan <roid@mellanox.com>
> Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
> ---
>  include/net/netfilter/nf_conntrack.h | 12 ++++++++++++
>  net/netfilter/nf_conntrack_core.c    | 12 ------------
>  2 files changed, 12 insertions(+), 12 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index 90690e37a56f..8481819ff632 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct)
>  	       !nf_ct_is_dying(ct);
>  }
>  
> +#define	DAY	(86400 * HZ)
> +
> +/* Set an arbitrary timeout large enough not to ever expire, this save
> + * us a check for the IPS_OFFLOAD_BIT from the packet path via
> + * nf_ct_is_expired().
> + */
> +static inline void nf_ct_offload_timeout(struct nf_conn *ct)
> +{
> +	if (nf_ct_expires(ct) < DAY / 2)
> +		ct->timeout = nfct_time_stamp + DAY;
> +}
> +
>  struct kernel_param;
>  

For the record: I have renamed DAY to NF_CT_DAY to avoid a possible
symbol name clash. No need to resend, I applied this small change
before applying.

Re: [PATCH net v2 1/2] netfilter: conntrack: Move nf_ct_offload_timeout to header file

[Roi Dayan]

On 2020-08-03 2:03 PM, Pablo Neira Ayuso wrote:
> On Mon, Aug 03, 2020 at 10:33:04AM +0300, Roi Dayan wrote:
>> To be used by callers from other modules.
>>
>> Signed-off-by: Roi Dayan <roid@mellanox.com>
>> Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
>> ---
>>  include/net/netfilter/nf_conntrack.h | 12 ++++++++++++
>>  net/netfilter/nf_conntrack_core.c    | 12 ------------
>>  2 files changed, 12 insertions(+), 12 deletions(-)
>>
>> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
>> index 90690e37a56f..8481819ff632 100644
>> --- a/include/net/netfilter/nf_conntrack.h
>> +++ b/include/net/netfilter/nf_conntrack.h
>> @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct)
>>  	       !nf_ct_is_dying(ct);
>>  }
>>  
>> +#define	DAY	(86400 * HZ)
>> +
>> +/* Set an arbitrary timeout large enough not to ever expire, this save
>> + * us a check for the IPS_OFFLOAD_BIT from the packet path via
>> + * nf_ct_is_expired().
>> + */
>> +static inline void nf_ct_offload_timeout(struct nf_conn *ct)
>> +{
>> +	if (nf_ct_expires(ct) < DAY / 2)
>> +		ct->timeout = nfct_time_stamp + DAY;
>> +}
>> +
>>  struct kernel_param;
>>  
> 
> For the record: I have renamed DAY to NF_CT_DAY to avoid a possible
> symbol name clash. No need to resend, I applied this small change
> before applying.
> 

thanks