Hi,

The following patches add connection tracking offload to tc.

We plan on offloading the datapath rules to netdev one to one to tc rules.
We'll be using the upcoming act_ct tc module, which is currently under review in netdev, for the datapath ct() action.
Tc chains and the tc goto chain action will be used for the recirc_id() match and recirc() action.
cls_flower will do the matching on skb conntrack metadata for the ct_state matches.

The patchset for act_ct and cls_flower is here:
https://lwn.net/Articles/791584/

So datapath ovs connection tracking rules:

    recirc_id(0),in_port(ens1f0_0),ct_state(-trk),... actions:ct(zone=2),recirc(2)
    recirc_id(2),in_port(ens1f0_0),ct_state(+new+trk),ct_mark(0xbb),... actions:ct(commit,zone=2,nat(src=5.5.5.7),mark=0xbb),ens1f0_1
    recirc_id(2),in_port(ens1f0_0),ct_state(+est+trk),ct_mark(0xbb),... actions:ct(zone=2,nat),ens1f0_1

    recirc_id(1),in_port(ens1f0_1),ct_state(-trk),... actions:ct(zone=2),recirc(1)
    recirc_id(1),in_port(ens1f0_1),ct_state(+est+trk),... actions:ct(zone=2,nat),ens1f0_0

Will be translated to these:

    $ tc filter add dev ens1f0_0 ingress \
        prio 1 chain 0 proto ip \
        flower ip_proto tcp ct_state -trk \
        action ct zone 2 pipe \
        action goto chain 2
    $ tc filter add dev ens1f0_0 ingress \
        prio 1 chain 2 proto ip \
        flower ct_state +trk+new \
        action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe \
        action mirred egress redirect dev ens1f0_1
    $ tc filter add dev ens1f0_0 ingress \
        prio 1 chain 2 proto ip \
        flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
        action ct nat pipe \
        action mirred egress redirect dev ens1f0_1

    $ tc filter add dev ens1f0_1 ingress \
        prio 1 chain 0 proto ip \
        flower ip_proto tcp ct_state -trk \
        action ct zone 2 pipe \
        action goto chain 1
    $ tc filter add dev ens1f0_1 ingress \
        prio 1 chain 1 proto ip \
        flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
        action ct nat pipe \
        action mirred egress redirect dev ens1f0_0

Paul Blakey (8):
  match: Add match_set_ct_zone_masked helper
  compat: Add tc ct action and flower matches defines for older kernels
  tc: Introduce tc_id to specify a tc filter
  netdev-offload-tc: Implement netdev tc flush via tc filter del
  netdev-offload-tc: Add recirculation support via tc chains
  netdev-offload-tc: Add conntrack support
  netdev-offload-tc: Add conntrack label and mark support
  netdev-offload-tc: Add conntrack nat support

 acinclude.m4                 |   6 +-
 include/linux/automake.mk    |   3 +-
 include/linux/pkt_cls.h      |  50 +++-
 include/linux/tc_act/tc_ct.h |  41 +++
 include/openvswitch/match.h  |   1 +
 lib/dpif-netlink.c           |   5 +
 lib/match.c                  |  10 +-
 lib/netdev-linux.c           |   6 +-
 lib/netdev-offload-tc.c      | 595 ++++++++++++++++++++++++++++++-------------
 lib/tc.c                     | 411 ++++++++++++++++++++++++------
 lib/tc.h                     |  75 +++++-
 11 files changed, 921 insertions(+), 282 deletions(-)
 create mode 100644 include/linux/tc_act/tc_ct.h

--
1.8.3.1

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
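
The one-to-one mapping described in the cover letter above (recirc_id to tc chain, ct_state to a flower match, ct() to action ct, recirc() to goto chain, output port to mirred redirect), sketched as an added example that is not code from the patch series or from OVS. It handles only the fields shown in the letter, skips the elided "..." matches, copies the fixed "ingress prio 1 ... proto ip" words from the letter's commands, and may order options differently from the hand-written commands; the function names are hypothetical.

```python
import re

def split_top(s):
    """Split on commas outside parentheses; drop the elided '...' entry."""
    parts, depth, cur = [], 0, ""
    for ch in s + ",":
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return [p for p in parts if p not in ("", "...")]

def fields(s):
    """'a(x),b' -> [('a', 'x'), ('b', None)]"""
    out = []
    for p in split_top(s):
        m = re.fullmatch(r"(\w+)\((.*)\)", p)
        out.append(m.groups() if m else (p, None))
    return out

def ct_to_tc(arg):
    """Datapath ct(...) arguments -> words of a tc 'action ct'."""
    words = ["action ct"]
    for item in split_top(arg):
        nat = re.fullmatch(r"nat\(src=(.+)\)", item)
        if nat:
            words += ["nat src addr", nat.group(1)]
        else:  # zone=2 -> 'zone 2', mark=0xbb -> 'mark 0xbb'; commit and bare nat pass through
            words += item.split("=", 1)
    return words + ["pipe"]

def to_tc(flow):
    """Translate one datapath flow line into a tc filter command (illustrative)."""
    match, actions = flow.split(" actions:")
    keys = dict(fields(match))
    cmd = ["tc filter add dev", keys["in_port"], "ingress prio 1 chain",
           keys["recirc_id"], "proto ip flower"]
    for key in ("ct_zone", "ct_mark", "ct_state"):
        if key in keys:
            cmd += [key, keys[key]]
    for name, arg in fields(actions):
        if name == "ct":
            cmd += ct_to_tc(arg)
        elif name == "recirc":
            cmd += ["action goto chain", arg]
        else:  # any other action is taken to be an output port
            cmd += ["action mirred egress redirect dev", name]
    return " ".join(cmd)
```
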