On 13/12/2022 17:35, Eelco Chaudron wrote:
> tc does not support conntrack ALGs. Even worse, with tc enabled, they
> should not be used/configured at all. This is because even though TC
> will ignore the rules with ALG configured, i.e., they will flow through
> the kernel module, return traffic might flow through a tc conntrack
> rule, and it will not invoke the ALG helper.
>
> Signed-off-by: Eelco Chaudron <[email protected]>
> Acked-by: Roi Dayan <[email protected]>
> ---
> Documentation/howto/tc-offload.rst | 11 +++++++++++
> lib/netdev-offload-tc.c | 4 ++++
> tests/system-offloads.at | 28 ++++++++--------------------
> 3 files changed, 23 insertions(+), 20 deletions(-)
>
> diff --git a/Documentation/howto/tc-offload.rst
> b/Documentation/howto/tc-offload.rst
> index f6482c8af..63687adc9 100644
> --- a/Documentation/howto/tc-offload.rst
> +++ b/Documentation/howto/tc-offload.rst
> @@ -112,3 +112,14 @@ First flow packet not processed by meter
> Packets that are received by ovs-vswitchd through an upcall before the actual
> meter flow is installed, are not passing TC police action and therefore are
> not considered for policing.
> +
> +Conntrack Application Layer Gateways(ALG)
> ++++++++++++++++++++++++++++++++++++++++++
> +
> +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows
> if
> +the ALG keyword is present within the ct() action. However, this will not
> allow
> +ALGs to work within the datapath, as the return traffic without the ALG
> keyword
> +might run through a TC rule, which internally will not call the conntrack
> +helper required.
> +
> +So if ALG support is required, tc offload must be disabled.
> diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
> index 915c45ed3..ba309c2b6 100644
> --- a/lib/netdev-offload-tc.c
> +++ b/lib/netdev-offload-tc.c
> @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower,
> action->ct.label_mask = ct_label->mask;
> }
> break;
> + /* The following option we do not support in tc-ct, and
> should
> + * not be ignored for proper operation. */
> + case OVS_CT_ATTR_HELPER:
> + return EOPNOTSUPP;
> }
> }
>
> diff --git a/tests/system-offloads.at b/tests/system-offloads.at
> index 9d1e80c8d..73a761316 100644
> --- a/tests/system-offloads.at
> +++ b/tests/system-offloads.at
> @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START],
> AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [|
> uuidfilt])], [0], [$2])
> ])
>
> +<<<<<<< current
Hi,
I just noticed this. I guess from rebases as the file was supposed to be ok
since v2.
I see it got added by mistake since v3
also, beside this any reason to hold the series?
Thanks,
Roi
>
> # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for
> the
> # tc-datapath entries to be installed.
> @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE],
> m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack])
>
>
> +# Conntrack ALGs are not supported for tc.
> +m4_define([CHECK_CONNTRACK_ALG],
> +[
> + AT_SKIP_IF([:])
> +])
> +
> +
> # The list below are tests that will not pass for a "test environment"
> specific
> # issue.
> m4_define([OVS_TEST_SKIP_LIST],
> @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan
> conntrack - zone-based timeout policy
> conntrack - multiple zones, local
> conntrack - multi-stage pipeline, local
> -conntrack - FTP
> -conntrack - FTP over IPv6
> -conntrack - IPv6 FTP Passive
> -conntrack - FTP with multiple expectations
> -conntrack - TFTP
> conntrack - ICMP related with NAT
> -conntrack - FTP SNAT prerecirc<SPC>
> -conntrack - FTP SNAT prerecirc seqadj
> -conntrack - FTP SNAT postrecirc<SPC>
> -conntrack - FTP SNAT postrecirc seqadj
> -conntrack - FTP SNAT orig tuple<SPC>
> -conntrack - FTP SNAT orig tuple seqadj
> -conntrack - IPv4 FTP Passive with SNAT
> -conntrack - IPv4 FTP Passive with DNAT
> -conntrack - IPv4 FTP Passive with DNAT 2
> -conntrack - IPv4 FTP Active with DNAT
> -conntrack - IPv4 FTP Active with DNAT with reverse skew
> -conntrack - IPv6 FTP with SNAT
> -conntrack - IPv6 FTP Passive with SNAT
> -conntrack - IPv6 FTP with SNAT - orig tuple
> -conntrack - IPv4 TFTP with SNAT
> conntrack - DNAT load balancing
> conntrack - DNAT load balancing with NC
> conntrack - Multiple ICMP traverse
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
