tc does not support conntrack ALGs. Even worse, with tc enabled, they should not be used/configured at all. This is because even though TC will ignore the rules with ALG configured, i.e., they will flow through the kernel module, return traffic might flow through a tc conntrack rule, and it will not invoke the ALG helper.
Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support") Signed-off-by: Eelco Chaudron <echau...@redhat.com> Acked-by: Roi Dayan <r...@nvidia.com> --- Documentation/howto/tc-offload.rst | 11 +++++++++++ lib/netdev-offload-tc.c | 4 ++++ tests/system-offloads-testsuite-macros.at | 6 ++++++ tests/system-traffic.at | 15 --------------- 4 files changed, 21 insertions(+), 15 deletions(-) diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..681dff13e 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways (ALG) +++++++++++++++++++++++++++++++++++++++++++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index f9f05cd5c..4e94430ec 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1425,6 +1425,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, get_32aligned_u128(&ct_label->mask); } break; + /* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ + case OVS_CT_ATTR_HELPER: + return EOPNOTSUPP; } } diff --git a/tests/system-offloads-testsuite-macros.at b/tests/system-offloads-testsuite-macros.at index 2129cf7f0..5d7044f42 100644 --- a/tests/system-offloads-testsuite-macros.at +++ b/tests/system-offloads-testsuite-macros.at 
@@ -34,3 +34,9 @@ m4_define([CHECK_NO_TC_OFFLOAD], [ AT_SKIP_IF([:]) ]) + +# Conntrack ALGs are not supported for tc. +m4_define([CHECK_CONNTRACK_ALG], +[ + AT_SKIP_IF([:]) +]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index b2751e7e4..05e0473ec 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -4827,7 +4827,6 @@ OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP AT_SETUP([conntrack - FTP]) -CHECK_NO_TC_OFFLOAD() AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_ALG() @@ -4937,7 +4936,6 @@ AT_SETUP([conntrack - FTP over IPv6]) AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -4993,7 +4991,6 @@ AT_SETUP([conntrack - IPv6 FTP Passive]) AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -5053,7 +5050,6 @@ AT_SETUP([conntrack - FTP with multiple expectations]) AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -5120,7 +5116,6 @@ AT_SETUP([conntrack - TFTP]) AT_SKIP_IF([test $HAVE_TFTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -5756,7 +5751,6 @@ m4_define([CHECK_FTP_NAT], CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() - CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6064,7 +6058,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6125,7 +6118,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() 
@@ -6186,7 +6178,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6247,7 +6238,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6308,7 +6298,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6511,7 +6500,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6572,7 +6560,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() @@ -6634,7 +6621,6 @@ AT_SKIP_IF([test $HAVE_FTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -6695,7 +6681,6 @@ AT_SKIP_IF([test $HAVE_TFTP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() CHECK_CONNTRACK_ALG() -CHECK_NO_TC_OFFLOAD() OVS_TRAFFIC_VSWITCHD_START() _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
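Review bot: In the new "Conntrack Application Layer Gateways (ALG)" section of Documentation/howto/tc-offload.rst, the closing sentence "So if ALG support is required, tc offload must be disabled" says neither how to disable it nor what an operator will observe when it is left enabled. Suggest naming the setting that turns offload off and stating the symptom, namely that return traffic matched by a TC rule bypasses the required conntrack helper. "The ALG keyword" would also be clearer if it spelled out the ct() argument it refers to.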
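Review bot: In parse_put_flow_ct_action() in lib/netdev-offload-tc.c, the new "case OVS_CT_ATTR_HELPER: return EOPNOTSUPP;" rejects the flow silently, and the comment above it does not say why this attribute must not be ignored when the visible end of the switch has no default case for other unhandled attributes. Suggest expanding the comment to explain that a helper handled outside TC still breaks once return traffic hits a TC ct rule, and consider a rate-limited log message so that someone running ALG flows with offload enabled gets a pointer to the documentation.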
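Review bot: In tests/system-offloads-testsuite-macros.at, CHECK_CONNTRACK_ALG is defined as an unconditional AT_SKIP_IF([:]), so every ALG test is skipped in the offloads run and nothing exercises the new EOPNOTSUPP return for OVS_CT_ATTR_HELPER. Suggest adding an offload test that installs a flow with a helper in its ct() action and asserts that the flow is not offloaded to TC.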
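Review bot: Across the 15 hunks in tests/system-traffic.at, removing CHECK_NO_TC_OFFLOAD() leaves CHECK_CONNTRACK_ALG() as the only thing keeping these FTP and TFTP tests out of the offloads run, and that dependency is not stated anywhere in the file. Suggest a short comment, either here or next to the macro override, saying that any new ALG test must call CHECK_CONNTRACK_ALG() so it is skipped under tc offload rather than failing there.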