Re: [ovs-dev] [PATCH v6 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
On 24 Jan 2023, at 7:39, Roi Dayan wrote: > On 13/12/2022 17:35, Eelco Chaudron wrote: >> tc does not support conntrack ALGs. Even worse, with tc enabled, they >> should not be used/configured at all. This is because even though TC >> will ignore the rules with ALG configured, i.e., they will flow through >> the kernel module, return traffic might flow through a tc conntrack >> rule, and it will not invoke the ALG helper. >> >> Signed-off-by: Eelco Chaudron >> Acked-by: Roi Dayan >> --- >> Documentation/howto/tc-offload.rst | 11 +++ >> lib/netdev-offload-tc.c|4 >> tests/system-offloads.at | 28 >> 3 files changed, 23 insertions(+), 20 deletions(-) >> >> diff --git a/Documentation/howto/tc-offload.rst >> b/Documentation/howto/tc-offload.rst >> index f6482c8af..63687adc9 100644 >> --- a/Documentation/howto/tc-offload.rst >> +++ b/Documentation/howto/tc-offload.rst >> @@ -112,3 +112,14 @@ First flow packet not processed by meter >> Packets that are received by ovs-vswitchd through an upcall before the >> actual >> meter flow is installed, are not passing TC police action and therefore are >> not considered for policing. >> + >> +Conntrack Application Layer Gateways(ALG) >> ++ >> + >> +TC does not support conntrack helpers, i.e., ALGs. TC will not offload >> flows if >> +the ALG keyword is present within the ct() action. However, this will not >> allow >> +ALGs to work within the datapath, as the return traffic without the ALG >> keyword >> +might run through a TC rule, which internally will not call the conntrack >> +helper required. >> + >> +So if ALG support is required, tc offload must be disabled. >> diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c >> index 915c45ed3..ba309c2b6 100644 >> --- a/lib/netdev-offload-tc.c >> +++ b/lib/netdev-offload-tc.c >> @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, >> action->ct.label_mask = ct_label->mask; >> } >> break; >> +/* The following option we do not support in tc-ct, and >> should >> + * not be ignored for proper operation. */ >> +case OVS_CT_ATTR_HELPER: >> +return EOPNOTSUPP; >> } >> } >> >> diff --git a/tests/system-offloads.at b/tests/system-offloads.at >> index 9d1e80c8d..73a761316 100644 >> --- a/tests/system-offloads.at >> +++ b/tests/system-offloads.at >> @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], >> AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| >> uuidfilt])], [0], [$2]) >> ]) >> >> +<<< current > > Hi, > > I just noticed this. I guess from rebases as the file was supposed to be ok > since v2. > I see it got added by mistake since v3 > also, beside this any reason to hold the series? Thanks, I’ll send out a v7 to fix this. I think it’s not yet in because Ilya had no time to look at this before the 3.1 branch creation :( > Thanks, > Roi > > >> >> # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for >> the >> # tc-datapath entries to be installed. >> @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], >> m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl >> dpctl/dump-conntrack]) >> >> >> +# Conntrack ALGs are not supported for tc. >> +m4_define([CHECK_CONNTRACK_ALG], >> +[ >> + AT_SKIP_IF([:]) >> +]) >> + >> + >> # The list below are tests that will not pass for a "test environment" >> specific >> # issue. >> m4_define([OVS_TEST_SKIP_LIST], >> @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan >> conntrack - zone-based timeout policy >> conntrack - multiple zones, local >> conntrack - multi-stage pipeline, local >> -conntrack - FTP >> -conntrack - FTP over IPv6 >> -conntrack - IPv6 FTP Passive >> -conntrack - FTP with multiple expectations >> -conntrack - TFTP >> conntrack - ICMP related with NAT >> -conntrack - FTP SNAT prerecirc >> -conntrack - FTP SNAT prerecirc seqadj >> -conntrack - FTP SNAT postrecirc >> -conntrack - FTP SNAT postrecirc seqadj >> -conntrack - FTP SNAT orig tuple >> -conntrack - FTP SNAT orig tuple seqadj >> -conntrack - IPv4 FTP Passive with SNAT >> -conntrack - IPv4 FTP Passive with DNAT >> -conntrack - IPv4 FTP Passive with DNAT 2 >> -conntrack - IPv4 FTP Active with DNAT >> -conntrack - IPv4 FTP Active with DNAT with reverse skew >> -conntrack - IPv6 FTP with SNAT >> -conntrack - IPv6 FTP Passive with SNAT >> -conntrack - IPv6 FTP with SNAT - orig tuple >> -conntrack - IPv4 TFTP with SNAT >> conntrack - DNAT load balancing >> conntrack - DNAT load balancing with NC >> conntrack - Multiple ICMP traverse >> ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v6 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
On 13/12/2022 17:35, Eelco Chaudron wrote: > tc does not support conntrack ALGs. Even worse, with tc enabled, they > should not be used/configured at all. This is because even though TC > will ignore the rules with ALG configured, i.e., they will flow through > the kernel module, return traffic might flow through a tc conntrack > rule, and it will not invoke the ALG helper. > > Signed-off-by: Eelco Chaudron > Acked-by: Roi Dayan > --- > Documentation/howto/tc-offload.rst | 11 +++ > lib/netdev-offload-tc.c|4 > tests/system-offloads.at | 28 > 3 files changed, 23 insertions(+), 20 deletions(-) > > diff --git a/Documentation/howto/tc-offload.rst > b/Documentation/howto/tc-offload.rst > index f6482c8af..63687adc9 100644 > --- a/Documentation/howto/tc-offload.rst > +++ b/Documentation/howto/tc-offload.rst > @@ -112,3 +112,14 @@ First flow packet not processed by meter > Packets that are received by ovs-vswitchd through an upcall before the actual > meter flow is installed, are not passing TC police action and therefore are > not considered for policing. > + > +Conntrack Application Layer Gateways(ALG) > ++ > + > +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows > if > +the ALG keyword is present within the ct() action. However, this will not > allow > +ALGs to work within the datapath, as the return traffic without the ALG > keyword > +might run through a TC rule, which internally will not call the conntrack > +helper required. > + > +So if ALG support is required, tc offload must be disabled. > diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c > index 915c45ed3..ba309c2b6 100644 > --- a/lib/netdev-offload-tc.c > +++ b/lib/netdev-offload-tc.c > @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, > action->ct.label_mask = ct_label->mask; > } > break; > +/* The following option we do not support in tc-ct, and > should > + * not be ignored for proper operation. */ > +case OVS_CT_ATTR_HELPER: > +return EOPNOTSUPP; > } > } > > diff --git a/tests/system-offloads.at b/tests/system-offloads.at > index 9d1e80c8d..73a761316 100644 > --- a/tests/system-offloads.at > +++ b/tests/system-offloads.at > @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], > AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| > uuidfilt])], [0], [$2]) > ]) > > +<<< current Hi, I just noticed this. I guess from rebases as the file was supposed to be ok since v2. I see it got added by mistake since v3 also, beside this any reason to hold the series? Thanks, Roi > > # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for > the > # tc-datapath entries to be installed. > @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], > m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) > > > +# Conntrack ALGs are not supported for tc. > +m4_define([CHECK_CONNTRACK_ALG], > +[ > + AT_SKIP_IF([:]) > +]) > + > + > # The list below are tests that will not pass for a "test environment" > specific > # issue. > m4_define([OVS_TEST_SKIP_LIST], > @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan > conntrack - zone-based timeout policy > conntrack - multiple zones, local > conntrack - multi-stage pipeline, local > -conntrack - FTP > -conntrack - FTP over IPv6 > -conntrack - IPv6 FTP Passive > -conntrack - FTP with multiple expectations > -conntrack - TFTP > conntrack - ICMP related with NAT > -conntrack - FTP SNAT prerecirc > -conntrack - FTP SNAT prerecirc seqadj > -conntrack - FTP SNAT postrecirc > -conntrack - FTP SNAT postrecirc seqadj > -conntrack - FTP SNAT orig tuple > -conntrack - FTP SNAT orig tuple seqadj > -conntrack - IPv4 FTP Passive with SNAT > -conntrack - IPv4 FTP Passive with DNAT > -conntrack - IPv4 FTP Passive with DNAT 2 > -conntrack - IPv4 FTP Active with DNAT > -conntrack - IPv4 FTP Active with DNAT with reverse skew > -conntrack - IPv6 FTP with SNAT > -conntrack - IPv6 FTP Passive with SNAT > -conntrack - IPv6 FTP with SNAT - orig tuple > -conntrack - IPv4 TFTP with SNAT > conntrack - DNAT load balancing > conntrack - DNAT load balancing with NC > conntrack - Multiple ICMP traverse > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH v6 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
tc does not support conntrack ALGs. Even worse, with tc enabled, they should not be used/configured at all. This is because even though TC will ignore the rules with ALG configured, i.e., they will flow through the kernel module, return traffic might flow through a tc conntrack rule, and it will not invoke the ALG helper. Signed-off-by: Eelco Chaudron Acked-by: Roi Dayan --- Documentation/howto/tc-offload.rst | 11 +++ lib/netdev-offload-tc.c|4 tests/system-offloads.at | 28 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..63687adc9 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways(ALG) ++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 915c45ed3..ba309c2b6 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, action->ct.label_mask = ct_label->mask; } break; +/* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ +case OVS_CT_ATTR_HELPER: +return EOPNOTSUPP; } } diff --git a/tests/system-offloads.at b/tests/system-offloads.at index 9d1e80c8d..73a761316 100644 --- a/tests/system-offloads.at +++ b/tests/system-offloads.at @@ -30,6 +30,7 @@ m4_define([OVS_TRAFFIC_VSWITCHD_START], AT_CHECK([ovs-vsctl -- _ADD_BR([br0]) -- $1 m4_if([$2], [], [], [| uuidfilt])], [0], [$2]) ]) +<<< current # We override the OVS_REVALIDATOR_PURGE macro, allowing a bit more time for the # tc-datapath entries to be installed. @@ -42,6 +43,13 @@ m4_define([OVS_REVALIDATOR_PURGE], m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) +# Conntrack ALGs are not supported for tc. +m4_define([CHECK_CONNTRACK_ALG], +[ + AT_SKIP_IF([:]) +]) + + # The list below are tests that will not pass for a "test environment" specific # issue. m4_define([OVS_TEST_SKIP_LIST], @@ -60,27 +68,7 @@ conntrack - IPv6 Fragmentation over vxlan conntrack - zone-based timeout policy conntrack - multiple zones, local conntrack - multi-stage pipeline, local -conntrack - FTP -conntrack - FTP over IPv6 -conntrack - IPv6 FTP Passive -conntrack - FTP with multiple expectations -conntrack - TFTP conntrack - ICMP related with NAT -conntrack - FTP SNAT prerecirc -conntrack - FTP SNAT prerecirc seqadj -conntrack - FTP SNAT postrecirc -conntrack - FTP SNAT postrecirc seqadj -conntrack - FTP SNAT orig tuple -conntrack - FTP SNAT orig tuple seqadj -conntrack - IPv4 FTP Passive with SNAT -conntrack - IPv4 FTP Passive with DNAT -conntrack - IPv4 FTP Passive with DNAT 2 -conntrack - IPv4 FTP Active with DNAT -conntrack - IPv4 FTP Active with DNAT with reverse skew -conntrack - IPv6 FTP with SNAT -conntrack - IPv6 FTP Passive with SNAT -conntrack - IPv6 FTP with SNAT - orig tuple -conntrack - IPv4 TFTP with SNAT conntrack - DNAT load balancing conntrack - DNAT load balancing with NC conntrack - Multiple ICMP traverse ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
