Re: [ovs-dev] [PATCH v8 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
On 26 Jan 2023, at 22:33, Ilya Maximets wrote: > On 1/26/23 22:32, Ilya Maximets wrote: >> On 1/24/23 13:57, Eelco Chaudron wrote: >>> tc does not support conntrack ALGs. Even worse, with tc enabled, they >>> should not be used/configured at all. This is because even though TC >>> will ignore the rules with ALG configured, i.e., they will flow through >>> the kernel module, return traffic might flow through a tc conntrack >>> rule, and it will not invoke the ALG helper. >>> > > And maybe a Fixes tag? Will add Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support") >>> Signed-off-by: Eelco Chaudron >>> Acked-by: Roi Dayan >>> --- >>> Documentation/howto/tc-offload.rst | 11 +++ >>> lib/netdev-offload-tc.c|4 >>> tests/system-offloads.at | 27 +++ >>> 3 files changed, 22 insertions(+), 20 deletions(-) >>> >>> diff --git a/Documentation/howto/tc-offload.rst >>> b/Documentation/howto/tc-offload.rst >>> index f6482c8af..63687adc9 100644 >>> --- a/Documentation/howto/tc-offload.rst >>> +++ b/Documentation/howto/tc-offload.rst >>> @@ -112,3 +112,14 @@ First flow packet not processed by meter >>> Packets that are received by ovs-vswitchd through an upcall before the >>> actual >>> meter flow is installed, are not passing TC police action and therefore are >>> not considered for policing. >>> + >>> +Conntrack Application Layer Gateways(ALG) >> >> Nit: a space before the '(ALG)' would be nice. Will fix. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v8 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
On 1/26/23 22:32, Ilya Maximets wrote: > On 1/24/23 13:57, Eelco Chaudron wrote: >> tc does not support conntrack ALGs. Even worse, with tc enabled, they >> should not be used/configured at all. This is because even though TC >> will ignore the rules with ALG configured, i.e., they will flow through >> the kernel module, return traffic might flow through a tc conntrack >> rule, and it will not invoke the ALG helper. >> And maybe a Fixes tag? >> Signed-off-by: Eelco Chaudron >> Acked-by: Roi Dayan >> --- >> Documentation/howto/tc-offload.rst | 11 +++ >> lib/netdev-offload-tc.c|4 >> tests/system-offloads.at | 27 +++ >> 3 files changed, 22 insertions(+), 20 deletions(-) >> >> diff --git a/Documentation/howto/tc-offload.rst >> b/Documentation/howto/tc-offload.rst >> index f6482c8af..63687adc9 100644 >> --- a/Documentation/howto/tc-offload.rst >> +++ b/Documentation/howto/tc-offload.rst >> @@ -112,3 +112,14 @@ First flow packet not processed by meter >> Packets that are received by ovs-vswitchd through an upcall before the >> actual >> meter flow is installed, are not passing TC police action and therefore are >> not considered for policing. >> + >> +Conntrack Application Layer Gateways(ALG) > > Nit: a space before the '(ALG)' would be nice. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v8 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
On 1/24/23 13:57, Eelco Chaudron wrote: > tc does not support conntrack ALGs. Even worse, with tc enabled, they > should not be used/configured at all. This is because even though TC > will ignore the rules with ALG configured, i.e., they will flow through > the kernel module, return traffic might flow through a tc conntrack > rule, and it will not invoke the ALG helper. > > Signed-off-by: Eelco Chaudron > Acked-by: Roi Dayan > --- > Documentation/howto/tc-offload.rst | 11 +++ > lib/netdev-offload-tc.c|4 > tests/system-offloads.at | 27 +++ > 3 files changed, 22 insertions(+), 20 deletions(-) > > diff --git a/Documentation/howto/tc-offload.rst > b/Documentation/howto/tc-offload.rst > index f6482c8af..63687adc9 100644 > --- a/Documentation/howto/tc-offload.rst > +++ b/Documentation/howto/tc-offload.rst > @@ -112,3 +112,14 @@ First flow packet not processed by meter > Packets that are received by ovs-vswitchd through an upcall before the actual > meter flow is installed, are not passing TC police action and therefore are > not considered for policing. > + > +Conntrack Application Layer Gateways(ALG) Nit: a space before the '(ALG)' would be nice. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH v8 09/15] netdev-offload-tc: Conntrack ALGs are not supported with tc.
tc does not support conntrack ALGs. Even worse, with tc enabled, they should not be used/configured at all. This is because even though TC will ignore the rules with ALG configured, i.e., they will flow through the kernel module, return traffic might flow through a tc conntrack rule, and it will not invoke the ALG helper. Signed-off-by: Eelco Chaudron Acked-by: Roi Dayan --- Documentation/howto/tc-offload.rst | 11 +++ lib/netdev-offload-tc.c|4 tests/system-offloads.at | 27 +++ 3 files changed, 22 insertions(+), 20 deletions(-) diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..63687adc9 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways(ALG) ++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 915c45ed3..ba309c2b6 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, action->ct.label_mask = ct_label->mask; } break; +/* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ +case OVS_CT_ATTR_HELPER: +return EOPNOTSUPP; } } diff --git a/tests/system-offloads.at b/tests/system-offloads.at index 9d1e80c8d..c4ed3a171 100644 --- a/tests/system-offloads.at +++ b/tests/system-offloads.at @@ -42,6 +42,13 @@ m4_define([OVS_REVALIDATOR_PURGE], m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack]) +# Conntrack ALGs are not supported for tc. +m4_define([CHECK_CONNTRACK_ALG], +[ + AT_SKIP_IF([:]) +]) + + # The list below are tests that will not pass for a "test environment" specific # issue. m4_define([OVS_TEST_SKIP_LIST], @@ -60,27 +67,7 @@ conntrack - IPv6 Fragmentation over vxlan conntrack - zone-based timeout policy conntrack - multiple zones, local conntrack - multi-stage pipeline, local -conntrack - FTP -conntrack - FTP over IPv6 -conntrack - IPv6 FTP Passive -conntrack - FTP with multiple expectations -conntrack - TFTP conntrack - ICMP related with NAT -conntrack - FTP SNAT prerecirc -conntrack - FTP SNAT prerecirc seqadj -conntrack - FTP SNAT postrecirc -conntrack - FTP SNAT postrecirc seqadj -conntrack - FTP SNAT orig tuple -conntrack - FTP SNAT orig tuple seqadj -conntrack - IPv4 FTP Passive with SNAT -conntrack - IPv4 FTP Passive with DNAT -conntrack - IPv4 FTP Passive with DNAT 2 -conntrack - IPv4 FTP Active with DNAT -conntrack - IPv4 FTP Active with DNAT with reverse skew -conntrack - IPv6 FTP with SNAT -conntrack - IPv6 FTP Passive with SNAT -conntrack - IPv6 FTP with SNAT - orig tuple -conntrack - IPv4 TFTP with SNAT conntrack - DNAT load balancing conntrack - DNAT load balancing with NC conntrack - Multiple ICMP traverse ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev