Netdev Archive

* Allow offloading of UDP NEW connections via act_ct
  13:30 Vlad Buslov
Cc: netdev, netfilter-devel, jhs, xiyou.wangcong, jiri, ozsh,
	marcelo.leitner, simon.horman, Vlad Buslov

Currently only bidirectional established connections can be offloaded
Such an approach allows one to hardcode a lot of assumptions into
act_ct, flow_table and flow_offload intermediate layer codes. To enable
offloading of unidirectional UDP NEW connections start with
incrementally changing the following assumptions:

- CT meta action metadata doesn't store ctinfo as "established" or
  "established replied" is assumed depending on the direction. Provide
  ctinfo as a new structure field and modify act_ct to set it

- Fix flow_table offload fixup algorithm to calculate flow timeout
  according to current connection state instead of hardcoded
  "established"

- Add new flow_table flow flag that designates bidirectional connections
  instead of assuming it and hardcoding hardware offload of every flow in

- Add new flow_table flow flag that marks the flow for asynchronous
  update. Hardware offload state of such flows is updated by gc task by
  leveraging

With all the necessary infrastructure in place modify act_ct to offload
Pass reply direction traffic to CT and promote connection to
bidirectional when UDP connection state changes to "assured". Rely on
refresh mechanism to propagate connection

Note that the early drop algorithm that is designed to free up some
space in the connection tracking table when it becomes full (by randomly
deleting up to 5% of non-established connections) currently ignores
connections
"offloaded" it could allow a malicious user to perform a DoS attack by
filling the table with non-droppable UDP NEW connections by sending just
To prevent such a scenario change the early drop algorithm to also
consider "offloaded" connections for deletion.

  net: flow_offload: provision conntrack info in ct_metadata
  netfilter: flowtable: fixup UDP timeout depending on ct state
  netfilter: flowtable: allow unidirectional rules
  netfilter: flowtable: allow updating offloaded rules asynchronously
  net/sched: act_ct: set ctinfo in meta action depending on ct state
  net/sched: act_ct: offload UDP NEW connections
  netfilter: nf_conntrack: allow early drop of offloaded UDP conns

 ethernet/mellanox/mlx5/core/en/tc_ct.c    |  2 +
 ethernet/netronome/nfp/flower/conntrack.c | 20 +++++++
 include/net/netfilter/nf_flow_table.h     |  4 +
 net/netfilter/nf_conntrack_core.c         | 11 ++
 net/netfilter/nf_flow_table_offload.c     | 17 ++++
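The early-drop scenario in the cover letter above, as an added example that is not part of the original message, the series, or the kernel: a constructed model of a fixed-size conntrack table whose early drop frees up to 5% of non-established entries. With the pre-series policy (offloaded entries are never early-drop candidates) an attacker sending one packet per flow fills the table with offloaded UDP NEW entries that nothing can reclaim; with the policy the last patch introduces (offloaded entries are also candidates) new connections are admitted again. All identifiers (`ct_table`, `early_drop`, `simulate_flood`, the 1000-entry table, the xorshift start position) are this example's own assumptions, not kernel names.

```c
/*
 * Constructed model (not kernel code) of the early-drop behaviour the
 * cover letter describes. Names and sizes are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE         1000
#define EARLY_DROP_PERCENT 5

struct ct_entry {
	bool in_use;
	bool established; /* would be set once reply traffic is seen */
	bool offloaded;   /* pushed to the flowtable / hardware */
};

struct ct_table {
	struct ct_entry e[TABLE_SIZE];
	size_t used;
	bool drop_offloaded; /* policy: may early drop reclaim offloaded entries? */
};

/* Small deterministic PRNG so the "random" scan start is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
	uint32_t x = *s;
	x ^= x << 13; x ^= x >> 17; x ^= x << 5;
	return *s = x;
}

static bool early_drop_candidate(const struct ct_table *t, const struct ct_entry *e)
{
	if (!e->in_use || e->established)
		return false;
	/* Pre-series policy: an offloaded entry is never a candidate. */
	if (e->offloaded && !t->drop_offloaded)
		return false;
	return true;
}

/* Scan from a random slot, freeing candidates until the 5% budget is met.
 * Returns how many entries were freed. */
static size_t early_drop(struct ct_table *t, uint32_t *rng)
{
	size_t budget = TABLE_SIZE * EARLY_DROP_PERCENT / 100;
	size_t start = xorshift32(rng) % TABLE_SIZE;
	size_t freed = 0;

	for (size_t i = 0; i < TABLE_SIZE && freed < budget; i++) {
		struct ct_entry *e = &t->e[(start + i) % TABLE_SIZE];
		if (early_drop_candidate(t, e)) {
			memset(e, 0, sizeof(*e));
			t->used--;
			freed++;
		}
	}
	return freed;
}

/* Insert a new (non-established) entry; if the table is full, run early
 * drop first. Fails only when nothing can be reclaimed. */
static bool ct_insert(struct ct_table *t, bool offloaded, uint32_t *rng)
{
	if (t->used == TABLE_SIZE && early_drop(t, rng) == 0)
		return false; /* full and nothing reclaimable: the DoS case */
	for (size_t i = 0; i < TABLE_SIZE; i++) {
		if (!t->e[i].in_use) {
			t->e[i].in_use = true;
			t->e[i].offloaded = offloaded;
			t->used++;
			return true;
		}
	}
	return false;
}

/* Attacker sends one packet per flow; each creates a UDP NEW entry that
 * act_ct offloads at once. Then count how many of n_legit ordinary new
 * connections can still be inserted. */
size_t simulate_flood(bool drop_offloaded, size_t n_attack, size_t n_legit)
{
	static struct ct_table t;
	uint32_t rng = 0x2545F491u;
	size_t ok = 0;

	memset(&t, 0, sizeof(t));
	t.drop_offloaded = drop_offloaded;
	for (size_t i = 0; i < n_attack; i++)
		ct_insert(&t, true, &rng);
	for (size_t i = 0; i < n_legit; i++)
		ok += ct_insert(&t, false, &rng);
	return ok;
}

int main(void)
{
	printf("offloaded skipped by early drop:  %zu/10 new connections admitted\n",
	       simulate_flood(false, TABLE_SIZE, 10));
	printf("offloaded eligible for early drop: %zu/10 new connections admitted\n",
	       simulate_flood(true, TABLE_SIZE, 10));
	return 0;
}
```

The model only changes which entries `early_drop_candidate` accepts; everything else (table size, 5% budget, random start) is the same in both runs, which is what isolates the policy change the last patch of the series makes.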