Hi John, On Tue, Jun 26, 2018 at 08:30:55AM +0200, John Crispin wrote: > > > On 26/06/18 07:48, Florian Westphal wrote: > > John Crispin <john@xxxxxxxxxxx> wrote: > > > Currently traffic that hits the SW offloading path is not accounted for > > > and the conntrack counters will only show the first packet of the flow. > > > This patch adds a small helper function that gets called from the nf_hooks, > > > updating the accounting counters. > > Not sure this is a good idea. With offload accouting might not be > > available at all. > > correct but this is the pure SW path and accounting should work. I have > patches that sit on top of Pablo's HW offloading code for MediaTek Arm > Silicon, where accounting is not possible. However with the QCOM IPQ806x NSS > engine which i am currently working on, per flow accounting is indeed > possible. Right now only the netdev counters get updated by sw offloaded > flows. I agree with Florian on this, several ideas: 1) I think we should expose this as a property of the flowtable, so users enable this explicitly from control plane. By when we load the configuration, if the flowtable HW offload comes with counter support, then we allow this, otherwise we tell the user this is not supported when loading the ruleset. As you said, some HW comes with no accounting support, so we should expose those semantics to the user from the control plane. It would be just a mere option in your flowtable configuration, instead of enabling this inconditionally as in this patch. 2) For HW with traffic accounting support, we could just dump back to conntrack the counters once the connection is destroyed. Or alternatively, fetch them from netlink dump path, ie. if user requests stats, then from the netlink dump path, go to hardware and fetch them from the control plane path. 3) I think these counters below to the flowtable abstraction. So I suggest we add them there. We still need a netlink interface to dump the content of the flowtable, but that is doable. Since this looks very much related to hardware offload, I would keep it back until there is a driver in the tree. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
