Current conntrack offload implementation doesn't provide much visibility and control over offload code. The code just tries to offload new flows, even if current amount of flows is beyond what can be reasonably processed by target hardware. On top of that there is no way to determine current load on workqueues that process the offload tasks which makes it hard to debug the cases where offload is significantly delayed due to rate of new connections being higher than driver or hardware offload rate. Improve the debuggability situation by implementing following new functionality: - Sysctls for current total count of offloaded flow and user-configurable maximum. Capping the amount of offloaded flows can be useful for the allocations of hardware resources. Note that the flow can still be offloaded afterwards via 'refresh' mechanism if total hardware count. - Procfs for current total of workqueue tasks for nf_ft_offload_add, nf_ft_offload_del and nf_ft_offload_stats queues. This allows visibility for flow offload delay due to system scheduling offload tasks faster than driver/hardware can process them. Vlad Buslov (3): net/sched: act_ct: set 'net' pointer when creating new nf_flow_table netfilter: nf_flow_table: count and limit hw offloaded entries netfilter: nf_flow_table: count pending offload workqueue tasks .../networking/nf_conntrack-sysctl.rst | 9 ++ include/net/net_namespace.h | 6 + include/net/netfilter/nf_flow_table.h | 57 +++++++ include/net/netns/flow_table.h | 14 ++ net/netfilter/Kconfig | 9 ++ net/netfilter/Makefile | 1 + net/netfilter/nf_flow_table_core.c | 89 ++++++++++- net/netfilter/nf_flow_table_offload.c | 55 ++++++- net/netfilter/nf_flow_table_sysctl.c | 148 ++++++++++++++++++ net/sched/act_ct.c | 5 +- 10 files changed, 380 insertions(+), 13 deletions(-) create mode 100644 include/net/netns/flow_table.h create mode 100644 net/netfilter/nf_flow_table_sysctl.c -- 2.31.1