On Thu, 19 May 2022 16:11:36 -0700 Jakub Kicinski wrote:
> On Fri, 20 May 2022 00:02:01 +0200 Pablo Neira Ayuso wrote:
> > To improve hardware offload debuggability and scalability introduce
> > 'nf_flowtable_count_hw' and 'nf_flowtable_max_hw' sysctl entries in new
> > dedicated 'net/netfilter/ft' namespace. Add new pernet struct nf_ft_net in
> > order to store the counter and sysctl header of new sysctl table.
> >
> > Count the offloaded flows in workqueue add task handler. Verify that
> > offloaded flow total is lower than allowed maximum before calling the
> > driver callbacks. To prevent spamming the 'add' workqueue with tasks when
> > flows can't be offloaded anymore also check that count is below limit
> > before queuing offload work. This doesn't prevent all redundant workqueue
> > tasks since counter can be taken by concurrent work handler after the check
> > had been performed but before the offload job is executed but it still
> > greatly reduces such occurrences. Note that flows that were not offloaded
> > due to counter being larger than the cap can still be offloaded via refresh
> > function.
> >
> > Ensure that flows are accounted correctly by verifying IPS_HW_OFFLOAD_BIT
> > value before counting them. This ensures that add/refresh code path
> > increments the counter exactly once per flow when setting the bit and
> > decrements it only for accounted flows when deleting the flow with the bit
> > set.
>
> Why a sysctl and not a netlink attr per table or per device?

Let me do something unorthodox and pull just the first 4 patches for now so the warning goes away...
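The accounting rule in the quoted commit message (cap check before offload, counter incremented exactly once when the offload bit is set, decremented only for accounted flows), as an added single-threaded user-space C model that is not the netfilter patch's own code; the `struct flow`, the `count_hw`/`max_hw` variables and the function names are assumptions standing in for the kernel's pernet counter and sysctl values.

```c
#include <stdatomic.h>
#include <stdbool.h>

#define IPS_HW_OFFLOAD_BIT 0   /* bit position is a placeholder; the name is from the page */

/* Assumed minimal flow: only the status bits matter for accounting. */
struct flow {
    unsigned int status;
};

/* Model of the per-netns counter and cap (nf_flowtable_count_hw / nf_flowtable_max_hw). */
static atomic_uint count_hw = 0;
static unsigned int max_hw = 2;   /* constructed small cap so the limit is easy to hit */

static bool hw_bit_set(const struct flow *f)
{
    return (f->status & (1u << IPS_HW_OFFLOAD_BIT)) != 0;
}

/* Cheap pre-check before queuing offload work; it can still be overtaken by a
 * concurrent handler, which is the residual race the commit message describes. */
static bool should_queue_offload(void)
{
    return atomic_load(&count_hw) < max_hw;
}

/* Add/refresh path: reserve a counter slot atomically, then set the bit, so the
 * counter moves exactly once per flow even if the flow is refreshed later. */
static bool offload_add(struct flow *f)
{
    if (hw_bit_set(f))
        return true;                 /* already accounted: refresh must not double count */
    unsigned int cur = atomic_load(&count_hw);
    do {
        if (cur >= max_hw)
            return false;            /* cap reached: stays in software, refresh may retry */
    } while (!atomic_compare_exchange_weak(&count_hw, &cur, cur + 1));
    f->status |= 1u << IPS_HW_OFFLOAD_BIT;
    return true;
}

/* Delete path: only flows carrying the bit were counted, so only they decrement. */
static void offload_del(struct flow *f)
{
    if (!hw_bit_set(f))
        return;
    f->status &= ~(1u << IPS_HW_OFFLOAD_BIT);
    atomic_fetch_sub(&count_hw, 1);
}

static unsigned int current_count(void)
{
    return atomic_load(&count_hw);
}
```

The compare-and-swap loop is what keeps the counter from exceeding `max_hw` when two handlers pass `should_queue_offload()` at the same time; the bit test is what keeps a refresh or a delete of a never-offloaded flow from skewing it.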