[PATCH nf-next 0/7] netfilter: rework conntrack/flowtable interaction

This series resolves a few problems with flowtables when entries are
moved from offload (hw/sw offload) back to the conntrack slowpath.

First patch fixes conntrack reset validation: we must clear the MAXACK flag
on reset packets in the sw flow offload path, because conntrack state is stale
and it cannot validate the reset sequence number.

Second patch adds mandatory locking when manipulating ct state flags.

Third patch is a cleanup patch so existing API can be re-used when
we lack an skb.

Patch 4 is a small preparation patch to reuse the existing API and
get rid of the redundant one later.

Patch 5 moves timeout extension logic from conntrack GC to flowtable
GC worker.

Patch 6 prevents accidental unwanted growth of conntrack timeout
when handling packets of same flow in slowpath at same time.

Patch 7 is an optimization to keep entry in software flowtable
when a fin is received.

NB: nftables flowtable selftest needs a minor fixup to expect a 300s
timeout instead of 5 days after the initial move to slowpath; this is the
only observed failure with nf kselftests or nftables shell tests.

Florian Westphal (7):
  netfilter: nft_flow_offload: clear tcp MAXACK flag before moving to
    slowpath
  netfilter: nft_flow_offload: update tcp state flags under lock
  netfilter: conntrack: remove skb argument from nf_ct_refresh
  netfilter: flowtable: prefer plain nf_ct_refresh for setting initial
    timeout
  netfilter: conntrack: rework offload nf_conn timeout extension logic
  netfilter: nft_flow_offload: never grow the timeout when moving
    packets back to slowpath
  netfilter: nft_flow_offload: do not remove flowtable entry for fin
    packets

 Patches vs. nf-next, but could be applied to nf too.

 include/net/netfilter/nf_conntrack.h   |  18 +--
 net/netfilter/nf_conntrack_amanda.c    |   2 +-
 net/netfilter/nf_conntrack_broadcast.c |   2 +-
 net/netfilter/nf_conntrack_core.c      |  13 +-
 net/netfilter/nf_conntrack_h323_main.c |   4 +-
 net/netfilter/nf_conntrack_sip.c       |   4 +-
 net/netfilter/nf_flow_table_core.c     | 200 ++++++++++++++++++++++---
 net/netfilter/nf_flow_table_ip.c       |   5 +-
 net/netfilter/nft_ct.c                 |   2 +-
 net/netfilter/nft_flow_offload.c       |  16 +-
 10 files changed, 207 insertions(+), 59 deletions(-)

-- 
2.44.2