From: Florian Westphal <fw@strlen.de>
To: Boris Sukholitko <boris.sukholitko@broadcom.com>
Cc: netfilter-devel@vger.kernel.org,
	Ilya Lifshits <ilya.lifshits@broadcom.com>
Subject: Re: [PATCH nf-next 00/19] netfilter: nftables: dscp modification offload
Date: Wed, 3 May 2023 20:46:30 +0200
Message-ID: <20230503184630.GB28036@breakpoint.cc>
In-Reply-To: <20230503125552.41113-1-boris.sukholitko@broadcom.com>

Boris Sukholitko <boris.sukholitko@broadcom.com> wrote:
> Consider ruleset such as:
> 
> table inet filter {
>         chain forward {
>                 type filter hook forward priority filter; policy accept;
>                 ip dscp set cs3
>                 ct state established,related accept
>         }
> }
> 
> As expected, all of the packets from 10.0.2.99 to 10.0.1.99 have IPv4 tos field
> changed to 0x60:
> 
> ...
> 13:36:42.474591 fe:dc:b3:e2:dc:3b > 5a:45:4d:2a:25:65, ethertype IPv4 (0x0800), length 1090: (tos 0x60, ttl 62, id 39855, offset 0, flags [none], proto TCP (6), length 1076)
>     10.0.2.99.12345 > 10.0.1.99.44084: Flags [P.], cksum 0x1bec (incorrect -> 0x44c3), seq 1:1025, ack 1025, win 1987, options [nop,nop,TS val 2854899766 ecr 3249774499], length 1024
> ...
> 
> Now let's try to add flow offload:
> 
> table inet filter {
>         flowtable f1 {
>                 hook ingress priority filter
>                 devices = { veth0, veth1 }
>         }
> 
>         chain forward {
>                 type filter hook forward priority filter; policy accept;
>                 ip dscp set cs3
>                 ip protocol { tcp, udp, gre } flow add @f1
>                 ct state established,related accept
>         }
> }
> 
> Although some of the packets still have their TOS being correct, some are not:
> 
> ...
> 13:41:17.138782 5e:d5:1f:a3:ba:d1 > d2:d2:73:e6:5b:92, ethertype IPv4 (0x0800), length 1090: (tos 0x0, ttl 62, id 20142, offset 0, flags [none], proto TCP (6), length 1076)
>     10.0.2.99.12345 > 10.0.1.99.34230: Flags [P.], cksum 0x1bec (incorrect -> 0xc090), seq 1:1025, ack 1, win 2009, options [nop,nop,TS val 2855174430 ecr 3250049157], length 1024
> ...
> 
> The root cause for the bug seems to be that nft_payload_set_eval (which sets the
> dscp tos field) isn't being called on the offload fast path in
> nf_flow_offload_ip_hook.

I wish you would have reported this before you started to work on
this, because this is not a bug, this is expected behaviour.

Once you offload, the ruleset is bypassed; this is by design.
Let's not make the software offload more complex than it already is.

If you want to apply dscp payload modification, do not use flowtable
offload, or hook those parts at netdev:ingress; it will be called before the
software offload pipeline.

I will reply to some of the changes to the shell tests because this
general reply above doesn't apply to those patches.
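
A sketch of the netdev:ingress arrangement described in the reply above, added here as an illustration and not taken from the thread or from either author. The table name `dscp_mangle`, the chain name `ingress` and the priority value `-1` are assumptions; the devices, flowtable `f1` and the `cs3` value come from the quoted ruleset.

```nft
# Added example (constructed). Names dscp_mangle/ingress and priority -1 are assumptions.
table netdev dscp_mangle {
        chain ingress {
                # The flowtable in the quoted ruleset hooks ingress at priority
                # filter (0). A lower priority value makes this chain run first,
                # so the DSCP rewrite happens before the fast path forwards the packet.
                type filter hook ingress devices = { veth0, veth1 } priority -1; policy accept;
                # netdev chains see every protocol on the wire; restrict to IPv4 explicitly.
                meta protocol ip ip dscp set cs3
        }
}

table inet filter {
        flowtable f1 {
                hook ingress priority filter
                devices = { veth0, veth1 }
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                # Packets handled by the f1 fast path never reach this chain,
                # which is why the dscp rule was moved out of it.
                ip protocol { tcp, udp, gre } flow add @f1
                ct state established,related accept
        }
}
```

Unlike the forward hook, the netdev ingress chain also sees IPv4 packets addressed to the host itself, so the rewrite applies to more traffic than the original rule did. Capturing on the egress device and checking that every packet of an offloaded flow shows `tos 0x60` confirms the ordering.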
