From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: Jakub Kicinski <kuba@kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Xin Long <lucien.xin@gmail.com>,
network dev <netdev@vger.kernel.org>,
dev@openvswitch.org, davem@davemloft.net,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Pravin B Shelar <pshelar@ovn.org>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Davide Caratti <dcaratti@redhat.com>,
Aaron Conole <aconole@redhat.com>
Subject: Re: [PATCH net-next 0/3] net: handle the exp removal problem with ovs upcall properly
Date: Wed, 19 Jul 2023 18:12:40 +0200 [thread overview]
Message-ID: <20230719161240.GB32192@breakpoint.cc> (raw)
In-Reply-To: <20230719030131.GA15663@breakpoint.cc>
Florian Westphal <fw@strlen.de> wrote:
> Jakub Kicinski <kuba@kernel.org> wrote:
> > On Sun, 16 Jul 2023 17:09:16 -0400 Xin Long wrote:
> > > With the OVS upcall, the original ct in the skb will be dropped, and when
> > > the skb comes back from userspace it has to create a new ct again through
> > > nf_conntrack_in() in either OVS __ovs_ct_lookup() or TC tcf_ct_act().
> > >
> > > However, the new ct will not be able to have the exp as the original ct
> > > has taken it away from the hash table in nf_ct_find_expectation(). This
> > > will cause some flow never to be matched, like:
> > >
> > > 'ip,ct_state=-trk,in_port=1 actions=ct(zone=1)'
> > > 'ip,ct_state=+trk+new+rel,in_port=1 actions=ct(commit,zone=1)'
> > > 'ip,ct_state=+trk+new+rel,in_port=1 actions=ct(commit,zone=2),normal'
> > >
> > > if the 2nd flow triggers the OVS upcall, the 3rd flow will never get
> > > matched.
> > >
> > > OVS conntrack works around this by adding its own exp lookup function to
> > > not remove the exp from the hash table and saving the exp and its master
> > > info to the flow keys instead of create a real ct. But this way doesn't
> > > work for TC act_ct.
> > >
> > > The patch 1/3 allows nf_ct_find_expectation() not to remove the exp from
> > > the hash table if tmpl is set with IPS_CONFIRMED when doing lookup. This
> > > allows both OVS conntrack and TC act_ct to have a simple and clear fix
> > > for this problem in the patch 2/3 and 3/3.
> >
> > Florian, Pablo, any opinion on these?
>
> Sorry for the silence. I dislike moving tc/ovs artifacts into
> the conntrack core.
Can't find a better solution, feel free to take this though the net-next tree.
Acked-by: Florian Westphal <fw@strlen.de>
next prev parent reply other threads:[~2023-07-19 16:12 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-16 21:09 [PATCH net-next 0/3] net: handle the exp removal problem with ovs upcall properly Xin Long
2023-07-16 21:09 ` [PATCH net-next 1/3] netfilter: allow exp not to be removed in nf_ct_find_expectation Xin Long
2023-07-19 16:07 ` Aaron Conole
2023-07-16 21:09 ` [PATCH net-next 2/3] net: sched: set IPS_CONFIRMED in tmpl status only when commit is set in act_ct Xin Long
2023-07-19 16:07 ` Aaron Conole
2023-07-19 16:44 ` Davide Caratti
2023-07-16 21:09 ` [PATCH net-next 3/3] openvswitch: set IPS_CONFIRMED in tmpl status only when commit is set in conntrack Xin Long
2023-07-19 16:08 ` Aaron Conole
2024-06-17 20:10 ` Ilya Maximets
2024-06-18 11:34 ` Ilya Maximets
2024-06-18 14:58 ` Xin Long
2024-06-18 15:50 ` Ilya Maximets
2024-06-19 12:58 ` Ilya Maximets
2024-06-19 14:07 ` Xin Long
2024-06-19 17:30 ` Ilya Maximets
2024-06-19 20:11 ` Xin Long
2024-06-19 20:19 ` Florian Westphal
2024-06-19 20:50 ` Xin Long
2024-06-19 21:20 ` Florian Westphal
2024-06-19 22:10 ` Xin Long
2024-07-08 22:03 ` Xin Long
2024-07-08 22:38 ` Florian Westphal
2024-07-09 1:49 ` Xin Long
2024-07-09 5:49 ` Florian Westphal
2023-07-19 2:58 ` [PATCH net-next 0/3] net: handle the exp removal problem with ovs upcall properly Jakub Kicinski
2023-07-19 3:01 ` Florian Westphal
2023-07-19 16:12 ` Florian Westphal [this message]
2023-07-19 13:31 ` Aaron Conole
2023-07-20 8:20 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230719161240.GB32192@breakpoint.cc \
--to=fw@strlen.de \
--cc=aconole@redhat.com \
--cc=davem@davemloft.net \
--cc=dcaratti@redhat.com \
--cc=dev@openvswitch.org \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=pshelar@ovn.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.