* [PATCH net-next v3 1/3] net/sched: act_ct: set 'net' pointer when creating new nf_flow_table
2022-05-17 16:59 [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Vlad Buslov
@ 2022-05-17 16:59 ` Vlad Buslov
2022-05-17 16:59 ` [PATCH net-next v3 2/3] netfilter: nf_flow_table: count and limit hw offloaded entries Vlad Buslov
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Vlad Buslov @ 2022-05-17 16:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, kadlec, fw, ozsh, paulb, Vlad Buslov
Following patches in series use the pointer to access flow table offload
debug variables.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
---
net/sched/act_ct.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 8af9d6e5ba61..58e0dfed22c6 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -277,7 +277,7 @@ static struct nf_flowtable_type flowtable_ct = {
.owner = THIS_MODULE,
};
-static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
+static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
@@ -303,6 +303,7 @@ static int tcf_ct_flow_table_get(struct tcf_ct_params *params)
err = nf_flow_table_init(&ct_ft->nf_ft);
if (err)
goto err_init;
+ write_pnet(&ct_ft->nf_ft.net, net);
__module_get(THIS_MODULE);
out_unlock:
@@ -1391,7 +1392,7 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
if (err)
goto cleanup;
- err = tcf_ct_flow_table_get(params);
+ err = tcf_ct_flow_table_get(net, params);
if (err)
goto cleanup;
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH net-next v3 2/3] netfilter: nf_flow_table: count and limit hw offloaded entries
2022-05-17 16:59 [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Vlad Buslov
2022-05-17 16:59 ` [PATCH net-next v3 1/3] net/sched: act_ct: set 'net' pointer when creating new nf_flow_table Vlad Buslov
@ 2022-05-17 16:59 ` Vlad Buslov
2022-05-17 16:59 ` [PATCH net-next v3 3/3] netfilter: nf_flow_table: count pending offload workqueue tasks Vlad Buslov
2022-05-19 20:41 ` [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Vlad Buslov @ 2022-05-17 16:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, kadlec, fw, ozsh, paulb, Vlad Buslov
To improve hardware offload debuggability and scalability introduce
'nf_flowtable_count_hw' and 'nf_flowtable_max_hw' sysctl entries in new
dedicated 'net/netfilter/ft' namespace. Add new pernet struct nf_ft_net in
order to store the counter and sysctl header of new sysctl table.
Count the offloaded flows in workqueue add task handler. Verify that
offloaded flow total is lower than allowed maximum before calling the
driver callbacks. To prevent spamming the 'add' workqueue with tasks when
flows can't be offloaded anymore also check that count is below limit
before queuing offload work. This doesn't prevent all redundant workqueue
task since counter can be taken by concurrent work handler after the check
had been performed but before the offload job is executed but it still
greatly reduces such occurrences. Note that flows that were not offloaded
due to counter being larger than the cap can still be offloaded via refresh
function.
Ensure that flows are accounted correctly by verifying IPS_HW_OFFLOAD_BIT
value before counting them. This ensures that add/refresh code path
increments the counter exactly once per flow when setting the bit and
decrements it only for accounted flows when deleting the flow with the bit
set.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
---
Notes:
Changes V2 -> V3:
- Move sysctl documentation to existing conntrack rst file.
- Change Makefile to conditionally include nf_flow_table_sysctl.c file and
remove corresponding ifdefs from the file.
Changes V1 -> V2:
- Combine patches that expose offloaded flow count and limit total
offloaded flows.
- Rework the counting logic to count in workqueue context.
- Create dedicated namespace for flow table sysctls.
.../networking/nf_conntrack-sysctl.rst | 9 +++
include/net/netfilter/nf_flow_table.h | 36 ++++++++++
net/netfilter/Makefile | 1 +
net/netfilter/nf_flow_table_core.c | 55 ++++++++++++++-
net/netfilter/nf_flow_table_offload.c | 38 ++++++++--
net/netfilter/nf_flow_table_sysctl.c | 69 +++++++++++++++++++
6 files changed, 200 insertions(+), 8 deletions(-)
create mode 100644 net/netfilter/nf_flow_table_sysctl.c
diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst
index 311128abb768..a60394e1d3a5 100644
--- a/Documentation/networking/nf_conntrack-sysctl.rst
+++ b/Documentation/networking/nf_conntrack-sysctl.rst
@@ -207,3 +207,12 @@ nf_flowtable_udp_timeout - INTEGER (seconds)
Control offload timeout for udp connections.
UDP connections may be offloaded from nf conntrack to nf flow table.
Once aged, the connection is returned to nf conntrack with udp pickup timeout.
+
+nf_flowtable_count_hw - INTEGER (read-only)
+ Number of flowtable entries that are currently offloaded to hardware.
+
+nf_flowtable_max_hw - INTEGER
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ Cap on maximum total amount of flowtable entries offloaded to hardware.
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 64daafd1fc41..9709f984fba2 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -335,4 +335,40 @@ static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
return 0;
}
+struct nf_ft_net {
+ atomic_t count_hw;
+#ifdef CONFIG_SYSCTL
+ struct ctl_table_header *sysctl_header;
+#endif
+};
+
+extern unsigned int nf_ft_hw_max;
+extern unsigned int nf_ft_net_id;
+
+#include <net/netns/generic.h>
+
+static inline struct nf_ft_net *nf_ft_pernet(const struct net *net)
+{
+ return net_generic(net, nf_ft_net_id);
+}
+
+static inline struct nf_ft_net *nf_ft_pernet_get(struct nf_flowtable *flow_table)
+{
+ return nf_ft_pernet(read_pnet(&flow_table->net));
+}
+
+#ifdef CONFIG_SYSCTL
+int nf_flow_table_init_sysctl(struct net *net);
+void nf_flow_table_fini_sysctl(struct net *net);
+#else
+static inline int nf_flow_table_init_sysctl(struct net *net)
+{
+ return 0;
+}
+
+static inline void nf_flow_table_fini_sysctl(struct net *net)
+{
+}
+#endif /* CONFIG_SYSCTL */
+
#endif /* _NF_FLOW_TABLE_H */
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 238b6a620e88..9e3c1f9c6d07 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -128,6 +128,7 @@ obj-$(CONFIG_NFT_FWD_NETDEV) += nft_fwd_netdev.o
obj-$(CONFIG_NF_FLOW_TABLE) += nf_flow_table.o
nf_flow_table-objs := nf_flow_table_core.o nf_flow_table_ip.o \
nf_flow_table_offload.o
+nf_flow_table-$(CONFIG_SYSCTL) += nf_flow_table_sysctl.o
obj-$(CONFIG_NF_FLOW_TABLE_INET) += nf_flow_table_inet.o
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 3db256da919b..e2598f98017c 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -277,6 +277,13 @@ static const struct rhashtable_params nf_flow_offload_rhash_params = {
.automatic_shrinking = true,
};
+static bool flow_max_hw_entries(struct nf_flowtable *flow_table)
+{
+ struct nf_ft_net *fnet = nf_ft_pernet_get(flow_table);
+
+ return nf_ft_hw_max && atomic_read(&fnet->count_hw) >= nf_ft_hw_max;
+}
+
unsigned long flow_offload_get_timeout(struct flow_offload *flow)
{
unsigned long timeout = NF_FLOW_TIMEOUT;
@@ -320,7 +327,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
nf_ct_offload_timeout(flow->ct);
- if (nf_flowtable_hw_offload(flow_table)) {
+ if (nf_flowtable_hw_offload(flow_table) &&
+ !flow_max_hw_entries(flow_table)) {
__set_bit(NF_FLOW_HW, &flow->flags);
nf_flow_offload_add(flow_table, flow);
}
@@ -338,9 +346,11 @@ void flow_offload_refresh(struct nf_flowtable *flow_table,
if (READ_ONCE(flow->timeout) != timeout)
WRITE_ONCE(flow->timeout, timeout);
- if (likely(!nf_flowtable_hw_offload(flow_table)))
+ if (likely(!nf_flowtable_hw_offload(flow_table) ||
+ flow_max_hw_entries(flow_table)))
return;
+ set_bit(NF_FLOW_HW, &flow->flags);
nf_flow_offload_add(flow_table, flow);
}
EXPORT_SYMBOL_GPL(flow_offload_refresh);
@@ -652,14 +662,53 @@ void nf_flow_table_free(struct nf_flowtable *flow_table)
}
EXPORT_SYMBOL_GPL(nf_flow_table_free);
+static int nf_flow_table_pernet_init(struct net *net)
+{
+ return nf_flow_table_init_sysctl(net);
+}
+
+static void nf_flow_table_pernet_exit(struct list_head *net_exit_list)
+{
+ struct net *net;
+
+ list_for_each_entry(net, net_exit_list, exit_list)
+ nf_flow_table_fini_sysctl(net);
+}
+
+unsigned int nf_ft_net_id __read_mostly;
+
+static struct pernet_operations nf_flow_table_net_ops = {
+ .init = nf_flow_table_pernet_init,
+ .exit_batch = nf_flow_table_pernet_exit,
+ .id = &nf_ft_net_id,
+ .size = sizeof(struct nf_ft_net),
+};
+
static int __init nf_flow_table_module_init(void)
{
- return nf_flow_table_offload_init();
+ int ret;
+
+ nf_ft_hw_max = 0;
+
+ ret = register_pernet_subsys(&nf_flow_table_net_ops);
+ if (ret < 0)
+ return ret;
+
+ ret = nf_flow_table_offload_init();
+ if (ret)
+ goto out_offload;
+
+ return 0;
+
+out_offload:
+ unregister_pernet_subsys(&nf_flow_table_net_ops);
+ return ret;
}
static void __exit nf_flow_table_module_exit(void)
{
nf_flow_table_offload_exit();
+ unregister_pernet_subsys(&nf_flow_table_net_ops);
}
module_init(nf_flow_table_module_init);
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 11b6e1942092..5c7146eb646a 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -13,6 +13,8 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
+unsigned int nf_ft_hw_max __read_mostly;
+
static struct workqueue_struct *nf_flow_offload_add_wq;
static struct workqueue_struct *nf_flow_offload_del_wq;
static struct workqueue_struct *nf_flow_offload_stats_wq;
@@ -903,30 +905,56 @@ static int flow_offload_rule_add(struct flow_offload_work *offload,
return 0;
}
+static bool flow_get_max_hw_entries(struct nf_flowtable *flow_table)
+{
+ struct nf_ft_net *fnet = nf_ft_pernet_get(flow_table);
+ int count_hw = atomic_inc_return(&fnet->count_hw);
+
+ if (nf_ft_hw_max && count_hw > nf_ft_hw_max) {
+ atomic_dec(&fnet->count_hw);
+ return false;
+ }
+ return true;
+}
+
static void flow_offload_work_add(struct flow_offload_work *offload)
{
+ struct nf_ft_net *fnet = nf_ft_pernet_get(offload->flowtable);
struct nf_flow_rule *flow_rule[FLOW_OFFLOAD_DIR_MAX];
int err;
+ if (!flow_get_max_hw_entries(offload->flowtable))
+ return;
+
err = nf_flow_offload_alloc(offload, flow_rule);
if (err < 0)
- return;
+ goto out_alloc;
err = flow_offload_rule_add(offload, flow_rule);
if (err < 0)
- goto out;
+ goto out_add;
- set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
+ if (test_and_set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status))
+ atomic_dec(&fnet->count_hw);
+ nf_flow_offload_destroy(flow_rule);
+ return;
-out:
+out_add:
nf_flow_offload_destroy(flow_rule);
+out_alloc:
+ atomic_dec(&fnet->count_hw);
}
static void flow_offload_work_del(struct flow_offload_work *offload)
{
- clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
+ bool offloaded = test_and_clear_bit(IPS_HW_OFFLOAD_BIT,
+ &offload->flow->ct->status);
+ struct nf_ft_net *fnet = nf_ft_pernet_get(offload->flowtable);
+
flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL);
flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY);
+ if (offloaded)
+ atomic_dec(&fnet->count_hw);
set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags);
}
diff --git a/net/netfilter/nf_flow_table_sysctl.c b/net/netfilter/nf_flow_table_sysctl.c
new file mode 100644
index 000000000000..2e7539be8f88
--- /dev/null
+++ b/net/netfilter/nf_flow_table_sysctl.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <linux/kernel.h>
+#include <net/netfilter/nf_flow_table.h>
+
+enum nf_ct_sysctl_index {
+ NF_SYSCTL_FLOW_TABLE_MAX_HW,
+ NF_SYSCTL_FLOW_TABLE_COUNT_HW,
+
+ __NF_SYSCTL_FLOW_TABLE_LAST_SYSCTL,
+};
+
+#define NF_SYSCTL_FLOW_TABLE_LAST_SYSCTL \
+ (__NF_SYSCTL_FLOW_TABLE_LAST_SYSCTL + 1)
+
+static struct ctl_table nf_flow_table_sysctl_table[] = {
+ [NF_SYSCTL_FLOW_TABLE_MAX_HW] = {
+ .procname = "nf_flowtable_max_hw",
+ .data = &nf_ft_hw_max,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ [NF_SYSCTL_FLOW_TABLE_COUNT_HW] = {
+ .procname = "nf_flowtable_count_hw",
+ .maxlen = sizeof(int),
+ .mode = 0444,
+ .proc_handler = proc_dointvec,
+ },
+ {}
+};
+
+int nf_flow_table_init_sysctl(struct net *net)
+{
+ struct nf_ft_net *fnet = nf_ft_pernet(net);
+ struct ctl_table *table;
+
+ BUILD_BUG_ON(ARRAY_SIZE(nf_flow_table_sysctl_table) != NF_SYSCTL_FLOW_TABLE_LAST_SYSCTL);
+
+ table = kmemdup(nf_flow_table_sysctl_table, sizeof(nf_flow_table_sysctl_table),
+ GFP_KERNEL);
+ if (!table)
+ return -ENOMEM;
+
+ table[NF_SYSCTL_FLOW_TABLE_COUNT_HW].data = &fnet->count_hw;
+
+ /* Don't allow non-init_net ns to alter global sysctls */
+ if (!net_eq(&init_net, net))
+ table[NF_SYSCTL_FLOW_TABLE_MAX_HW].mode = 0444;
+
+ fnet->sysctl_header = register_net_sysctl(net, "net/netfilter/ft", table);
+ if (!fnet->sysctl_header)
+ goto out_unregister_netfilter;
+
+ return 0;
+
+out_unregister_netfilter:
+ kfree(table);
+ return -ENOMEM;
+}
+
+void nf_flow_table_fini_sysctl(struct net *net)
+{
+ struct nf_ft_net *fnet = nf_ft_pernet(net);
+ struct ctl_table *table;
+
+ table = fnet->sysctl_header->ctl_table_arg;
+ unregister_net_sysctl_table(fnet->sysctl_header);
+ kfree(table);
+}
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH net-next v3 3/3] netfilter: nf_flow_table: count pending offload workqueue tasks
2022-05-17 16:59 [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Vlad Buslov
2022-05-17 16:59 ` [PATCH net-next v3 1/3] net/sched: act_ct: set 'net' pointer when creating new nf_flow_table Vlad Buslov
2022-05-17 16:59 ` [PATCH net-next v3 2/3] netfilter: nf_flow_table: count and limit hw offloaded entries Vlad Buslov
@ 2022-05-17 16:59 ` Vlad Buslov
2022-05-19 20:41 ` [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Vlad Buslov @ 2022-05-17 16:59 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, kadlec, fw, ozsh, paulb, Vlad Buslov
To improve hardware offload debuggability count pending 'add', 'del' and
'stats' flow_table offload workqueue tasks. Counters are incremented before
scheduling new task and decremented when workqueue handler finishes
executing. These counters allow user to diagnose congestion on hardware
offload workqueues that can happen when either CPU is starved and workqueue
jobs are executed at lower rate than new ones are added or when
hardware/driver can't keep up with the rate.
Implement the described counters as percpu counters inside new struct
netns_ft which is stored inside struct net. Expose them via new procfs file
'/proc/net/stats/nf_flowtable' that is similar to existing 'nf_conntrack'
file.
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
---
Notes:
Changes V2 -> V3:
- Add CONFIG_NF_FLOW_TABLE_PROCFS dependency on SYSCTL.
- Move dummy definitions of nf_flow_table_{init|fini}_proc() from source to
nf_flow_table.h file in order to not break compilation when CONFIG_SYSCTL
is disabled.
Changes V1 -> V2:
- Combine patches that expose add, del, stats tasks.
- Use percpu stats to count pending workqueue tasks instead of atomics.
- Expose the stats via /proc/net/stats/nf_flowtable file instead of
sysctls.
include/net/net_namespace.h | 6 ++
include/net/netfilter/nf_flow_table.h | 21 +++++++
include/net/netns/flow_table.h | 14 +++++
net/netfilter/Kconfig | 9 +++
net/netfilter/nf_flow_table_core.c | 38 ++++++++++++-
net/netfilter/nf_flow_table_offload.c | 17 +++++-
net/netfilter/nf_flow_table_sysctl.c | 79 +++++++++++++++++++++++++++
7 files changed, 179 insertions(+), 5 deletions(-)
create mode 100644 include/net/netns/flow_table.h
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index c4f5601f6e32..bf770c13e19b 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -26,6 +26,9 @@
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netns/conntrack.h>
#endif
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
+#include <net/netns/flow_table.h>
+#endif
#include <net/netns/nftables.h>
#include <net/netns/xfrm.h>
#include <net/netns/mpls.h>
@@ -140,6 +143,9 @@ struct net {
#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
struct netns_nftables nft;
#endif
+#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
+ struct netns_ft ft;
+#endif
#endif
#ifdef CONFIG_WEXT_CORE
struct sk_buff_head wext_nlevents;
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 9709f984fba2..e6d63228efd4 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -371,4 +371,25 @@ static inline void nf_flow_table_fini_sysctl(struct net *net)
}
#endif /* CONFIG_SYSCTL */
+#define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count)
+#define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count)
+#define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \
+ this_cpu_inc((net)->ft.stat->count)
+#define NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count) \
+ this_cpu_dec((net)->ft.stat->count)
+
+#ifdef CONFIG_NF_FLOW_TABLE_PROCFS
+int nf_flow_table_init_proc(struct net *net);
+void nf_flow_table_fini_proc(struct net *net);
+#else
+static inline int nf_flow_table_init_proc(struct net *net)
+{
+ return 0;
+}
+
+static inline void nf_flow_table_fini_proc(struct net *net)
+{
+}
+#endif /* CONFIG_NF_FLOW_TABLE_PROCFS */
+
#endif /* _NF_FLOW_TABLE_H */
diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
new file mode 100644
index 000000000000..1c5fc657e267
--- /dev/null
+++ b/include/net/netns/flow_table.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __NETNS_FLOW_TABLE_H
+#define __NETNS_FLOW_TABLE_H
+
+struct nf_flow_table_stat {
+ unsigned int count_wq_add;
+ unsigned int count_wq_del;
+ unsigned int count_wq_stats;
+};
+
+struct netns_ft {
+ struct nf_flow_table_stat __percpu *stat;
+};
+#endif
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ddc54b6d18ee..df6abbfe0079 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -734,6 +734,15 @@ config NF_FLOW_TABLE
To compile it as a module, choose M here.
+config NF_FLOW_TABLE_PROCFS
+ bool "Supply flow table statistics in procfs"
+ default y
+ depends on PROC_FS
+ depends on SYSCTL
+ help
+ This option enables for the flow table offload statistics
+ to be shown in procfs under net/netfilter/nf_flowtable.
+
config NETFILTER_XTABLES
tristate "Netfilter Xtables support (required for ip_tables)"
default m if NETFILTER_ADVANCED=n
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index e2598f98017c..c86dd627ef42 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -662,17 +662,51 @@ void nf_flow_table_free(struct nf_flowtable *flow_table)
}
EXPORT_SYMBOL_GPL(nf_flow_table_free);
+static int nf_flow_table_init_net(struct net *net)
+{
+ net->ft.stat = alloc_percpu(struct nf_flow_table_stat);
+ return net->ft.stat ? 0 : -ENOMEM;
+}
+
+static void nf_flow_table_fini_net(struct net *net)
+{
+ free_percpu(net->ft.stat);
+}
+
static int nf_flow_table_pernet_init(struct net *net)
{
- return nf_flow_table_init_sysctl(net);
+ int ret;
+
+ ret = nf_flow_table_init_net(net);
+ if (ret < 0)
+ return ret;
+
+ ret = nf_flow_table_init_sysctl(net);
+ if (ret < 0)
+ goto out_sysctl;
+
+ ret = nf_flow_table_init_proc(net);
+ if (ret < 0)
+ goto out_proc;
+
+ return 0;
+
+out_proc:
+ nf_flow_table_fini_sysctl(net);
+out_sysctl:
+ nf_flow_table_fini_net(net);
+ return ret;
}
static void nf_flow_table_pernet_exit(struct list_head *net_exit_list)
{
struct net *net;
- list_for_each_entry(net, net_exit_list, exit_list)
+ list_for_each_entry(net, net_exit_list, exit_list) {
+ nf_flow_table_fini_proc(net);
nf_flow_table_fini_sysctl(net);
+ nf_flow_table_fini_net(net);
+ }
}
unsigned int nf_ft_net_id __read_mostly;
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 5c7146eb646a..074322c1176f 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -995,17 +995,22 @@ static void flow_offload_work_stats(struct flow_offload_work *offload)
static void flow_offload_work_handler(struct work_struct *work)
{
struct flow_offload_work *offload;
+ struct net *net;
offload = container_of(work, struct flow_offload_work, work);
+ net = read_pnet(&offload->flowtable->net);
switch (offload->cmd) {
case FLOW_CLS_REPLACE:
flow_offload_work_add(offload);
+ NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count_wq_add);
break;
case FLOW_CLS_DESTROY:
flow_offload_work_del(offload);
+ NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count_wq_del);
break;
case FLOW_CLS_STATS:
flow_offload_work_stats(offload);
+ NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count_wq_stats);
break;
default:
WARN_ON_ONCE(1);
@@ -1017,12 +1022,18 @@ static void flow_offload_work_handler(struct work_struct *work)
static void flow_offload_queue_work(struct flow_offload_work *offload)
{
- if (offload->cmd == FLOW_CLS_REPLACE)
+ struct net *net = read_pnet(&offload->flowtable->net);
+
+ if (offload->cmd == FLOW_CLS_REPLACE) {
+ NF_FLOW_TABLE_STAT_INC(net, count_wq_add);
queue_work(nf_flow_offload_add_wq, &offload->work);
- else if (offload->cmd == FLOW_CLS_DESTROY)
+ } else if (offload->cmd == FLOW_CLS_DESTROY) {
+ NF_FLOW_TABLE_STAT_INC(net, count_wq_del);
queue_work(nf_flow_offload_del_wq, &offload->work);
- else
+ } else {
+ NF_FLOW_TABLE_STAT_INC(net, count_wq_stats);
queue_work(nf_flow_offload_stats_wq, &offload->work);
+ }
}
static struct flow_offload_work *
diff --git a/net/netfilter/nf_flow_table_sysctl.c b/net/netfilter/nf_flow_table_sysctl.c
index 2e7539be8f88..edbdcc8731d9 100644
--- a/net/netfilter/nf_flow_table_sysctl.c
+++ b/net/netfilter/nf_flow_table_sysctl.c
@@ -1,7 +1,86 @@
// SPDX-License-Identifier: GPL-2.0-only
#include <linux/kernel.h>
+#include <linux/proc_fs.h>
#include <net/netfilter/nf_flow_table.h>
+#ifdef CONFIG_NF_FLOW_TABLE_PROCFS
+static void *nf_flow_table_cpu_seq_start(struct seq_file *seq, loff_t *pos)
+{
+ struct net *net = seq_file_net(seq);
+ int cpu;
+
+ if (*pos == 0)
+ return SEQ_START_TOKEN;
+
+ for (cpu = *pos - 1; cpu < nr_cpu_ids; ++cpu) {
+ if (!cpu_possible(cpu))
+ continue;
+ *pos = cpu + 1;
+ return per_cpu_ptr(net->ft.stat, cpu);
+ }
+
+ return NULL;
+}
+
+static void *nf_flow_table_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+{
+ struct net *net = seq_file_net(seq);
+ int cpu;
+
+ for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
+ if (!cpu_possible(cpu))
+ continue;
+ *pos = cpu + 1;
+ return per_cpu_ptr(net->ft.stat, cpu);
+ }
+ (*pos)++;
+ return NULL;
+}
+
+static void nf_flow_table_cpu_seq_stop(struct seq_file *seq, void *v)
+{
+}
+
+static int nf_flow_table_cpu_seq_show(struct seq_file *seq, void *v)
+{
+ const struct nf_flow_table_stat *st = v;
+
+ if (v == SEQ_START_TOKEN) {
+ seq_puts(seq, "wq_add wq_del wq_stats\n");
+ return 0;
+ }
+
+ seq_printf(seq, "%8d %8d %8d\n",
+ st->count_wq_add,
+ st->count_wq_del,
+ st->count_wq_stats
+ );
+ return 0;
+}
+
+static const struct seq_operations nf_flow_table_cpu_seq_ops = {
+ .start = nf_flow_table_cpu_seq_start,
+ .next = nf_flow_table_cpu_seq_next,
+ .stop = nf_flow_table_cpu_seq_stop,
+ .show = nf_flow_table_cpu_seq_show,
+};
+
+int nf_flow_table_init_proc(struct net *net)
+{
+ struct proc_dir_entry *pde;
+
+ pde = proc_create_net("nf_flowtable", 0444, net->proc_net_stat,
+ &nf_flow_table_cpu_seq_ops,
+ sizeof(struct seq_net_private));
+ return pde ? 0 : -ENOMEM;
+}
+
+void nf_flow_table_fini_proc(struct net *net)
+{
+ remove_proc_entry("nf_flowtable", net->proc_net_stat);
+}
+#endif /* CONFIG_NF_FLOW_TABLE_PROCFS */
+
enum nf_ct_sysctl_index {
NF_SYSCTL_FLOW_TABLE_MAX_HW,
NF_SYSCTL_FLOW_TABLE_COUNT_HW,
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH net-next v3 0/3] Conntrack offload debuggability improvements
2022-05-17 16:59 [PATCH net-next v3 0/3] Conntrack offload debuggability improvements Vlad Buslov
` (2 preceding siblings ...)
2022-05-17 16:59 ` [PATCH net-next v3 3/3] netfilter: nf_flow_table: count pending offload workqueue tasks Vlad Buslov
@ 2022-05-19 20:41 ` Pablo Neira Ayuso
3 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-19 20:41 UTC (permalink / raw)
To: Vlad Buslov; +Cc: netfilter-devel, kadlec, fw, ozsh, paulb
On Tue, May 17, 2022 at 07:59:06PM +0300, Vlad Buslov wrote:
> Current conntrack offload implementation doesn't provide much visibility
> and control over offload code. The code just tries to offload new flows,
> even if current amount of flows is beyond what can be reasonably
> processed by target hardware. On top of that there is no way to
> determine current load on workqueues that process the offload tasks
> which makes it hard to debug the cases where offload is significantly
> delayed due to rate of new connections being higher than driver or
> hardware offload rate.
>
> Improve the debuggability situation by implementing following new
> functionality:
>
> - Sysctls for current total count of offloaded flow and
> user-configurable maximum. Capping the amount of offloaded flows can
> be useful for the allocations of hardware resources. Note that the
> flow can still be offloaded afterwards via 'refresh' mechanism if
> total hardware count.
>
> - Procfs for current total of workqueue tasks for nf_ft_offload_add,
> nf_ft_offload_del and nf_ft_offload_stats queues. This allows
> visibility for flow offload delay due to system scheduling offload
> tasks faster than driver/hardware can process them.
Series applied, thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread