[ovs-dev] [CONNTRACK] Discussions at OvS 2017
Ben Pfaff
blp at ovn.org
Mon Nov 27 19:31:27 UTC 2017
Darrell, I think that you are working on some of the specific items that
Aaron listed. Can you comment on that?
On Sat, Nov 25, 2017 at 07:37:23PM +0000, Darrell Ball wrote:
> Let me clarify some general points.
>
> 1/ We will not be porting any code from the Linux kernel, whether it be SIP module code or anything else.
>
> 2/ Furthermore, we will not be using proprietary code algorithms and other aspects from the Linux kernel.
>
> 3/ Furthermore, those people working in, having worked in, or having been exposed to Netfilter code need to
> be careful about any “cross-pollination”, intentional or otherwise.
>
> 4/ In addition, in general, we don’t think it is necessary to copy the behavior of the kernel; we look at
> each behavior and see if it makes sense or is necessary on its own technical merits. If we don’t think it
> necessary, overly complex, or we have something better, we can omit that behavior entirely or do it differently.
>
> Thanks Darrell
>
>
>
> On 11/25/17, 9:47 AM, "ovs-dev-bounces at openvswitch.org on behalf of Tiago Lam" <ovs-dev-bounces at openvswitch.org on behalf of tiagolam at gmail.com> wrote:
>
> Hi Aaron (and all),
>
> Thank you for your email, I found it to be informative.
>
> Would you mind elaborating a bit more on point number 5 below?
>
> With regards to SIP (don't know about SCTP), a module [1] seems to already
> exist for the kernel, integrating with Netfilter / conntrack.
>
> So, in terms of support for SIP in OVS' userspace conntrack (or any other new
> protocol for that matter, but I'm most familiar with SIP), would OVS be
> looking for a port, or a "from scratch" implementation? Or what would be the
> preference here?
>
> Thanks and regards,
>
> Tiago.
>
> [1] https://urldefense.proofpoint.com/v2/url?u=https-3A__people.netfilter.org_chentschel_docs_sip-2Dconntrack-2Dnat.html&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=FfTX_mff2SgY4OCYC5YbZOO44fljLYgir7rk9fccjRQ&s=Pfb29ck4yGzJEN3CgHQWatvLFA-XFUuMG_UWAKoutN0&e=
>
> On 11/20/2017 06:21 PM, Aaron Conole wrote:
> > (NOTE: This is a resend - I fat-fingered the ovs email. Apologies to
> > those who got duplicates).
> >
> > This email is meant to summarize some of the discussions we had at OvS
> > conference.
> >
> > The interest in the userspace conntrack is heating up. That's a good
> > thing, but it means that we'll probably have some growing pains as it
> > relates to features and usages. These are the topics and some
> > additional information that we came up with.
> >
> > 1. Making EST state match between linux kernel conntrack and userspace
> > conntrack. We will need to make sure that the windows datapath
> > conntrack also matches. The issue came down to the distinction about
> > whether commit action should also imply that the connection is
> > established.
> >
> > 2. Disabling conntrack helpers 'on by default' in the userspace
> > datapath. This represents possible security issue; users will want
> > to disable helpers (or enable helpers) at their own discretion.
> > One proposed resolution to this is simply disabling the helpers, and
> > relying on the 'alg=' specifier in the conntrack action. Complicating
> > this solution is existing users who rely on the existing solution -
> > specifically those users with the tftp helper and pxe booting in an
> > large data center.
> >
> > 3. Performance analysis deep-dive. We'd like to get input on the
> > performance of the userspace conntrack path. There was discussion
> > that the performance was suffering - anything here like additional
> > tests people have, or data that can be shared is good. The
> > development community is interested in knowing what it means.
> >
> > 4. Hardware offload. What will we need to present from that standpoint?
> > Are there counters or other information that software will need to
> > expose? What does it mean for the userspace datapath to be aware of
> > hardware offload for conntrack?
> >
> > 5. Additional protocol support and helpers. We think SCTP, and SIP are
> > important. Any others? Anyone think this is useful work to do?
> >
> > Thanks all for the presentations and discussions.
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=FfTX_mff2SgY4OCYC5YbZOO44fljLYgir7rk9fccjRQ&s=0oFbn_OEVTacCVLYQVealZJQelpkp-hZmBriL5kLV_s&e=
> >
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=uilaK90D4TOVoH58JNXRgQ&r=BVhFA09CGX7JQ5Ih-uZnsw&m=FfTX_mff2SgY4OCYC5YbZOO44fljLYgir7rk9fccjRQ&s=0oFbn_OEVTacCVLYQVealZJQelpkp-hZmBriL5kLV_s&e=
>
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
More information about the dev
mailing list