[ovs-dev] [PATCH v2 00/11] conntrack zone limitation

Darrell Ball dball at vmware.com
Thu Aug 2 04:55:43 UTC 2018


Thanks for the series, Yi-hung

I will help review it.

I have a few general queries initially.

Darrell

On 8/1/18, 5:41 PM, "ovs-dev-bounces at openvswitch.org on behalf of Yi-Hung Wei" <ovs-dev-bounces at openvswitch.org on behalf of yihung.wei at gmail.com> wrote:

    This patch series implements connection tracking zone limitation to
    limit the maximum number of conntrack entries in the conntrack table
    for every zone.  This feature aims to resolve a problem that if one
    of the VMs/containers under attack abuses the usage of the conntrack
    entries, it may block the others from committing valid conntrack
    entries into the conntrack table.
    
    To address this issue, this patch series proposes to have a
    fine-grained mechanism that could limit the # of conntrack entries
    per zone.  For example, we can designate different zones to different VMs,
    and set a conntrack limit for each zone.  By providing this isolation, a
    mis-behaved VM only consumes the conntrack entries in its own zone, and
    it will not influence other well-behaved VMs.  Moreover, the users can
    set various conntrack limits for different zones based on their preference.
    
    This patch series consists of dpif layer support, kernel backports to
    support this feature in dpif-netlink, dpif-netlink implementation,
    dpctl commands, and a system traffic test to verify this feature.
    
    v1->v2: Fix a rebase error. Only patch 8 has changed.
    
    Yi-Hung Wei (11):
      compat: Backport nf_ct_netns_{get,put}()
      datapath: compat: Backports nf_conncount
      datapath: compat: Introduce static key support
      datapath: Add conntrack limit netlink definition
      datapath: conntrack: Support conntrack zone limit
      dpif: Support conntrack zone limit.
      ct-dpif: Helper functions for conntrack zone limit
      dpif-netlink: Implement conntrack zone limit
      dpctl: Refactor opt_dpif_open().
      dpctl: Implement dpctl commands for conntrack per zone limit
      system-traffic: Add conntrack per zone limit test case
    
     NEWS                                               |   3 +
     acinclude.m4                                       |   9 +
     datapath/compat.h                                  |   8 +
     datapath/conntrack.c                               | 551 +++++++++++++++++-
     datapath/conntrack.h                               |   9 +-
     datapath/datapath.c                                |   7 +-
     datapath/datapath.h                                |   3 +
     datapath/linux/Modules.mk                          |   7 +-
     datapath/linux/compat/include/linux/openvswitch.h  |  28 +
     datapath/linux/compat/include/linux/static_key.h   |  70 +++
     .../compat/include/net/netfilter/nf_conntrack.h    |   8 +
     .../include/net/netfilter/nf_conntrack_count.h     |  61 ++
     .../linux/compat/include/uapi/linux/netfilter.h    |  14 +
     datapath/linux/compat/nf_conncount.c               | 637 +++++++++++++++++++++
     datapath/linux/compat/nf_conntrack_proto.c         | 112 ++++
     lib/ct-dpif.c                                      | 129 +++++
     lib/ct-dpif.h                                      |  20 +
     lib/dpctl.c                                        | 252 ++++++--
     lib/dpctl.man                                      |  18 +
     lib/dpif-netdev.c                                  |   3 +
     lib/dpif-netlink.c                                 | 199 +++++++
     lib/dpif-provider.h                                |  26 +
     tests/system-traffic.at                            |  75 +++
     23 files changed, 2202 insertions(+), 47 deletions(-)
     create mode 100644 datapath/linux/compat/include/linux/static_key.h
     create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
     create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
     create mode 100644 datapath/linux/compat/nf_conncount.c
     create mode 100644 datapath/linux/compat/nf_conntrack_proto.c
    
    -- 
    2.7.4
    
    _______________________________________________
    dev mailing list
    dev at openvswitch.org
    https://mail.openvswitch.org/mailman/listinfo/ovs-dev
    
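A model of the per-zone accounting the cover letter argues for, added here as an example that is not code from the patch series or from OVS. It assumes a toy table with one shared capacity, a default limit that applies to zones without an explicit one (no default meaning unlimited, i.e. the pre-patch behaviour), and constructed 5-tuples; it shows a flooding zone exhausting a shared table and then being confined once a per-zone limit is set.

```python
from collections import defaultdict


class ConntrackTable:
    """Toy conntrack table: one shared capacity plus a per-zone entry limit.

    Assumed semantics (not taken from the OVS patches): a zone without an
    explicit limit falls back to default_limit; default_limit=None means
    zones are unlimited, i.e. the behaviour before the series.
    """

    def __init__(self, capacity, default_limit=None):
        self.capacity = capacity
        self.default_limit = default_limit
        self.zone_limits = {}               # zone -> explicit limit
        self.per_zone = defaultdict(int)    # zone -> entries committed
        self.entries = set()                # (zone, 5-tuple)

    def set_zone_limit(self, zone, limit):
        self.zone_limits[zone] = limit

    def limit_for(self, zone):
        return self.zone_limits.get(zone, self.default_limit)

    def commit(self, zone, flow):
        """Commit a flow into its zone; return False if it is refused."""
        key = (zone, flow)
        if key in self.entries:
            return True                     # already tracked, no new entry
        limit = self.limit_for(zone)
        if limit is not None and self.per_zone[zone] >= limit:
            return False                    # zone has used up its quota
        if len(self.entries) >= self.capacity:
            return False                    # whole table exhausted
        self.entries.add(key)
        self.per_zone[zone] += 1
        return True


def flood_then_commit(table, attacker_zone, victim_zone, flood_size):
    """Let one zone open flood_size connections, then try one from another."""
    for port in range(flood_size):          # constructed sample traffic
        table.commit(attacker_zone, ("10.0.0.1", 40000 + port, "10.0.0.2", 80, "tcp"))
    return table.commit(victim_zone, ("10.0.1.1", 50000, "10.0.1.2", 443, "tcp"))


def isolation_demo(capacity=100, flood_size=200, zone_limit=40):
    """Return (victim starved without zone limits, victim served with them)."""
    shared = ConntrackTable(capacity)
    starved = not flood_then_commit(shared, 1, 2, flood_size)
    limited = ConntrackTable(capacity, default_limit=zone_limit)
    served = flood_then_commit(limited, 1, 2, flood_size)
    return starved, served
```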