[ovs-dev] [PATCH v2 00/11] conntrack zone limitation
Darrell Ball
dball at vmware.com
Thu Aug 2 04:55:43 UTC 2018
Thanks for the series, Yi-Hung.
I will help review it.
I have a few general queries initially.
Darrell
On 8/1/18, 5:41 PM, "ovs-dev-bounces at openvswitch.org on behalf of Yi-Hung Wei" <ovs-dev-bounces at openvswitch.org on behalf of yihung.wei at gmail.com> wrote:
This patch series implements connection tracking zone limitation to
limit the maximum number of conntrack entries in the conntrack table
for every zone. This feature aims to resolve the problem that if one
of the VMs/containers is under attack and abuses the conntrack
entries, it may block the others from committing valid conntrack
entries into the conntrack table.
To address this issue, this patch series proposes a
fine-grained mechanism that limits the # of conntrack entries
per zone. For example, we can designate different zones to different VMs,
and set a conntrack limit for each zone. By providing this isolation, a
misbehaving VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs. Moreover, users can
set different conntrack limits on different zones based on their preference.
This patch series consists of dpif layer support, kernel backports to
support this feature in dpif-netlink, the dpif-netlink implementation,
dpctl commands, and a system traffic test to verify this feature.
v1->v2: Fix a rebase error. Only patch 8 has changed.
Yi-Hung Wei (11):
compat: Backport nf_ct_netns_{get,put}()
datapath: compat: Backports nf_conncount
datapath: compat: Introduce static key support
datapath: Add conntrack limit netlink definition
datapath: conntrack: Support conntrack zone limit
dpif: Support conntrack zone limit.
ct-dpif: Helper functions for conntrack zone limit
dpif-netlink: Implement conntrack zone limit
dpctl: Refactor opt_dpif_open().
dpctl: Implement dpctl commands for conntrack per zone limit
system-traffic: Add conntrack per zone limit test case
 NEWS                                              |   3 +
 acinclude.m4                                      |   9 +
 datapath/compat.h                                 |   8 +
 datapath/conntrack.c                              | 551 +++++++++++++++++-
 datapath/conntrack.h                              |   9 +-
 datapath/datapath.c                               |   7 +-
 datapath/datapath.h                               |   3 +
 datapath/linux/Modules.mk                         |   7 +-
 datapath/linux/compat/include/linux/openvswitch.h |  28 +
 datapath/linux/compat/include/linux/static_key.h  |  70 +++
 .../compat/include/net/netfilter/nf_conntrack.h   |   8 +
 .../include/net/netfilter/nf_conntrack_count.h    |  61 ++
 .../linux/compat/include/uapi/linux/netfilter.h   |  14 +
 datapath/linux/compat/nf_conncount.c              | 637 +++++++++++++++++++++
 datapath/linux/compat/nf_conntrack_proto.c        | 112 ++++
 lib/ct-dpif.c                                     | 129 +++++
 lib/ct-dpif.h                                     |  20 +
 lib/dpctl.c                                       | 252 ++++--
 lib/dpctl.man                                     |  18 +
 lib/dpif-netdev.c                                 |   3 +
 lib/dpif-netlink.c                                | 199 +++++++
 lib/dpif-provider.h                               |  26 +
 tests/system-traffic.at                           |  75 +++
 23 files changed, 2202 insertions(+), 47 deletions(-)
create mode 100644 datapath/linux/compat/include/linux/static_key.h
create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
create mode 100644 datapath/linux/compat/include/uapi/linux/netfilter.h
create mode 100644 datapath/linux/compat/nf_conncount.c
create mode 100644 datapath/linux/compat/nf_conntrack_proto.c
--
2.7.4
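To make the isolation argument of the cover letter concrete, here is a small Python model of a conntrack table with per-zone limits. It is an added example written for this page, not code from the OVS series or from its datapath; the zone ids, limits, and flow tuples are constructed, and the `set_limit`/`del_limit`/`commit`/`expire` names are this model's own rather than OVS APIs. It shows the behaviour the series is after: a zone-specific limit overrides the default, a zone that floods the table is rejected only within its own budget, other zones keep committing, and expiring an entry frees budget again.

```python
"""Toy model of per-zone conntrack limits (added example, not OVS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A 5-tuple identifying a connection: (src, dst, sport, dport, proto).
Flow = Tuple[str, str, int, int, int]


@dataclass
class ZoneLimitedConntrack:
    """Conntrack table that caps the number of committed entries per zone.

    default_limit applies to every zone that has no explicit limit;
    None means unlimited (the behaviour without this feature).
    """
    default_limit: Optional[int] = None
    zone_limits: Dict[int, int] = field(default_factory=dict)
    entries: Dict[Tuple[int, Flow], bool] = field(default_factory=dict)
    counts: Dict[int, int] = field(default_factory=dict)
    rejected: Dict[int, int] = field(default_factory=dict)

    def set_limit(self, zone: int, limit: int) -> None:
        """Give one zone its own cap, overriding the default."""
        self.zone_limits[zone] = limit

    def del_limit(self, zone: int) -> None:
        """Drop the zone-specific cap so the zone falls back to the default."""
        self.zone_limits.pop(zone, None)

    def limit_for(self, zone: int) -> Optional[int]:
        return self.zone_limits.get(zone, self.default_limit)

    def count(self, zone: int) -> int:
        return self.counts.get(zone, 0)

    def commit(self, zone: int, flow: Flow) -> bool:
        """Commit a flow into its zone; False if the zone's budget is spent."""
        key = (zone, flow)
        if key in self.entries:
            return True  # already tracked: re-committing costs nothing
        limit = self.limit_for(zone)
        if limit is not None and self.count(zone) >= limit:
            self.rejected[zone] = self.rejected.get(zone, 0) + 1
            return False
        self.entries[key] = True
        self.counts[zone] = self.count(zone) + 1
        return True

    def expire(self, zone: int, flow: Flow) -> bool:
        """Remove a tracked flow (timeout), returning its slot to the zone."""
        if self.entries.pop((zone, flow), None) is None:
            return False
        self.counts[zone] -= 1
        return True


def flood(ct: ZoneLimitedConntrack, zone: int, n: int, dst: str = "10.0.0.1") -> int:
    """Commit n distinct constructed TCP flows into zone; return how many landed."""
    accepted = 0
    for i in range(n):
        if ct.commit(zone, ("10.0.1.2", dst, 40000 + i, 80, 6)):
            accepted += 1
    return accepted


def demo() -> dict:
    # Constructed scenario: default cap 5, a suspect VM in zone 10 capped at 2,
    # a well-behaved VM in zone 20 using the default.
    ct = ZoneLimitedConntrack(default_limit=5)
    ct.set_limit(10, 2)
    noisy = flood(ct, 10, 100)       # only 2 of 100 get in
    quiet = flood(ct, 20, 3)         # zone 20 is unaffected by zone 10's flood
    ct.expire(10, ("10.0.1.2", "10.0.0.1", 40000, 80, 6))
    recommit = ct.commit(10, ("10.0.1.2", "10.0.0.1", 50000, 80, 6))
    ct.del_limit(10)                 # zone 10 now falls back to the default of 5
    after_del = flood(ct, 10, 10, dst="10.0.0.2")  # 3 more fit (5 - 2 in use)
    return {
        "noisy_accepted": noisy,
        "noisy_rejected": ct.rejected.get(10, 0),
        "quiet_accepted": quiet,
        "recommit_after_expire": recommit,
        "after_del_limit_accepted": after_del,
        "zone10_count": ct.count(10),
        "zone20_count": ct.count(20),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `rejected` is operational: in a real deployment a zone that keeps hitting its cap is the signal to look at, since the limit has turned a table-wide resource-exhaustion problem into a per-tenant counter.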