[ovs-dev] [PATCH v3 00/10] Add support for offloading CT datapath rules to TC

Simon Horman simon.horman at netronome.com
Wed Dec 4 12:26:49 UTC 2019 

On Wed, Dec 04, 2019 at 08:10:10AM +0000, Paul Blakey wrote:
> 
> On 12/3/2019 6:41 PM, Simon Horman wrote:
> > On Tue, Dec 03, 2019 at 03:45:24PM +0200, Roi Dayan wrote:
> >> The following patchset introduces hardware offload of OVS connection
> >> tracking datapath rules.
> >>
> >> OVS uses ct() and recirc() (recirculation) actions and recirc_id()/ct_state()
> >> matches to support connection tracking.
> >>
> >> The datapath rules are in the form of:
> >>
> >> recirc_id(0),in_port(dev1),eth_type(0x0800),ct_state(-trk) actions:ct(),recirc(2)
> >> recirc_id(2),in_port(dev1),eth_type(0x0800),ct_state(+trk+est) actions:4
> >>
> >> This patchset will translate ct_state() and recirc_id() matches to tc
> >> ct_state and chain matches respectively. The datapath actions ct() and recirc()
> >> will be translated to tc actions ct and goto chain respectively.
> >>
> >> The tc equivalent commands for the above rules are:
> >>
> >> $ tc filter add dev dev1 ingress \
> >>                      prio 1 chain 0 proto ip \
> >>                                  flower tcp ct_state -trk \
> >>                                  action ct pipe \
> >>                                  action goto chain 2
> >>                                  
> >> $ tc filter add dev dev1 ingress \
> >>                      prio 1 chain 2 proto ip \
> >>                                  flower tcp ct_state +trk+est \
> >>                                  action mirred egress redirect dev dev2
> > Hi Roi,
> >
> > I understand that this patchset handles adding rules as described above.
> > But do we also need a patchset to enable offload of NF flowtable,
> > so conntrack entries are offloaded?
> 
> Yes it would be added to tc, then a upcoming kernel patchset you 
> describe will actually offloaded this via act ct  -> nf flow table 
> offload like what nft currently does.
> 
> We will submitting that to linux kernel soon.

Thanks, my follow-up question is what is the run-time effect of applying
this patch-set (and all corresponding kernel patches) but not the follow-up
described above? Are flows offloaded/not-offloaded in a manner that
allows the system to work as it would (offload aside) without this
patchset?

More information about the dev mailing list