[ovs-dev] [PATCH RFC v2 0/8] Introduce connection tracking tc offload

Paul Blakey paulb at mellanox.com
Thu Jul 4 14:28:19 UTC 2019 

Hi,

The following patches add connection tracking offload to tc.

We plan on offloading the datapath rules to netdev one to one to tc rules.
We'll be using upcoming act_ct tc module which is currently under review in netdev for the datapath ct() action.
Tc chains and tc goto chain action for the recirc_id() match and recirc() action.
cls_flower will do the matching on skb conntrack metadata for the ct_state matches.

The patchset for act_ct and cls_flower is here: https://lwn.net/Articles/791584/

So datapath ovs connection tracking rules:
recirc_id(0),in_port(ens1f0_0),ct_state(-trk),... actions:ct(zone=2),recirc(2)
recirc_id(2),in_port(ens1f0_0),ct_state(+new+trk),ct_mark(0xbb),... actions:ct(commit,zone=2,nat(src=5.5.5.7),mark=0xbb),ens1f0_1
recirc_id(2),in_port(ens1f0_0),ct_state(+est+trk),ct_mark(0xbb),... actions:ct(zone=2,nat),ens1f0_1

recirc_id(1),in_port(ens1f0_1),ct_state(-trk),... actions:ct(zone=2),recirc(1)
recirc_id(1),in_port(ens1f0_1),ct_state(+est+trk),... actions:ct(zone=2,nat),ens1f0_0

Will be translated to these:
$ tc filter add dev ens1f0_0 ingress \
  prio 1 chain 0 proto ip \
  flower ip_proto tcp ct_state -trk \
  action ct zone 2 pipe \
  action goto chain 2
$ tc filter add dev ens1f0_0 ingress \
  prio 1 chain 2 proto ip \
  flower ct_state +trk+new \
  action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe \
  action mirred egress redirect dev ens1f0_1
$ tc filter add dev ens1f0_0 ingress \
  prio 1 chain 2 proto ip \
  flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
  action ct nat pipe \
  action mirred egress redirect dev ens1f0_1

$ tc filter add dev ens1f0_1 ingress \
  prio 1 chain 0 proto ip \
  flower ip_proto tcp ct_state -trk \
  action ct zone 2 pipe \
  action goto chain 1
$ tc filter add dev ens1f0_1 ingress \
  prio 1 chain 1 proto ip \
  flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
  action ct nat pipe \
  action mirred egress redirect dev ens1f0_0


Changlog:
V1->V2:
    Renamed netdev-tc-offloads to netdev-offload-tc (sorry about double email)

Paul Blakey (8):
  match: Add match_set_ct_zone_masked helper
  compat: Add tc ct action and flower matches defines for older kernels
  tc: Introduce tc_id to specify a tc filter
  netdev-offload-tc: Implement netdev tc flush via tc filter del
  netdev-offload-tc: Add recirculation support via tc chains
  netdev-offload-tc: Add conntrack support
  netdev-offload-tc: Add conntrack label and mark support
  netdev-offload-tc: Add conntrack nat support

 acinclude.m4                 |   6 +-
 include/linux/automake.mk    |   3 +-
 include/linux/pkt_cls.h      |  50 +++-
 include/linux/tc_act/tc_ct.h |  41 +++
 include/openvswitch/match.h  |   1 +
 lib/dpif-netlink.c           |   5 +
 lib/match.c                  |  10 +-
 lib/netdev-linux.c           |   6 +-
 lib/netdev-offload-tc.c      | 595 ++++++++++++++++++++++++++++++-------------
 lib/tc.c                     | 411 ++++++++++++++++++++++++------
 lib/tc.h                     |  75 +++++-
 11 files changed, 921 insertions(+), 282 deletions(-)
 create mode 100644 include/linux/tc_act/tc_ct.h

-- 
1.8.3.1

More information about the dev mailing list