[ovs-dev] [PATCH 00/12] Support zone-based conntrack timeout policy

Yi-Hung Wei yihung.wei at gmail.com
Thu Jul 25 23:24:02 UTC 2019


This patch series enables zone-based conntrack timeout policy support in OVS.
Timeout policy is a set of timeout attributes that can be associated with a
connection when it is committed.  Then, the connection tracking system will
expire a connection based on its connection state.  For example, one use
case would be to extend the timeout of a TCP connection in the established
state to avoid re-connect overhead.  Another use case is to shorten the connection
timeout so that the system can reclaim resources faster.
The idea of zone-based conntrack timeout policy is to group connections
with similar characteristics in a conntrack zone, and assign a timeout policy
to the conntrack zone.  Therefore, all the connections in that zone will share
the same timeout policy.

For zone-based timeout policy configuration, the association of conntrack
zone and conntrack timeout policy is defined per datapath in the vswitch ovsdb
schema.  Users can program the database through ovs-vsctl or using the ovsdb
protocol directly.  Once the zone-based timeout policy configuration is
in the database, vswitchd will read that configuration and organize it
in an internal datapath structure, and push the timeout policy into the datapath.
Currently, only the kernel datapath supports customized timeout policy.

When a packet is committed to the connection tracking system, during flow
translation in ofproto-dpif-xlate, vswitchd will look up the internal
data structure to figure out which timeout policy to associate with
the connection.  If a timeout policy is not specified for the committed
zone, it defaults to the timeout policy in the default zone (zone 0).
If the timeout policy is not specified in the default zone, it defaults
to the system default timeouts.

Here are some more details about each patch
* p01, p04, p06: Some utility functions.
* p02: Introduce ovsdb schema for ct timeout policy.
* p03: ovs-vsctl commands to configure zone-based ct timeout policy.
* p05: dpif interface to support ct timeout policy.
* p07: dpif-netlink implementation to support ct timeout policy.
* p08: Consume ct timeout policy configuration from ovsdb server,
       keep it in an internal data structure, and push configuration to
       datapath.
* p09-10: Kernel datapath support for the new ct action attribute.
* p11: Translate timeout policy in ofproto-dpif-xlate
* p12: System traffic test

Travis CI:
* https://travis-ci.org/YiHungWei/ovs/builds/563768546

Appveyor CI:
* https://ci.appveyor.com/project/YiHungWei/ovs/builds/26250549


Ben Pfaff (1):
  simap: Add utility function to help compare two simaps.

Justin Pettit (1):
  vswitchd: Add datapath, CT_Zone, and CT_Timeout_Policy tables.

William Tu (1):
  ovs-vsctl: Add datapath and CT zone commands.

Yi-Hung Wei (9):
  ct-dpif: Export ct_dpif_format_ipproto()
  ct-dpif: Add conntrack timeout policy support in dpif layer
  ct-dpif: Add timeout policy related utility functions.
  dpif-netlink: Add conntrack timeout policy support
  datapath-config: Consume datapath, CT_Zone, and CT_Timeout_Policy
    tables
  datapath: compat: Backport nf_conntrack_timeout support
  datapath: Add support for conntrack timeout policy
  ofproto-dpif-xlate: Translate timeout policy in ct action
  system-traffic: Add zone-based conntrack timeout policy test

 acinclude.m4                                       |   7 +
 datapath-windows/include/OvsDpInterfaceCtExt.h     | 114 ++++++
 datapath-windows/ovsext/Netlink/NetlinkProto.h     |   1 +
 datapath/conntrack.c                               |  30 +-
 datapath/linux/Modules.mk                          |   2 +
 datapath/linux/compat/include/linux/openvswitch.h  |   4 +
 .../include/net/netfilter/nf_conntrack_timeout.h   |  34 ++
 datapath/linux/compat/nf_conntrack_timeout.c       | 102 +++++
 include/windows/automake.mk                        |   1 +
 .../windows/linux/netfilter/nfnetlink_cttimeout.h  |   0
 lib/automake.mk                                    |   2 +
 lib/ct-dpif.c                                      | 117 +++++-
 lib/ct-dpif.h                                      |  60 +++
 lib/datapath-config.c                              | 409 +++++++++++++++++++
 lib/datapath-config.h                              |  27 ++
 lib/dpif-netdev.c                                  |  11 +
 lib/dpif-netlink.c                                 | 436 +++++++++++++++++++++
 lib/dpif-netlink.h                                 |   2 +-
 lib/dpif-provider.h                                |  48 +++
 lib/netlink-conntrack.c                            | 363 +++++++++++++++++
 lib/netlink-conntrack.h                            |  29 ++
 lib/netlink-protocol.h                             |   1 +
 lib/odp-util.c                                     |  29 +-
 lib/simap.c                                        |  15 +-
 lib/simap.h                                        |   1 +
 ofproto/ofproto-dpif-xlate.c                       |  23 ++
 tests/odp.at                                       |   1 +
 tests/ovs-vsctl.at                                 |  20 +-
 tests/system-kmod-macros.at                        |   9 +
 tests/system-traffic.at                            |  65 +++
 tests/system-userspace-macros.at                   |  10 +
 utilities/ovs-vsctl.8.in                           |  29 ++
 utilities/ovs-vsctl.c                              | 245 ++++++++++++
 vswitchd/bridge.c                                  |   3 +
 vswitchd/vswitch.ovsschema                         |  44 ++-
 vswitchd/vswitch.xml                               | 254 +++++++++---
 36 files changed, 2488 insertions(+), 60 deletions(-)
 create mode 100644 datapath/linux/compat/include/net/netfilter/nf_conntrack_timeout.h
 create mode 100644 datapath/linux/compat/nf_conntrack_timeout.c
 create mode 100644 include/windows/linux/netfilter/nfnetlink_cttimeout.h
 create mode 100644 lib/datapath-config.c
 create mode 100644 lib/datapath-config.h

-- 
2.7.4
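The fallback order described in the cover letter (the committed zone's policy, then the policy of the default zone 0, then the system default timeouts) and the fact that a policy is bound to a connection at commit time can be modelled in a few lines. The following is an added example written for this page; it is not code from the patch series, from OVS or from the author. The timeout attribute names, the values in SYSTEM_DEFAULTS, the rule that a zone's policy only lists the attributes it overrides, and the helper names (add_zone_tp, del_zone_tp, resolve, commit, sweep) are all assumptions made for illustration.

```python
"""Added example: a Python model of zone-based conntrack timeout policy
resolution.  This is not code from the patch series or from OVS; the
attribute names, the SYSTEM_DEFAULTS values and the rule that a zone's
policy only lists the attributes it overrides are assumptions."""
from dataclasses import dataclass

# Assumed system default timeouts (seconds) keyed by conntrack state name.
SYSTEM_DEFAULTS = {
    "tcp_syn_sent": 120,
    "tcp_established": 432000,
    "tcp_time_wait": 120,
    "udp_first": 30,
    "udp_single": 30,
    "udp_multiple": 180,
    "icmp_first": 30,
}
DEFAULT_ZONE = 0


class TimeoutPolicyStore:
    """Zone -> timeout policy, as vswitchd would keep it for one datapath."""

    def __init__(self):
        self._zone_policy = {}

    def add_zone_tp(self, zone, **timeouts):
        """Attach a policy to a zone; reject unknown or non-positive values."""
        unknown = set(timeouts) - set(SYSTEM_DEFAULTS)
        if unknown:
            raise ValueError(f"unknown timeout attribute(s): {sorted(unknown)}")
        for name, secs in timeouts.items():
            if not isinstance(secs, int) or secs <= 0:
                raise ValueError(f"{name}: expected a positive integer, got {secs!r}")
        self._zone_policy[zone] = dict(timeouts)

    def del_zone_tp(self, zone):
        self._zone_policy.pop(zone, None)

    def resolve(self, zone):
        """Return (zone the policy came from, full timeout map).

        Fallback order from the cover letter: the committed zone, then the
        default zone 0, then the system defaults (source None)."""
        for candidate in (zone, DEFAULT_ZONE):
            if candidate in self._zone_policy:
                return candidate, {**SYSTEM_DEFAULTS, **self._zone_policy[candidate]}
        return None, dict(SYSTEM_DEFAULTS)


@dataclass
class Connection:
    zone: int
    state: str
    last_seen: float
    policy: dict  # resolved once, at commit time; later zone changes do not apply

    def expires_at(self):
        return self.last_seen + self.policy[self.state]

    def transition(self, state, now):
        """A state change re-reads the timeout from the policy fixed at commit."""
        self.state = state
        self.last_seen = now


def commit(store, zone, state, now):
    """What translation of ct(commit, zone=N) would do: pick the zone's policy."""
    _, policy = store.resolve(zone)
    return Connection(zone=zone, state=state, last_seen=now, policy=policy)


def sweep(conns, now):
    """Split a conntrack table into (live, expired) entries at time `now`."""
    live = [c for c in conns if c.expires_at() > now]
    expired = [c for c in conns if c.expires_at() <= now]
    return live, expired


def demo():
    """Constructed scenario: one zone with its own policy, one without."""
    store = TimeoutPolicyStore()
    store.add_zone_tp(0, udp_first=5, udp_single=5)   # default-zone policy
    store.add_zone_tp(5, tcp_established=3600)        # long-lived TCP zone
    now = 1000.0
    table = [
        commit(store, 5, "tcp_established", now),  # uses zone 5 policy
        commit(store, 7, "udp_first", now),        # no zone 7 policy -> zone 0
        commit(store, 7, "tcp_syn_sent", now),     # zone 0 sets no TCP value -> system default
    ]
    return sweep(table, now + 10)


if __name__ == "__main__":
    live, expired = demo()
    for c in expired:
        print(f"expired: zone={c.zone} state={c.state}")
    for c in live:
        print(f"live:    zone={c.zone} state={c.state} expires_at={c.expires_at()}")
```

The point the model makes explicit: a zone without its own policy silently inherits zone 0's policy, so a short UDP timeout set "for the default zone" also applies to every zone nobody configured, and a policy is frozen into the connection at commit time, so deleting or changing a zone's policy only affects connections committed afterwards.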