[ovs-dev] [patch v2] conntrack: Add option to disable TCP sequence checking.

Ben Pfaff blp at ovn.org
Tue Sep 24 20:45:02 UTC 2019


On Wed, Jun 12, 2019 at 12:44:18PM -0700, Darrell Ball wrote:
> On Wed, Jun 12, 2019 at 10:58 AM Ben Pfaff <blp at ovn.org> wrote:
> 
> > On Wed, Jun 12, 2019 at 10:31:17AM -0700, Darrell Ball wrote:
> > > On Wed, Jun 12, 2019 at 10:09 AM Ben Pfaff <blp at ovn.org> wrote:
> > >
> > > > On Wed, Jun 12, 2019 at 08:46:06AM -0700, Darrell Ball wrote:
> > > > > On Mon, Jun 10, 2019 at 9:51 AM Ben Pfaff <blp at ovn.org> wrote:
> > > > >
> > > > > > On Sun, Jun 09, 2019 at 07:35:09AM -0700, Darrell Ball wrote:
> > > > > > > This may be needed in some special cases, such as to support some
> > > > > > > hardware offload implementations.
> > > > > > >
> > > > > > > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2019-May/359188.html
> > > > > > > Signed-off-by: Darrell Ball <dlu998 at gmail.com>
> > > > > > > ---
> > > > > > >
> > > > > > > v2: Per particular requirement, support 'no-tcp-seq-chk' rather than
> > > > > > >     'liberal' mode.
> > > > > > >
> > > > > > >     Add some debug counters.
> > > > > >
> > > > > > I'm not sure whether an ovs-appctl command is the best way for users to
> > > > > > enable and disable this.  It means that it is difficult for an OpenFlow
> > > > > > controller to do it, since those commands aren't exposed via OpenFlow or
> > > > > > OVSDB.
> > > > > >
> > > > >
> > > > > Thanks for your comments
> > > > >
> > > > > For local controller usage, we are using ovs-appctl today in similar cases
> > > > > for existing products.
> > > > >
> > > > > In the case of non-local controller usage, the remote controller would need
> > > > > remote access.
> > > > >
> > > > > However, in this case, I don't expect the remote controller to be
> > > > > involved; I was assuming that a deployment script would be used to set the
> > > > > value to a non-default value (in needed cases) when ovs-vswitchd is
> > > > > (re)started only. If this assumption cannot be satisfied then we would
> > > > > have to introduce a dependency on the database for these types of
> > > > > commands.
> > > >
> > > > This seems to be teetering toward the pre-SDN model of having to
> > > > separately configure each switch.  Do you have some rationale in mind
> > > > why this should be a per-node decision rather than one made by the
> > > > controller?
> > >
> > > 1/ Because of the reduced security implications vs higher performance
> > > advantage, it would be a per node (or per node role) decision of whether
> > > to use it or not.
> >
> > Are you saying that the only advantage of disabling TCP sequence
> > checking is performance, and only in the presence of hardware for
> > offloading that requires it?
> 
> Some HWOL implementations would be the most common 'recommended' usage.
> I will be adding a general statement to the documentation and will echo it
> in the commit message.

Is there a v3 with that change?  I haven't been able to find it.
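
For readers following the "reduced security vs. performance" trade-off the thread argues about, here is an added example (editor's illustration, not code from this thread or from OVS) of what a conntrack TCP sequence check actually rejects and what turning it off lets through. It is a deliberately simplified per-direction window tracker in the style of pf-derived conntracks, not OVS's real algorithm; the `seq_chk` toggle and `seq_chk_drop` counter are this example's own names, standing in for the patch's 'no-tcp-seq-chk' option and its debug counters. The connection state and the two segments are constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_ACK 0x10
#define TCP_RST 0x04
#define MAX_ACK_WINDOW 65535u   /* how far an ack may lag, as pf-style trackers allow */

/* Modular sequence-space comparisons: correct across 32-bit wrap-around. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }

struct tcp_peer {
    uint32_t nxt;  /* next sequence number this side is expected to send */
    uint32_t ack;  /* highest ack this side has sent for the peer's data */
    uint32_t win;  /* receive window this side last advertised */
};

struct tcp_conn {
    struct tcp_peer orig, reply;
    bool seq_chk;               /* false models the patch's 'no-tcp-seq-chk' (hypothetical name) */
    unsigned long seq_chk_drop; /* debug counter: segments the window check rejected */
};

struct tcp_seg {
    bool from_orig;  /* direction relative to the connection originator */
    uint8_t flags;
    uint32_t seq, ack, win;
    uint32_t len;    /* payload bytes, plus one each for SYN and FIN */
};

/* Process one segment against the tracked state; returns whether it was accepted. */
static bool tcp_track(struct tcp_conn *c, const struct tcp_seg *s)
{
    struct tcp_peer *snd = s->from_orig ? &c->orig : &c->reply;
    struct tcp_peer *rcv = s->from_orig ? &c->reply : &c->orig;
    uint32_t end = s->seq + s->len;

    if (c->seq_chk) {
        /* The segment must fit the receiver's advertised window (one window of
         * retransmission below it is tolerated), and an ack must neither cover
         * data the receiver has not sent nor lag by more than MAX_ACK_WINDOW. */
        bool seq_ok = seq_geq(s->seq, rcv->ack - rcv->win)
                   && seq_leq(end, rcv->ack + rcv->win);
        bool ack_ok = !(s->flags & TCP_ACK)
                   || (seq_leq(s->ack, rcv->nxt)
                       && seq_geq(s->ack, rcv->nxt - MAX_ACK_WINDOW));
        if (!seq_ok || !ack_ok) {
            c->seq_chk_drop++;
            return false;
        }
    }

    /* Accepted segments advance the tracked state, validated or not: with the
     * check off, a forged segment also poisons the tracker's idea of the flow. */
    if (seq_geq(end, snd->nxt)) {
        snd->nxt = end;
    }
    if ((s->flags & TCP_ACK) && seq_geq(s->ack, snd->ack)) {
        snd->ack = s->ack;
    }
    snd->win = s->win;
    return true;
}

/* Constructed state for an established connection just after the handshake. */
static struct tcp_conn established(bool seq_chk)
{
    struct tcp_conn c = {
        .orig  = { .nxt = 1000, .ack = 5000, .win = 65535 },
        .reply = { .nxt = 5000, .ack = 1000, .win = 65535 },
        .seq_chk = seq_chk,
    };
    return c;
}

/* In-window data from the originator: accepted with the check on or off. */
bool demo_legit_data(bool seq_chk)
{
    struct tcp_conn c = established(seq_chk);
    struct tcp_seg data = { .from_orig = true, .flags = TCP_ACK,
                            .seq = 1000, .ack = 5000, .win = 65535, .len = 100 };
    return tcp_track(&c, &data);
}

/* Forged RST from the reply side with a guessed sequence number far outside
 * the window (a blind reset attempt).  Returns whether the tracker let it in. */
bool demo_blind_rst(bool seq_chk)
{
    struct tcp_conn c = established(seq_chk);
    struct tcp_seg rst = { .from_orig = false, .flags = TCP_RST | TCP_ACK,
                           .seq = 5000u + 0x10000000u, .ack = 1000, .win = 0, .len = 0 };
    return tcp_track(&c, &rst);
}

int main(void)
{
    printf("legit data, seq check on : %s\n", demo_legit_data(true) ? "accepted" : "dropped");
    printf("blind RST,  seq check on : %s\n", demo_blind_rst(true) ? "accepted" : "dropped");
    printf("blind RST,  seq check off: %s\n", demo_blind_rst(false) ? "accepted" : "dropped");
    return 0;
}
```

The caveat a practitioner should keep in mind: the check only forces a blind attacker to land inside the receive window, so a forged segment whose sequence number does happen to fall in-window still passes with the check on. Disabling it removes even that bar for every flow on the node, which is why the thread treats it as a per-node (or per-role) decision tied to specific offload hardware rather than a default.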