[ovs-dev] [patch v2] conntrack: Add option to disable TCP sequence checking.

Darrell Ball dlu998 at gmail.com
Tue Sep 24 22:24:02 UTC 2019


Thanks Ben

I just noticed I sent another version here
https://patchwork.ozlabs.org/patch/1153283/
but there were a couple of issues that deserve a resend.
It might need a rebase as well.

Darrell

On Tue, Sep 24, 2019 at 3:18 PM Ben Pfaff <blp at ovn.org> wrote:

> On Wed, Jun 12, 2019 at 12:44:18PM -0700, Darrell Ball wrote:
> > On Wed, Jun 12, 2019 at 10:58 AM Ben Pfaff <blp at ovn.org> wrote:
> >
> > > On Wed, Jun 12, 2019 at 10:31:17AM -0700, Darrell Ball wrote:
> > > > On Wed, Jun 12, 2019 at 10:09 AM Ben Pfaff <blp at ovn.org> wrote:
> > > >
> > > > > On Wed, Jun 12, 2019 at 08:46:06AM -0700, Darrell Ball wrote:
> > > > > > On Mon, Jun 10, 2019 at 9:51 AM Ben Pfaff <blp at ovn.org> wrote:
> > > > > >
> > > > > > > On Sun, Jun 09, 2019 at 07:35:09AM -0700, Darrell Ball wrote:
> > > > > > > > This may be needed in some special cases, such as to support some
> > > > > > > > hardware offload implementations.
> > > > > > > >
> > > > > > > > Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2019-May/359188.html
> > > > > > > > Signed-off-by: Darrell Ball <dlu998 at gmail.com>
> > > > > > > > ---
> > > > > > > >
> > > > > > > > v2: Per particular requirement, support 'no-tcp-seq-chk' rather than
> > > > > > > >     'liberal' mode.
> > > > > > > >
> > > > > > > >     Add some debug counters.
> > > > > > >
> > > > > > > I'm not sure whether an ovs-appctl command is the best way for users to
> > > > > > > enable and disable this.  It means that it is difficult for an OpenFlow
> > > > > > > controller to do it, since those commands aren't exposed via OpenFlow or
> > > > > > > OVSDB.
> > > > > > >
> > > > > >
> > > > > > Thanks for your comments
> > > > > >
> > > > > > For local controller usage, we are using ovs-appctl today in similar cases
> > > > > > for existing products.
> > > > > >
> > > > > > In the case of non-local controller usage, the remote controller would need
> > > > > > remote access.
> > > > > >
> > > > > > However, in this case, I don't expect the remote controller to be
> > > > > > involved; I was assuming that a deployment script would be used to
> > > > > > set the value to non-default value (in needed cases) when
> > > > > > ovs-vswitchd is (re)started only. If this assumption cannot be
> > > > > > satisfied then we would have to introduce a dependency on the
> > > > > > database for these types of commands.
> > > > >
> > > > > This seems to be teetering toward the pre-SDN model of having to
> > > > > separately configure each switch.  Do you have some rationale in mind
> > > > > why this should be a per-node decision rather than one made by the
> > > > > controller?
> > > >
> > > >
> > > > 1/ Because of the reduced security implications vs higher performance
> > > > advantage, it would be a per node (or per node role) decision of whether
> > > > to use it or not.
> > >
> > > Are you saying that the only advantage of disabling TCP sequence
> > > checking is performance, and only in the presence of hardware for
> > > offloading that requires it?
> >
> >
> > Some HWOL implementations would be the most common 'recommended' usage.
> > I will be adding a general statement to the documentation and will echo it
> > in the commit message.
>
> Is there a v3 with that change?  I haven't been able to find it.
>

