[ovs-dev] [PATCH 0/2] Add offload support for ct_state rpl and inv flags

Paul Blakey paulb at nvidia.com
Thu Feb 4 08:31:23 UTC 2021 


On Wed, 3 Feb 2021, Ilya Maximets wrote:

> On 2/3/21 1:39 PM, Ilya Maximets wrote:
> > On 2/3/21 12:58 PM, Marcelo Leitner wrote:
> >> On Wed, Feb 03, 2021 at 10:54:19AM +0200, Paul Blakey wrote:
> >>>
> >>>
> >>> On Tue, 2 Feb 2021, Marcelo Leitner wrote:
> >>>
> >>>> On Tue, Feb 02, 2021 at 04:59:44PM +0100, Ilya Maximets wrote:
> >>>>> On 2/2/21 4:52 PM, wenxu wrote:
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> just ingore my patch. Now kernel can support match invalid
> >>>>>> ct_state in th tc flower.
> >>>>>
> >>>>> I don't think that we can ignore it.  At least we need this
> >>>>> fix on stable branches.  And also there are other conntrack
> >>>>> flags that are simply ignored, not only inv and rpl.  These
> >>>>> are snat, dnat, rel, probably some other.  So, we need this
> >>>>> change in some form anyway.
> >>>>
> >>>> That would be great, indeed.
> >>>>
> >>>> The issue is also present in tc layer, btw, but maybe Paul has his on
> >>>> the charts already. The effect here could be that if you use a newer
> >>>> ovs that supports inv ct_state, for example, up to wenxu's patch the
> >>>> kernel will simply ignore it.
> >>>>
> >>>> Best regards,
> >>>> Marcelo
> >>>
> >>>
> >>> Hi,
> >>>
> >>> Regarding the inv flag, yes if you offload a +inv rule, and not have
> >>> an updated kernel then tc rule won't match it and it will fall back to 
> >>> software. Drivers should see this flag and reject offload, same with rpl.
> >>
> >> To be more precise, it will fallback to vswitchd upcall, because the
> >> tc rule will be accepted and a ovs kernel can't be added then.
> >>
> >> flower is using a u16 without a validation of known bits. But if
> >> unknown bits are used, flow dissector won't populate them, and such
> >> packet will "slip through" (it should have matched, but not).
> >>
> >> https://elixir.bootlin.com/linux/latest/source/net/sched/cls_flower.c#L689
> >> https://elixir.bootlin.com/linux/latest/source/net/sched/cls_flower.c#L1398
> >>
> >>>
> >>> We can probe for support by adding a ct_state rule with +inv,+rpl and see
> >>> the echo back. Add that for V2?
> >>
> >> With the above, I don't think that this (or probing in general in this
> >> case) is feasible. My understanding is that flower will just echo back
> >> the unknown bits, due to the above.
> > 
> > IIUC, TC doesn't understand some flags and never reports any errors to
> > the userspace about that.  In this case we should not try to offload
> > these flags to TC or we will have broken logic in datapath flows.
> > 
> > I think, TC must return EINVAL or EOPNOTSUPP or something else in case
> > of unknown flags, so OVS will be able to put the correct flow to
> > openvswitch kernel module instead and avoid incorrect packet matches.
> > 
> > Since current TC code doesn't do that, this needs to be implemented in
> > TC first.  After that we can implement probing on the userspace side,
> > e.g. try to put certainly non-existent flags and check if TC supports
> > checking for invalid flags.  If it supports that, we can after that check
> > for all real flags that might be not supported by current kernel.
> > 
> > Until then, I think, we can not reliably support inv and rpl flags on
> > the OVS side.
> 
> After a small discussion with Marcelo, summarizing the steps that are
> needed in order to support offloading of inv/rpl/etc. in OVS:
> 
> 1. Finish work on "unsupport" patch (wenxu).  Apply it and backport
>    to all stable branches of OVS.

Here you mean wenxu doing the single reject of +inv, or rejecting if any
of current or future ct_state flags didn't translate, as we do with
the flow's mask (set each parsed attr/flag to 0, and then check mask for
0).
B
> 
> 2. Fix TC in kernel, so it will reject unknown bits in ct_state,
>    e.g. by returning EINVAL.  This will allow OVS to fall back to
>    install flow into the kernel module instead of TC.
> 

I'll send this upstream.

> 3. Add probing mechanism to detect if kernel fixed or buggy.
>    e.g. try to send UINT16_MAX as ct_state and check that kernel
>    returns EINVAL.

Good idea, will do.

> 
> 4. Implement inv/rpl/etc. support for kernels that passes probing.
>    OVS will not support these flags on buggy kernels even if
>    underlying kernel supports them, because there is no way to tell
>    if it actually supports them or just ignores.
> 
> That is how I see that.  Suggestions on how to do that differently
> are welcome.

Sounds good.

> 
> Best regards, Ilya Maximets.
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

More information about the dev mailing list