[ovs-git] [openvswitch/ovs] 179fcc: compat: Backport nf_ct_netns_{get, put}()

GitHub noreply at github.com
Fri Aug 17 16:51:23 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 179fccce34db7af112be3c6e8ad114802cb235bd
      https://github.com/openvswitch/ovs/commit/179fccce34db7af112be3c6e8ad114802cb235bd
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    M datapath/linux/compat/include/net/netfilter/nf_conntrack.h
    A datapath/linux/compat/include/uapi/linux/netfilter.h
    A datapath/linux/compat/nf_conntrack_proto.c

  Log Message:
  -----------
  compat: Backport nf_ct_netns_{get, put}()

This patch backports nf_ct_netns_get/put() in order to support a feature
in the follow up patch.

nf_ct_netns_{get,put} were first introduced in upstream net-next commit
ecb2421b5ddf ("netfilter: add and use nf_ct_netns_get/put") in kernel
v4.10, and then updated in commit 7e35ec0e8044 ("netfilter: conntrack:
move nf_ct_netns_{get,put}() to core") in kernel v4.15.  We need to
invoke nf_ct_netns_get/put() when the underlying nf_conntrack_l3proto
supports net_ns_{get,put}().

Therefore, there are 3 cases that we need to consider.
1) Before nf_ct_netns_{get,put}() is introduced.
    We just mock nf_ct_netns_{get,put}() and do nothing.

2) After 1) and before v4.15
    Backports based on commit 7e35ec0e8044.

3) Starting from v4.15
    Use the upstream version.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 744964326f6c74894dbb129e6c1b512a762f78e5
      https://github.com/openvswitch/ovs/commit/744964326f6c74894dbb129e6c1b512a762f78e5
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    A datapath/linux/compat/include/net/netfilter/nf_conntrack_count.h
    A datapath/linux/compat/nf_conncount.c

  Log Message:
  -----------
  datapath: compat: Backports nf_conncount

This patch backports the nf_conncount backend that counts the number
of connections matching an arbitrary key.  The following patch will
use the feature to support connection tracking zone limit in ovs
kernel datapath.

This backport is based on the following upstream net-next commits.
5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
34848d5c896e ("netfilter: nf_conncount: Split insert and traversal")
2ba39118c10a ("netfilter: nf_conncount: Move locking into count_tree()")
976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
cb2b36f5a97d ("netfilter: nf_conncount: Switch to plain list")
2a406e8ac7c3 ("netfilter: nf_conncount: Early exit for garbage collection")
b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race")
21ba8847f857 ("netfilter: nf_conncount: Fix garbage collection with zones")
5e5cbc7b23ea ("netfilter: nf_conncount: expose connection list interface")
35d8deb80c30 ("netfilter: conncount: Support count only use case")
6aec208786c2 ("netfilter: Refactor nf_conncount")
d384e65f1e75 ("netfilter: return booleans instead of integers")
625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend")

The upstream nf_conncount has a couple of exported functions, while
this patch only exports the ones that the ovs kernel module needs.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 6660a9597a49ddcd84bc5dd68334eea0605cef0d
      https://github.com/openvswitch/ovs/commit/6660a9597a49ddcd84bc5dd68334eea0605cef0d
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M acinclude.m4
    M datapath/linux/Modules.mk
    A datapath/linux/compat/include/linux/static_key.h

  Log Message:
  -----------
  datapath: compat: Introduce static key support

Static keys allow the inclusion of seldom used features in
performance-sensitive fast-path kernel code, via a GCC feature and a
code patching technique. For more information:
    * https://www.kernel.org/doc/Documentation/static-keys.txt

Since the upstream ovs kernel module now uses some static key API that was
introduced in the v4.3 kernel, we shall backport them to the compat module
for older kernel support.

This backport is based on upstream net-next commit 11276d5306b8
("locking/static_keys: Add a new static_key interface").

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: a52da944f8f6d36d454d3165911135f5ad70244e
      https://github.com/openvswitch/ovs/commit/a52da944f8f6d36d454d3165911135f5ad70244e
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M datapath/linux/compat/include/linux/openvswitch.h

  Log Message:
  -----------
  datapath: Add conntrack limit netlink definition

Upstream commit:
    commit 5972be6b2495c6bffbf444497517fd1c070eef78
    Author: Yi-Hung Wei <yihung.wei at gmail.com>
    Date:   Thu May 24 17:56:42 2018 -0700

    openvswitch: Add conntrack limit netlink definition

    Define netlink messages and attributes to support user kernel
    communication that uses the conntrack limit feature.

    Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: cb2a5486a3a3756ee3868da0050d737c8989770c
      https://github.com/openvswitch/ovs/commit/cb2a5486a3a3756ee3868da0050d737c8989770c
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M NEWS
    M datapath/compat.h
    M datapath/conntrack.c
    M datapath/conntrack.h
    M datapath/datapath.c
    M datapath/datapath.h

  Log Message:
  -----------
  datapath: conntrack: Support conntrack zone limit

Upstream commit:
    commit 11efd5cb04a184eea4f57b68ea63dddd463158d1
    Author: Yi-Hung Wei <yihung.wei at gmail.com>
    Date:   Thu May 24 17:56:43 2018 -0700

    openvswitch: Support conntrack zone limit

    Currently, nf_conntrack_max is used to limit the maximum number of
    conntrack entries in the conntrack table for every network namespace.
    For the VMs and containers that reside in the same namespace,
    they share the same conntrack table, and the total # of conntrack entries
    for all the VMs and containers is limited by nf_conntrack_max.  In this
    case, if one of the VMs/containers abuses the usage of the conntrack entries,
    it blocks the others from committing valid conntrack entries into the
    conntrack table.  Even if we can possibly put the VMs in different network
    namespaces, the current nf_conntrack_max configuration is so rigid
    that we cannot limit different VMs/containers to different # of conntrack
    entries.

    To address the aforementioned issue, this patch proposes to have a
    fine-grained mechanism that could further limit the # of conntrack entries
    per zone.  For example, we can designate different zones to different VMs,
    and set a conntrack limit for each zone.  By providing this isolation, a
    misbehaved VM only consumes the conntrack entries in its own zone, and
    it will not influence other well-behaved VMs.  Moreover, the users can
    set various conntrack limits for different zones based on their preference.

    The proposed implementation utilizes Netfilter's nf_conncount backend
    to count the number of connections in a particular zone.  If the number of
    connections is above the configured limit, ovs will return ENOMEM to the
    userspace.  If userspace does not configure the zone limit, the limit
    defaults to zero, that is, no limitation, which is backward compatible with
    the behavior without this patch.

    The following high level APIs are provided to the userspace:
      - OVS_CT_LIMIT_CMD_SET:
          * set default connection limit for all zones
          * set the connection limit for a particular zone
      - OVS_CT_LIMIT_CMD_DEL:
          * remove the connection limit for a particular zone
      - OVS_CT_LIMIT_CMD_GET:
          * get the default connection limit for all zones
          * get the connection limit for a particular zone

    Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
    Acked-by: Pravin B Shelar <pshelar at ovn.org>
    Signed-off-by: David S. Miller <davem at davemloft.net>

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>
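The two commit messages above describe a counting backend (nf_conncount, keyed on an arbitrary value) and the per-zone limit built on top of it: an explicit per-zone limit, a default for zones without one, zero meaning unlimited, and ENOMEM returned at commit time once a zone is full. The following user-space model is an added example, not OVS or kernel code, that reproduces those semantics so the isolation property can be checked without a datapath. It assumes a small fixed zone space (`CT_ZONES`) and a plain per-zone array in place of nf_conncount's keyed list; the treatment of an explicit per-zone limit of 0 as unlimited, same as the default, is an assumption of this model, and the function names (`ct_commit`, `ct_fill_zone`, and so on) are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CT_ZONES 64             /* hypothetical small zone space; real zone ids are 16-bit */
#define CT_LIMIT_UNLIMITED 0    /* per the commit message: a limit of 0 means no limit */

struct ct_limit_state {
    uint32_t default_limit;         /* used by zones that have no explicit entry */
    uint32_t zone_limit[CT_ZONES];  /* explicit per-zone limit, valid when has_limit[] is set */
    uint8_t  has_limit[CT_ZONES];   /* 1 once SET for this zone, cleared by DEL */
    uint32_t count[CT_ZONES];       /* live entries per zone; stands in for nf_conncount */
};

void ct_limit_init(struct ct_limit_state *s)
{
    memset(s, 0, sizeof *s);
}

/* OVS_CT_LIMIT_CMD_SET, default form: applies to every zone without an explicit entry. */
void ct_limit_set_default(struct ct_limit_state *s, uint32_t limit)
{
    s->default_limit = limit;
}

/* OVS_CT_LIMIT_CMD_SET, per-zone form. */
int ct_limit_set_zone(struct ct_limit_state *s, uint16_t zone, uint32_t limit)
{
    if (zone >= CT_ZONES)
        return -EINVAL;
    s->zone_limit[zone] = limit;
    s->has_limit[zone] = 1;
    return 0;
}

/* OVS_CT_LIMIT_CMD_DEL: drop the explicit entry so the zone falls back to
 * the default.  Entries already committed are not evicted. */
int ct_limit_del_zone(struct ct_limit_state *s, uint16_t zone)
{
    if (zone >= CT_ZONES)
        return -EINVAL;
    s->has_limit[zone] = 0;
    s->zone_limit[zone] = 0;
    return 0;
}

/* OVS_CT_LIMIT_CMD_GET: effective limit for a zone (explicit entry, else default).
 * The caller passes a valid zone id. */
uint32_t ct_limit_get_zone(const struct ct_limit_state *s, uint16_t zone)
{
    return s->has_limit[zone] ? s->zone_limit[zone] : s->default_limit;
}

/* Commit-time check: count the new entry, or refuse it with -ENOMEM once the
 * zone is at its effective limit.  Other zones are never consulted, which is
 * the isolation the patch is after. */
int ct_commit(struct ct_limit_state *s, uint16_t zone)
{
    uint32_t limit;

    if (zone >= CT_ZONES)
        return -EINVAL;
    limit = ct_limit_get_zone(s, zone);
    if (limit != CT_LIMIT_UNLIMITED && s->count[zone] >= limit)
        return -ENOMEM;
    s->count[zone]++;
    return 0;
}

/* Entry timed out or was destroyed: give the slot back to its zone. */
void ct_release(struct ct_limit_state *s, uint16_t zone)
{
    if (zone < CT_ZONES && s->count[zone] > 0)
        s->count[zone]--;
}

/* A misbehaving tenant: try `attempts` commits into one zone; returns how many succeeded. */
uint32_t ct_fill_zone(struct ct_limit_state *s, uint16_t zone, uint32_t attempts)
{
    uint32_t ok = 0;

    while (attempts--)
        if (ct_commit(s, zone) == 0)
            ok++;
    return ok;
}

int main(void)
{
    struct ct_limit_state s;

    ct_limit_init(&s);
    /* Same configuration as the dpctl example on this page:
     * default=10 zone=0,limit=5 zone=1,limit=3 */
    ct_limit_set_default(&s, 10);
    ct_limit_set_zone(&s, 0, 5);
    ct_limit_set_zone(&s, 1, 3);

    printf("zone 0: %u of 20 commits accepted (limit 5)\n", ct_fill_zone(&s, 0, 20));
    printf("zone 1: %u of 20 commits accepted (limit 3)\n", ct_fill_zone(&s, 1, 20));
    printf("zone 2: %u of 20 commits accepted (default 10)\n", ct_fill_zone(&s, 2, 20));
    printf("zone 0, one more: %s\n", ct_commit(&s, 0) == -ENOMEM ? "ENOMEM" : "accepted");

    ct_limit_del_zone(&s, 0);   /* zone 0 now falls back to the default of 10 */
    printf("zone 0 after DEL: limit %u, commit %s\n", ct_limit_get_zone(&s, 0),
           ct_commit(&s, 0) == 0 ? "accepted" : "refused");
    return 0;
}
```

The point worth checking is in `ct_commit`: filling zone 0 to its limit leaves zones 1 and 2 untouched, and deleting zone 0's explicit limit does not reset its count, so the zone simply continues under the default until it reaches that.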


  Commit: cd015a11c21ac774cc7354e569330ef778f4ecd9
      https://github.com/openvswitch/ovs/commit/cd015a11c21ac774cc7354e569330ef778f4ecd9
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/ct-dpif.c
    M lib/ct-dpif.h
    M lib/dpif-netdev.c
    M lib/dpif-netlink.c
    M lib/dpif-provider.h

  Log Message:
  -----------
  dpif: Support conntrack zone limit.

This patch defines the dpif interface to support conntrack
per zone limit.  Basically, OVS users can use this interface
to set, delete, and get the conntrack per zone limit for various
dpif interfaces.  The following patch will make use of the proposed
interface to implement the feature.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 9bc339b64bd42d6b414f35bc207e75804cb51b32
      https://github.com/openvswitch/ovs/commit/9bc339b64bd42d6b414f35bc207e75804cb51b32
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/ct-dpif.c
    M lib/ct-dpif.h

  Log Message:
  -----------
  ct-dpif: Helper functions for conntrack zone limit

This patch implements some helper functions for conntrack zone limit.
It will be useful for the following patches.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 906ff9d229eee93c4824cacefcb4f601f58d5866
      https://github.com/openvswitch/ovs/commit/906ff9d229eee93c4824cacefcb4f601f58d5866
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpif-netlink.c

  Log Message:
  -----------
  dpif-netlink: Implement conntrack zone limit

This patch provides the implementation of conntrack zone limit
in dpif-netlink.  It basically utilizes the netlink API to
communicate with OVS kernel module to set, delete, and get conntrack
zone limit.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 7cfb862c3d6b31f9ffd89ecdccc785d1c8212dc2
      https://github.com/openvswitch/ovs/commit/7cfb862c3d6b31f9ffd89ecdccc785d1c8212dc2
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M lib/dpctl.c

  Log Message:
  -----------
  dpctl: Export next argument to be parsed in opt_dpif_open().

Make opt_dpif_open() export the next argument to be parsed.
It will be useful for the following patches.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 4eeec031d4c4e17f76cfe81e0c9a88cca2ef84ec
      https://github.com/openvswitch/ovs/commit/4eeec031d4c4e17f76cfe81e0c9a88cca2ef84ec
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M Documentation/faq/releases.rst
    M NEWS
    M lib/ct-dpif.c
    M lib/ct-dpif.h
    M lib/dpctl.c
    M lib/dpctl.man

  Log Message:
  -----------
  dpctl: Implement dpctl commands for conntrack per zone limit

This patch implements the following three commands on dpctl so that
users can use ovs-dpctl or ovs-appctl to set, delete, and get the
per zone limit.

For example,

$ ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=3
$ ovs-appctl dpctl/ct-del-limits zone=0
$ ovs-appctl dpctl/ct-get-limits zone=1,2,3

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


  Commit: 3f1087c70cf9dc7cb5f75900b25116322e1ed62e
      https://github.com/openvswitch/ovs/commit/3f1087c70cf9dc7cb5f75900b25116322e1ed62e
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M tests/system-traffic.at

  Log Message:
  -----------
  system-traffic: Add conntrack per zone limit test case

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Justin Pettit <jpettit at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/7f63d8302e63...3f1087c70cf9
      **NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.

