Skip to content

Commit

Permalink
netdev-offload-tc: Conntrack ALGs are not supported with tc.
Browse files Browse the repository at this point in the history
tc does not support conntrack ALGs. Even worse, with tc enabled, they
should not be used/configured at all. This is because even though TC
will ignore the rules with ALG configured, i.e., they will flow through
the kernel module, return traffic might flow through a tc conntrack
rule, and it will not invoke the ALG helper.

Fixes: 576126a ("netdev-offload-tc: Add conntrack support")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Roi Dayan <roid@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Tested-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
  • Loading branch information
chaudron authored and igsilya committed Feb 8, 2023
1 parent 7a176f9 commit b292cce
Show file tree
Hide file tree
Showing 4 changed files with 21 additions and 15 deletions.
11 changes: 11 additions & 0 deletions Documentation/howto/tc-offload.rst
Original file line number Diff line number Diff line change
Expand Up @@ -112,3 +112,14 @@ First flow packet not processed by meter
Packets that are received by ovs-vswitchd through an upcall before the actual
meter flow is installed, are not passing TC police action and therefore are
not considered for policing.

Conntrack Application Layer Gateways (ALG)
++++++++++++++++++++++++++++++++++++++++++

TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if
the ALG keyword is present within the ct() action. However, this will not allow
ALGs to work within the datapath, as the return traffic without the ALG keyword
might run through a TC rule, which internally will not call the conntrack
helper required.

So if ALG support is required, tc offload must be disabled.
4 changes: 4 additions & 0 deletions lib/netdev-offload-tc.c
Original file line number Diff line number Diff line change
Expand Up @@ -1426,6 +1426,10 @@ parse_put_flow_ct_action(struct tc_flower *flower,
get_32aligned_u128(&ct_label->mask);
}
break;
/* The following option we do not support in tc-ct, and should
* not be ignored for proper operation. */
case OVS_CT_ATTR_HELPER:
return EOPNOTSUPP;
}
}

Expand Down
6 changes: 6 additions & 0 deletions tests/system-offloads-testsuite-macros.at
Original file line number Diff line number Diff line change
Expand Up @@ -34,3 +34,9 @@ m4_define([CHECK_NO_TC_OFFLOAD],
[
AT_SKIP_IF([:])
])

# Conntrack ALGs are not supported for tc.
m4_define([CHECK_CONNTRACK_ALG],
[
AT_SKIP_IF([:])
])
15 changes: 0 additions & 15 deletions tests/system-traffic.at
Original file line number Diff line number Diff line change
Expand Up @@ -4890,7 +4890,6 @@ OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP

AT_SETUP([conntrack - FTP])
CHECK_NO_TC_OFFLOAD()
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
Expand Down Expand Up @@ -5000,7 +4999,6 @@ AT_SETUP([conntrack - FTP over IPv6])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)
Expand Down Expand Up @@ -5056,7 +5054,6 @@ AT_SETUP([conntrack - IPv6 FTP Passive])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)
Expand Down Expand Up @@ -5116,7 +5113,6 @@ AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)
Expand Down Expand Up @@ -5183,7 +5179,6 @@ AT_SETUP([conntrack - TFTP])
AT_SKIP_IF([test $HAVE_TFTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)
Expand Down Expand Up @@ -5819,7 +5814,6 @@ m4_define([CHECK_FTP_NAT],
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6127,7 +6121,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6188,7 +6181,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6249,7 +6241,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6310,7 +6301,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6371,7 +6361,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6574,7 +6563,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6635,7 +6623,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down Expand Up @@ -6697,7 +6684,6 @@ AT_SKIP_IF([test $HAVE_FTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)
Expand Down Expand Up @@ -6758,7 +6744,6 @@ AT_SKIP_IF([test $HAVE_TFTP = no])
CHECK_CONNTRACK()
CHECK_CONNTRACK_NAT()
CHECK_CONNTRACK_ALG()
CHECK_NO_TC_OFFLOAD()

OVS_TRAFFIC_VSWITCHD_START()

Expand Down

0 comments on commit b292cce

Please sign in to comment.