diff options
| author | David S. Miller <davem@davemloft.net> | 2023-02-03 09:31:25 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2023-02-03 09:31:25 +0000 |
| commit | 18390581d0d4da50eeaceee903b4965254dd5802 (patch) | |
| tree | 861c404053539b3d401e46b2086c5517dd0da99a /net/dsa | |
| parent | 942814840127a7d6307d0aaf087dbd3cfdeb2a2d (diff) | |
| parent | df25455e5a489764508942b77b77de8f550e92cd (diff) | |
Merge branch 'act_ct-UDP-NEW'
Vlad Buslov says:
====================
net: Allow offloading of UDP NEW connections via act_ct
Currently only bidirectional established connections can be offloaded
via act_ct. Such approach allows to hardcode a lot of assumptions into
act_ct, flow_table and flow_offload intermediate layer codes. In order
to enabled offloading of unidirectional UDP NEW connections start with
incrementally changing the following assumptions:
- Drivers assume that only established connections are offloaded and
don't support updating existing connections. Extract ctinfo from meta
action cookie and refuse offloading of new connections in the drivers.
- Fix flow_table offload fixup algorithm to calculate flow timeout
according to current connection state instead of hardcoded
"established" value.
- Add new flow_table flow flag that designates bidirectional connections
instead of assuming it and hardcoding hardware offload of every flow
in both directions.
- Add new flow_table flow flag that designates connections that are
offloaded to hardware as "established" instead of assuming it. This
allows some optimizations in act_ct and prevents spamming the
flow_table workqueue with redundant tasks.
With all the necessary infrastructure in place modify act_ct to offload
UDP NEW as unidirectional connection. Pass reply direction traffic to CT
and promote connection to bidirectional when UDP connection state
changes to "assured". Rely on refresh mechanism to propagate connection
state change to supporting drivers.
Note that early drop algorithm that is designed to free up some space in
connection tracking table when it becomes full (by randomly deleting up
to 5% of non-established connections) currently ignores connections
marked as "offloaded". Now, with UDP NEW connections becoming
"offloaded" it could allow malicious user to perform DoS attack by
filling the table with non-droppable UDP NEW connections by sending just
one packet in single direction. To prevent such scenario change early
drop algorithm to also consider "offloaded" connections for deletion.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dsa')
0 files changed, 0 insertions, 0 deletions