Re: [net-next 08/15] net/mlx5e: CT: Preparation for offloading +trk+new ct rules

Tue, 12 Jan 2021 01:29:14 -0800 



On 1/12/2021 1:51 AM, Marcelo Ricardo Leitner wrote:

On Sun, Jan 10, 2021 at 09:52:55AM +0200, Roi Dayan wrote:



On 2021-01-10 9:45 AM, Roi Dayan wrote:



On 2021-01-08 11:48 PM, Marcelo Ricardo Leitner wrote:

Hi,

On Thu, Jan 07, 2021 at 09:30:47PM -0800, Saeed Mahameed wrote:

From: Roi Dayan <r...@nvidia.com>

Connection tracking associates the connection state per packet. The
first packet of a connection is assigned with the +trk+new state. The
connection enters the established state once a packet is seen on the
other direction.

Currently we offload only the established flows. However, UDP traffic
using source port entropy (e.g. vxlan, RoCE) will never enter the
established state. Such protocols do not require stateful processing,
and therefore could be offloaded.


If it doesn't require stateful processing, please enlight me on why
conntrack is being used in the first place. What's the use case here?



The use case for example is when we have vxlan traffic but we do
conntrack on the inner packet (rules on the physical port) so
we never get established but on miss we can still offload as normal
vxlan traffic.



my mistake about "inner packet". we do CT on the underlay network, i.e.
the outer header.


I miss why the CT match is being used there then. Isn't it a config
issue/waste of resources? What is CT adding to the matches/actions
being done on these flows?




Consider a use case where the network port receives both east-west encapsulated traffic and 
north-south non-encapsulated traffic that requires NAT.


One possible configuration is to first apply the CT-NAT action.

Established north-south connections will successfully execute the nat action and will set the +est 
ct state.
However, the +new state may apply either for valid east-west traffic (e.g. vxlan) due to source port 
entropy, or to insecure north-south traffic that the fw should block. The user may distinguish 
between the two cases, for example, by matching on the dest udp port.







The change in the model is that a miss on the CT table will be forwarded
to a new +trk+new ct table and a miss there will be forwarded to
the slow
path table.


AFAICU this new +trk+new ct table is a wildcard match on sport with
specific dports. Also AFAICU, such entries will not be visible to the
userspace then. Is this right?

    Marcelo



right.


Thanks,
Marcelo























					Reply via email to