lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu,  3 Feb 2022 20:59:38 +0900
From:   Toshiaki Makita <toshiaki.makita1@...il.com>
To:     "David S. Miller" <davem@...emloft.net>,
        "Jakub Kicinski" <kuba@...nel.org>,
        "Saeed Mahameed" <saeedm@...dia.com>,
        "Jamal Hadi Salim" <jhs@...atatu.com>,
        "Cong Wang" <xiyou.wangcong@...il.com>,
        "Jiri Pirko" <jiri@...nulli.us>,
        "Pablo Neira Ayuso" <pablo@...filter.org>,
        "Jozsef Kadlecsik" <kadlec@...filter.org>,
        "Florian Westphal" <fw@...len.de>
Cc:     Toshiaki Makita <toshiaki.makita1@...il.com>,
        netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, Paul Blakey <paulb@...dia.com>
Subject: [PATCH net-next 0/3] Conntrack GRE offload

Conntrack offload currently only supports TCP and UDP.
Thus TC/nftables/OVS cannot offload GRE packets.

However, GRE is widely used so some users create gre devices in VMs,
and in that case host OVS forwards GRE packets from/to VMs.

In order to offload GRE packets in OVS with stateful firewall support,
we need act_ct GRE offload support.

This patch set adds GRE offload support for act_ct and mlx5 conntrack.
Currently only GREv0 and no NAT support.

- Patch 1: flow_offload/flowtable GRE support.
- Patch 2: act_ct GRE offload support.
- Patch 3: mlx5 conntrack GRE offload support.

Tested with ConnectX-6 Dx 100G NIC and netperf TCP_STREAM.

                      +------------------------------------+
                      |                        +-----------+
                      |                        |(namespace)|
  +---------+         |                        | netserver |
  |         |  wire   +----+  tc   +--------+  +-------+   |
  | netperf |-------->|mlx5|------>|mlx5 rep|--|mlx5 vf|   |
  |         |         +----+       +--------+  +-------+---+
  +---------+         +------------------------------------+

- No offload (TC skip_hw): 8.5 Gbps
- Offload    (act_ct)    : 22 Gbps

Signed-off-by: Toshiaki Makita <toshiaki.makita1@...il.com>

Toshiaki Makita (3):
  netfilter: flowtable: Support GRE
  act_ct: Support GRE offload
  net/mlx5: Support GRE conntrack offload

 drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c |  21 +++--
 net/netfilter/nf_flow_table_core.c                 |  10 +-
 net/netfilter/nf_flow_table_ip.c                   |  54 +++++++++--
 net/netfilter/nf_flow_table_offload.c              |  19 ++--
 net/netfilter/nft_flow_offload.c                   |  13 +++
 net/sched/act_ct.c                                 | 101 ++++++++++++++++-----
 6 files changed, 171 insertions(+), 47 deletions(-)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ