ACK/Cmnt: [SRU][F:linux-bluefield][PATCH 0/5] Control nf flow table timeouts
Stefan Bader
stefan.bader at canonical.com
Tue Jul 6 07:33:04 UTC 2021
On 01.07.21 22:38, Bodong Wang wrote:
> TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
> Offloaded connections are aged after 30 seconds of inactivity.
> Once aged, ownership is returned to conntrack with a hard-coded tcp/udp
> pickup time of 120/30 seconds, after which the connection may be deleted.
>
> The current hard-coded pickup intervals may introduce a very aggressive
> aging policy. For example, offloaded tcp connections in established state
> will time out from nf conntrack after just 150 seconds of inactivity,
> instead of 5 days. In addition, the hard-coded 30 second offload timeout
> period can significantly increase the hardware insertion rate requirements
> in some use cases.
>
> This patchset provides the user with the ability to configure protocol
> specific offload timeout and pickup intervals via sysctl.
>
> The first and second patches revert the existing non-upstream solution.
> The next two patches introduce the sysctl configuration for tcp and udp
> protocols.
> The last patch modifies nf flow table aging mechanisms to use the configured
> time intervals.
>
> Oz Shlomo (5):
>   Revert "UBUNTU: SAUCE: net/sched: Add module parameter to set CT age
>     out time"
>   Revert "UBUNTU: SAUCE: netfilter: flowtable: Control flow timeout
>     interval"
>   (upstream) netfilter: conntrack: Introduce tcp offload timeout
>     configuration
>   (upstream) netfilter: conntrack: Introduce udp offload timeout
>     configuration
>   (upstream) netfilter: flowtable: Set offload timeouts according to
>     proto values
>
>  include/net/netfilter/nf_flow_table.h   | 10 ++-----
>  include/net/netns/conntrack.h           |  8 +++++
>  net/netfilter/nf_conntrack_proto_tcp.c  |  5 ++++
>  net/netfilter/nf_conntrack_proto_udp.c  |  5 ++++
>  net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++
>  net/netfilter/nf_flow_table_core.c      | 53 +++++++++++++++++++++++----------
>  net/netfilter/nf_flow_table_offload.c   |  5 ++--
>  net/sched/act_ct.c                      |  5 ----
>  8 files changed, 106 insertions(+), 31 deletions(-)
>
The 3 new patches are upstream picks; in that case the commit message should be
exactly like upstream (no "(upstream)" annotation). This can be fixed while
applying, though.
Acked-by: Stefan Bader <stefan.bader at canonical.com>