ACK: [SRU][J:linux-bluefield][PATCH] UBUNTU: SAUCE: netfilter: flowtable: additional checks for outdated flows
Tim Gardner
tim.gardner at canonical.com
Thu Aug 3 18:43:56 UTC 2023
On 8/3/23 9:49 AM, Bodong Wang wrote:
> From: Vlad Buslov <vladbu at nvidia.com>
>
> BugLink: https://bugs.launchpad.net/bugs/2029497
>
> Current nf_flow_is_outdated() implementation considers any flow table flow
> which state diverged from its underlying CT connection status for teardown
> which can be problematic in the following cases:
>
> - Flow has never been offloaded to hardware in the first place either
> because flow table has hardware offload disabled (flag
> NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add'
> workqueue to be offloaded for the first time. The former is incorrect, the
> latter generates excessive deletions and additions of flows.
>
> - Flow is already pending to be updated on the workqueue. Tearing down such
> flows will also generate excessive removals from the flow table, especially
> on highly loaded system where the latency to re-offload a flow via 'add'
> workqueue can be quite high.
>
> When considering a flow for teardown as outdated verify that it is both
> offloaded to hardware and doesn't have any pending updates.
>
> Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
> Signed-off-by: Vlad Buslov <vladbu at nvidia.com>
> Signed-off-by: Bodong Wang <bodong at nvidia.com>
> ---
> net/netfilter/nf_flow_table_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> index d35f3f8d9841..d8f0f924b574 100644
> --- a/net/netfilter/nf_flow_table_core.c
> +++ b/net/netfilter/nf_flow_table_core.c
> @@ -342,6 +342,8 @@ EXPORT_SYMBOL_GPL(flow_offload_refresh);
> static bool nf_flow_is_outdated(const struct flow_offload *flow)
> {
> return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) &&
> + test_bit(IPS_HW_OFFLOAD_BIT, &flow->ct->status) &&
> + !test_bit(NF_FLOW_HW_PENDING, &flow->flags) &&
> !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);
> }
>
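Review bot: the added IPS_HW_OFFLOAD_BIT term in nf_flow_is_outdated() tests flow->ct->status, while the commit message describes that case in terms of the flow table flag NF_FLOWTABLE_HW_OFFLOAD being unset, and nothing in the function says the conntrack bit is standing in for it. A short comment above the function would help, stating that a flow is only treated as outdated when it has actually reached hardware (IPS_HW_OFFLOAD_BIT) and has no work queued (NF_FLOW_HW_PENDING clear). The condition now reads two different words, flow->ct->status and flow->flags, in separate test_bit() calls, so the comment should also say whether a flag change between those reads is harmless on this path.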
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc