[SRU][J:linux-bluefield][PATCH 0/1] netfilter: ctnetlink: Support offloaded conntrack entry deletion

Mon Jun 19 20:45:13 UTC 2023

BugLink: https://bugs.launchpad.net/bugs/2015293

* Explain the bug(s)

conntrack -D or conntrack -F doesn't delete offloaded tuples.

* brief explanation of fixes

Add support for to delete offloaded tuples via netlink interface and
userspace conntrack utility.

* How to test

Create OVS bridge with 2 devices mlx5 rep devices.
Enable HW offload and configure regular connection tracking OpenFlow rules:
e.g:
    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs arp,actions=normal
    ovs-ofctl add-flow br-ovs "table=0, ip,ct_state=-trk actions=ct(table=1)"
    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+new actions=ct(commit),normal"
    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+est, actions=normal"

Run a UDP connection, e.g:
on mlx5 VF1 iperf -s -u
on mlx5 VF2 iperf -c <ip> -u -t 10

Optional: In different terminal, while traffic is running, check for offload:
and see no iperf udp packets.

Dump conntrack with relevant ip:

See tuples were offloaded:
ipv4 2 udp 17 src=1.1.1.2 dst=1.1.1.3 sport=56394 dport=5001 packets=2 bytes=112 src=1.1.1.3 dst=1.1.1.2 sport=5001 dport=56394 packets=1777 bytes=665340 [HW_OFFLOAD] mark=0 zone=0 use=3

Flush the tuples:
conntrack -F

Verify tuples are deleted:
cat /proc/net/nf_conntrack | grep -i <ip>

Before fix, the above tuple shows again,

after fix, it's deleted, and shows nothing.

* What it could break.

Conntrack -F / -D not working on offloaded tuples.

Paul Blakey (1):
  netfilter: ctnetlink: Support offloaded conntrack entry deletion

 net/netfilter/nf_conntrack_netlink.c | 8 --------
 1 file changed, 8 deletions(-)

-- 
2.34.1