--------------------------------------------------------------------------
Connection Tracking Offload netdev RFC v1.0 Part 1/2  - TC with  Connection 
Tracking - command line + implementation
--------------------------------------------------------------------------

OVS recirculation ID is to be translated to TC chain, as described in 
https://www.netdevconf.org/2.2/papers/efraim-extendtctoct-talk.pdf

------------------------------------------------------------------------------------
CT Matches:
------------------------------------------------------------------------------------
The ct match acts on the ct_state bits or on the ct variables that were modified as a 
result of a connection tracking action.

Some of this information can be extracted directly from struct nf_conn; the 
rest can be obtained through the conntrack_mt...() calls in 
net/netfilter/xt_conntrack.c.


1.  ct_state - a new variable
    The ct_state match is used to test the result of connection tracking.
    Its bits are set or cleared according to the verdict of the connection 
    tracking module.

The following matchable ct_state items are supported:
*   ±trk  - Tracked: has been through the connection tracker
*   ±new  - A new connection
*   ±est  - Established connection
*   ±dnat - Packet's source address/port was mangled by NAT
*   ±snat - Packet's destination address/port was mangled by NAT
*   ±inv  - Invalid packet
*   ±rel  - Related to an existing connection
*   ±rpl  - Reply: the connection must be established

Example #1:
    "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower ct_state 
     +trk +est -dnat action mirred egress redirect dev eth6"

2.  Three additional integer variables
    These variables, which can be set from within the ct action, are introduced:
      ct_zone  - the zone to commit the connection in (u16); a logically 
                 separate connection tracking table (multi-tenancy)
      ct_mark  - attaches metadata to a particular connection (u32)
      ct_label - similar to ct_mark, but 128 bits wide

Example #2:
    "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower 
     ct_state +trk +est ct_label 10 ct_zone 9 action drop"

A complete list of the flags and their descriptions can be found at:
http://www.openvswitch.org/support/dist-docs/ovs-fields.7.txt


------------------------------------------------------------------------------------
CT actions:
------------------------------------------------------------------------------------
The ct action sends the packet to conntrack (the nf_conntrack_in() method) and 
then updates the ct_state bits according to the result of connection tracking.


[1] The ct action has the following possible arguments:
1. commit: Commit the connection to the connection tracking module, where it 
   is stored beyond the lifetime of the packet in the pipeline.
2. force: The force flag may be used in addition to the commit flag to 
   effectively terminate the existing connection and start a new one in the 
   current direction.
3. chain = K (chain is similar to the ct 'table' argument in OVS syntax): Clone 
   the packet and send the clone to the connection tracker. When the 
   connection tracker is finished, resume processing of that packet in chain K. 
   The original packet continues right after the ct(...) action.
4. Set variable: ct_zone, ct_mark, ct_label (see description above)
   Example #3: "tc .... action ct ct_zone 7 commit ct_label 
   0x0123456789ABCDEF0000111222"
5. NAT: Specifies the address and port translation for the connection being 
   tracked.
   Example #4: "ct_action nat src 10.0.0.1 10.1.1.0" rewrites the source 
   IP and port from the listed addresses.
   Example #5: "tc ... action ct nat src 10.0.0.1 10.1.1.0" rewrites the 
   source IP and port from the listed addresses.
   Example #6: "tc ... action ct nat auto" rewrites packets automatically 
   from the saved kernel NAT list.
  
-----

[2] The ct action also has 3 new parameters
Three new variables can be set from within the ct action:
1. ct_zone: 16 bits
2. ct_mark: 32 bits
3. ct_label: 128 bits

Example #7: "tc ..... action ct ct_zone 7 commit ct_label 
0x0123456789ABCDEF0000111222"


------

[3] NAT action
Supported modes:
(1) specific NAT for the source
(2) specific NAT for the destination
(3) automatic

When instructed when and how to do so, TC performs the NAT translation using 
the kernel NAT module. The result is a modified skb that returns to the 
following TC chain for further processing.

Example #8:
    "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower action 
     ct commit nat src 10.0.0.0 10.0.0.255"
Commits a new connection to conntrack and NATs (rewrites) the source IP address.

Example #9:
    "tc filter add dev eth5 protocol ip parent ffff: chain 100 flower action ct 
     commit nat auto"
Commits a new connection to conntrack and NATs (rewrites) the source IP address.

Additional examples can be found at OVS NAT patch comments:
https://lwn.net/Articles/674868/


[4] Match on the newly added variables (ct_zone, ct_mark, ct_label)
Example #10: "tc ... ct_zone 3 ct_mark 0x333 ...."
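The two mechanisms above, the ct_state match (section "CT Matches") and the ct action with chain recirculation (section "CT actions"), fit together as a small stateful pipeline. The following Python model is an added illustration and is not code from this RFC, from OVS or from the kernel: the bit positions chosen for the eight ct_state flags, the Rule class, the in-memory conntrack table and the "chain K" spelling inside action ct are assumptions made for the example; only the semantics (a '+' flag must be set, a '-' flag must be clear, unlisted flags are don't-care; action ct sets the bits and resumes in chain K) follow the text. The traffic is constructed.

```python
"""Added model of the TC flower ct_state match and the ct action / chain
recirculation described in the RFC.  Not code from the RFC, OVS or the kernel:
flag bit positions, the Rule model and the conntrack table are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed bit assignment for the eight ct_state flags the RFC lists.
CT_FLAGS = {"trk": 1 << 0, "new": 1 << 1, "est": 1 << 2, "dnat": 1 << 3,
            "snat": 1 << 4, "inv": 1 << 5, "rel": 1 << 6, "rpl": 1 << 7}


def parse_ct_state(spec):
    """Turn '+trk+est-dnat' (or '+trk +est -dnat') into a (value, mask) pair:
    '+' needs the bit set, '-' needs it clear, an unlisted flag is don't-care.
    Unknown or repeated flags are rejected."""
    value = mask = 0
    for tok in spec.replace("+", " +").replace("-", " -").split():
        sign, name = tok[0], tok[1:]
        if name not in CT_FLAGS:
            raise ValueError(f"unknown ct_state flag in {tok!r}")
        bit = CT_FLAGS[name]
        if mask & bit:
            raise ValueError(f"flag {name!r} given twice in {spec!r}")
        mask |= bit
        if sign == "+":
            value |= bit
    return value, mask


def ct_state_matches(pkt_state, value, mask):
    """A packet's ct_state bits match when every flag named in the spec agrees."""
    return (pkt_state & mask) == value


def conntrack_in(pkt, table, zone, commit):
    """Simplified stand-in for nf_conntrack_in(): 'trk' is always set; a packet
    of an unknown flow is 'new' and gets a table entry only on commit; a reply
    to a known flow is 'est+rpl' and records that a reply was seen; an
    original-direction packet is 'est' only after a reply has been seen."""
    src, dst = pkt
    key, rkey = (zone, src, dst), (zone, dst, src)
    trk = CT_FLAGS["trk"]
    if rkey in table:
        table[rkey] = True                      # reply seen for this entry
        return trk | CT_FLAGS["est"] | CT_FLAGS["rpl"]
    if key in table:
        return trk | (CT_FLAGS["est"] if table[key] else CT_FLAGS["new"])
    if commit:
        table[key] = False                      # committed, no reply yet
    return trk | CT_FLAGS["new"]


@dataclass
class Rule:
    """One flower filter: optional ct_state / src_ip matches and an action
    ('pass', 'drop', or 'ct', which resumes in goto_chain after conntrack)."""
    chain: int
    ct_state: Optional[str] = None
    src_ip: Optional[str] = None
    action: str = "pass"
    zone: int = 0
    commit: bool = False
    goto_chain: Optional[int] = None

    def to_tc(self, dev="eth5"):
        """Render the rule in the command-line form the RFC uses ('chain K'
        after action ct is this example's assumed spelling)."""
        s = f"tc filter add dev {dev} protocol ip parent ffff: chain {self.chain} flower"
        s += f" ct_state {self.ct_state}" if self.ct_state else ""
        s += f" src_ip {self.src_ip}" if self.src_ip else ""
        if self.action != "ct":
            return s + f" action {self.action}"
        s += " action ct" + (" commit" if self.commit else "")
        s += f" ct_zone {self.zone}" if self.zone else ""
        return s + f" chain {self.goto_chain}"

    def fits(self, pkt, state):
        if self.ct_state and not ct_state_matches(state, *parse_ct_state(self.ct_state)):
            return False
        return not self.src_ip or ipaddress.ip_address(pkt[0]) in ipaddress.ip_network(self.src_ip)


def run_pipeline(rules, pkt, table, max_recirc=8):
    """Walk the chains like the TC data path: the first fitting rule in the
    current chain wins; 'action ct' updates the ct_state bits and recirculates
    the packet into goto_chain; any other action terminates processing."""
    chain, state = 0, 0                          # untracked: no bits set
    for _ in range(max_recirc):
        rule = next((r for r in rules if r.chain == chain and r.fits(pkt, state)), None)
        if rule is None:
            return "miss"
        if rule.action != "ct":
            return rule.action
        state = conntrack_in(pkt, table, rule.zone, rule.commit)
        chain = rule.goto_chain
    raise RuntimeError("recirculation limit reached")


def firewall_rules():
    """Stateful allow-list for the 10.0.0.0/24 side (addresses are constructed):
    chain 0 tracks untracked packets; chain 1 passes established traffic,
    commits new flows from the trusted side and drops everything else."""
    return [
        Rule(0, ct_state="-trk", action="ct", zone=9, goto_chain=1),
        Rule(1, ct_state="+trk+est", action="pass"),
        Rule(1, ct_state="+trk+new", src_ip="10.0.0.0/24", action="ct",
             zone=9, commit=True, goto_chain=2),
        Rule(1, action="drop"),
        Rule(2, action="pass"),
    ]


def demo():
    """Constructed traffic: an inside-initiated flow, its reply, a further
    packet of that flow, and an unsolicited inbound packet."""
    table, rules = {}, firewall_rules()
    pkts = [("10.0.0.5", "192.0.2.7"), ("192.0.2.7", "10.0.0.5"),
            ("10.0.0.5", "192.0.2.7"), ("198.51.100.9", "10.0.0.5")]
    return [run_pipeline(rules, p, table) for p in pkts], table


if __name__ == "__main__":
    for r in firewall_rules():
        print(r.to_tc())
    print(demo())
```

The value/mask representation is the point worth keeping in mind when writing flower ct_state matches: "+trk+est" leaves dnat, snat and the other flags unconstrained, so a rule that is meant to exclude NATed or invalid traffic has to name those flags with '-' explicitly, and a chain that receives recirculated packets should end with an explicit drop rule rather than relying on a miss.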

----------------------------------------
Connection-Tracking action:
----------------------------
The TC data path calls the connection tracking nf_conntrack_in() method with 
the skb; the conntrack result is returned in skb->_nfct, which refers to a 
struct nf_conn.

Connection-Tracking Match:
----------------------------
The connection tracking match can be implemented with the conntrack_mt...() 
calls in net/netfilter/xt_conntrack.c, which match on connection tracking 
information.

Connection-Tracking NAT:
-------------------------------
NAT implementation details are the same as in OVS. As described in:

* https://lwn.net/Articles/674868/
* https://lwn.net/Articles/671459/
* http://www.openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdf


Required OVS changes
-------------------------------
1. OVS has to be modified to send connection-tracking datapath messages to TC.
2. The OVS datapath has to be enhanced to support enforcement of window validation.
