On Thu, Mar 10, 2022 at 01:55:30AM +0000, Peng He wrote: > From: Peng He <[email protected]> > > ipf_postprocess will emit packets into the datapath pipeline ignoring > the conntrack context, this might casuse weird issues when a packet > batch has less space to hold all the fragments belonging to single > packet. > > Given the below ruleest and consider sending a 64K ICMP packet which > is splitted into 64 fragments. > > priority=1,action=drop > priority=10,arp,action=normal > priority=100,in_port=1,ct_state=-trk,icmp,action=ct(zone=9,table=0) > priority=100,in_port=1,ct_state=+new+trk,icmp,action=ct(zone=9,commit),2 > priority=100,in_port=1,ct_state=-new+est+trk,icmp,action=2 > priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9) > priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1 > > Batch 1: > the first 32 packets will be buffered in the ipf preprocessing, nothing > more proceeds. > > Batch 2: > the second 32 packets succeed the fragment reassembly and goes to ct > and ipf_post will emits the first 32 packets due to the limit of batch > size. > > the first 32 packets goes to the datapath again due to the > recirculation, and again buffered at ipf preprocessing before ct commit, > then the ovs tries to call ct commit as well as ipf_postprocessing which emits > the last 32 packets, in this case the last 32 packets will follow > the current actions which will be sent to port 2 directly without > recirculation and going to ipf preprocssing and ct commit again. > > This will cause the first 32 packets never get the chance to > reassemble and evevntually this large ICMP packets fail to transmit. > > this patch fixes this issue by adding firstly ipf context to avoid > ipf_postprocessing emits packets in the wrong context. Then by > re-executing the action list again to emit the last 32 packets > in the right context to correctly transmitting multiple fragments. > > This might be one of the root cause why the OVS log warns: > > " > skipping output to input port on bridge br-int while processing > " > > As a pkt might enter into different ipf context. > > One implementation trick of implementing ipf_ctx_eq, is to use ipf_list's > key instead of the first frag's metadata, this can reduce quite a lot of > cache misses as at the time of calling ipf_ctx_eq, ipf_list is cache-hot. > On x86_64, this trick saves 2% of CPU usage of ipf processing. > > v8->v9: add action stack, fix should_steal, fix odp_port type in ipf_ctx > > Signed-off-by: Peng He <[email protected]> > Co-authored-by: Mike Pattrick <[email protected]>
I noticed this patch while looking at patchwork. It seems to be stale and no longer applies. If it is still relevant please consider rebasing and reposting. I am marking this version as "Not Applicable" in patchwork. _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
