tc does not support conntrack ALGs. Even worse, with tc enabled, they
should not be used/configured at all. This is because even though TC
will ignore the rules with ALG configured, i.e., they will flow through
the kernel module, return traffic might flow through a tc conntrack
rule, and it will not invoke the ALG helper.
Signed-off-by: Eelco Chaudron
Acked-by: Roi Dayan
---
Documentation/howto/tc-offload.rst | 11 +++
lib/netdev-offload-tc.c|4
tests/system-offloads.at | 27 +++
3 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/Documentation/howto/tc-offload.rst
b/Documentation/howto/tc-offload.rst
index f6482c8af..63687adc9 100644
--- a/Documentation/howto/tc-offload.rst
+++ b/Documentation/howto/tc-offload.rst
@@ -112,3 +112,14 @@ First flow packet not processed by meter
Packets that are received by ovs-vswitchd through an upcall before the actual
meter flow is installed, are not passing TC police action and therefore are
not considered for policing.
+
+Conntrack Application Layer Gateways(ALG)
++
+
+TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if
+the ALG keyword is present within the ct() action. However, this will not allow
+ALGs to work within the datapath, as the return traffic without the ALG keyword
+might run through a TC rule, which internally will not call the conntrack
+helper required.
+
+So if ALG support is required, tc offload must be disabled.
diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
index 915c45ed3..ba309c2b6 100644
--- a/lib/netdev-offload-tc.c
+++ b/lib/netdev-offload-tc.c
@@ -1357,6 +1357,10 @@ parse_put_flow_ct_action(struct tc_flower *flower,
action->ct.label_mask = ct_label->mask;
}
break;
+/* The following option we do not support in tc-ct, and should
+ * not be ignored for proper operation. */
+case OVS_CT_ATTR_HELPER:
+return EOPNOTSUPP;
}
}
diff --git a/tests/system-offloads.at b/tests/system-offloads.at
index 9d1e80c8d..c4ed3a171 100644
--- a/tests/system-offloads.at
+++ b/tests/system-offloads.at
@@ -42,6 +42,13 @@ m4_define([OVS_REVALIDATOR_PURGE],
m4_define([DPCTL_DUMP_CONNTRACK], [sleep 3; ovs-appctl dpctl/dump-conntrack])
+# Conntrack ALGs are not supported for tc.
+m4_define([CHECK_CONNTRACK_ALG],
+[
+ AT_SKIP_IF([:])
+])
+
+
# The list below are tests that will not pass for a "test environment" specific
# issue.
m4_define([OVS_TEST_SKIP_LIST],
@@ -60,27 +67,7 @@ conntrack - IPv6 Fragmentation over vxlan
conntrack - zone-based timeout policy
conntrack - multiple zones, local
conntrack - multi-stage pipeline, local
-conntrack - FTP
-conntrack - FTP over IPv6
-conntrack - IPv6 FTP Passive
-conntrack - FTP with multiple expectations
-conntrack - TFTP
conntrack - ICMP related with NAT
-conntrack - FTP SNAT prerecirc
-conntrack - FTP SNAT prerecirc seqadj
-conntrack - FTP SNAT postrecirc
-conntrack - FTP SNAT postrecirc seqadj
-conntrack - FTP SNAT orig tuple
-conntrack - FTP SNAT orig tuple seqadj
-conntrack - IPv4 FTP Passive with SNAT
-conntrack - IPv4 FTP Passive with DNAT
-conntrack - IPv4 FTP Passive with DNAT 2
-conntrack - IPv4 FTP Active with DNAT
-conntrack - IPv4 FTP Active with DNAT with reverse skew
-conntrack - IPv6 FTP with SNAT
-conntrack - IPv6 FTP Passive with SNAT
-conntrack - IPv6 FTP with SNAT - orig tuple
-conntrack - IPv4 TFTP with SNAT
conntrack - DNAT load balancing
conntrack - DNAT load balancing with NC
conntrack - Multiple ICMP traverse
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev