diff options
author | Eelco Chaudron <echaudro@redhat.com> | 2023-02-07 15:05:25 +0100 |
---|---|---|
committer | Ilya Maximets <i.maximets@ovn.org> | 2023-02-09 00:42:30 +0100 |
commit | a596911fa2c83b74d0049e1845d72f0fba2bfb08 (patch) | |
tree | 4afefc13e15946815a0ae0e3e3d5289292fe29e5 | |
parent | 235ab5ec00e71d7392b91cf2cfddd60c6c983330 (diff) | |
download | openvswitch-a596911fa2c83b74d0049e1845d72f0fba2bfb08.tar.gz |
netdev-offload-tc: Conntrack ALGs are not supported with tc.
tc does not support conntrack ALGs. Even worse, with tc enabled, they
should not be used/configured at all. This is because even though TC
will ignore the rules with ALG configured, i.e., they will flow through
the kernel module, return traffic might flow through a tc conntrack
rule, and it will not invoke the ALG helper.
Fixes: 576126a931cd ("netdev-offload-tc: Add conntrack support")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Roi Dayan <roid@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Tested-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
-rw-r--r-- | Documentation/howto/tc-offload.rst | 11 | ||||
-rw-r--r-- | lib/netdev-offload-tc.c | 4 |
2 files changed, 15 insertions, 0 deletions
diff --git a/Documentation/howto/tc-offload.rst b/Documentation/howto/tc-offload.rst index f6482c8af..681dff13e 100644 --- a/Documentation/howto/tc-offload.rst +++ b/Documentation/howto/tc-offload.rst @@ -112,3 +112,14 @@ First flow packet not processed by meter Packets that are received by ovs-vswitchd through an upcall before the actual meter flow is installed, are not passing TC police action and therefore are not considered for policing. + +Conntrack Application Layer Gateways (ALG) +++++++++++++++++++++++++++++++++++++++++++ + +TC does not support conntrack helpers, i.e., ALGs. TC will not offload flows if +the ALG keyword is present within the ct() action. However, this will not allow +ALGs to work within the datapath, as the return traffic without the ALG keyword +might run through a TC rule, which internally will not call the conntrack +helper required. + +So if ALG support is required, tc offload must be disabled. diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index dd4bdc4e7..09b0e3533 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -1405,6 +1405,10 @@ parse_put_flow_ct_action(struct tc_flower *flower, get_32aligned_u128(&ct_label->mask); } break; + /* The following option we do not support in tc-ct, and should + * not be ignored for proper operation. */ + case OVS_CT_ATTR_HELPER: + return EOPNOTSUPP; } } |