git.droids-corp.org / dpdk.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: dc7b3bf) | patch
ethdev: introduce conntrack flow action and item
authorBing Zhao <bingz@nvidia.com>
Mon, 19 Apr 2021 17:51:30 +0000 (01:51 +0800)
committerFerruh Yigit <ferruh.yigit@intel.com>
Mon, 19 Apr 2021 23:24:57 +0000 (01:24 +0200)
commit9847fd125d329a4097bea9276d9bbf5f37859948
treed0d564920944dd4e9067aa79eada7a5da3b8fd4dtree | snapshot
parentdc7b3bfcf8a905aa9d55fab893f72decb0141d0acommit | diff
ethdev: introduce conntrack flow action and item

This commit introduces the conntrack action and item.

Usually the HW offloading is stateless. For some stateful offloading
like a TCP connection, HW module will help provide the ability of a
full offloading w/o SW participation after the connection was
established.

The basic usage is that in the first flow rule the application should
add the conntrack action and jump to the next flow table. In the
following flow rule(s) of the next table, the application should use
the conntrack item to match on the result.

A TCP connection has two directions traffic. To set a conntrack
action context correctly, the information of packets from both
directions are required.

The conntrack action should be created on one ethdev port and supply
the peer ethdev port as a parameter to the action. After context
created, it could only be used between these two ethdev ports
(dual-port mode) or a single port. The application should modify the
action via the API "rte_action_handle_update" only when before using
it to create a flow rule with conntrack for the opposite direction.
This will help the driver to recognize the direction of the flow to
be created, especially in the single-port mode, in which case the
traffic from both directions will go through the same ethdev port
if the application works as an "forwarding engine" but not an end
point. There is no need to call the update interface if the
subsequent flow rules have nothing to be changed.

Query will be supported via "rte_action_handle_query" interface,
about the current packets information and connection status. The
fields query capabilities depends on the HW.

For the packets received during the conntrack setup, it is suggested
to re-inject the packets in order to make sure the conntrack module
works correctly without missing any packet. Only the valid packets
should pass the conntrack, packets with invalid TCP information,
like out of window, or with invalid header, like malformed, should
not pass.

Naming and definition:
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/
        netfilter/nf_conntrack_tcp.h
https://elixir.bootlin.com/linux/latest/source/net/netfilter/
        nf_conntrack_proto_tcp.c

Other reference:
https://www.usenix.org/legacy/events/sec01/invitedtalks/rooij.pdf

Signed-off-by: Bing Zhao <bingz@nvidia.com>
Acked-by: Ori Kam <orika@nvidia.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
doc/guides/prog_guide/rte_flow.rst diff | blob | history
doc/guides/rel_notes/release_21_05.rst diff | blob | history
lib/ethdev/rte_flow.c diff | blob | history
lib/ethdev/rte_flow.h diff | blob | history
DPDK repo used for reviews