1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Sun, 7 Jan 2018 01:03:56 +0100
3 Subject: [PATCH] netfilter: nf_conntrack: add IPS_OFFLOAD status bit
5 This new bit tells us that the conntrack entry is owned by the flow
6 table offload infrastructure.
8 # cat /proc/net/nf_conntrack
9 ipv4 2 tcp 6 src=10.141.10.2 dst=147.75.205.195 sport=36392 dport=443 src=147.75.205.195 dst=192.168.2.195 sport=443 dport=36392 [OFFLOAD] mark=0 zone=0 use=2
11 Note the [OFFLOAD] tag in the listing.
13 The timer of such conntrack entries look like stopped from userspace.
14 In practise, to make sure the conntrack entry does not go away, the
15 conntrack timer is periodically set to an arbitrary large value that
16 gets refreshed on every iteration from the garbage collector, so it
17 never expires- and they display no internal state in the case of TCP
18 flows. This allows us to save a bitcheck from the packet path via
21 Conntrack entries that have been offloaded to the flow table
22 infrastructure cannot be deleted/flushed via ctnetlink. The flow table
23 infrastructure is also responsible for releasing this conntrack entry.
25 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
28 --- a/include/uapi/linux/netfilter/nf_conntrack_common.h
29 +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
30 @@ -101,12 +101,16 @@ enum ip_conntrack_status {
32 IPS_HELPER = (1 << IPS_HELPER_BIT),
34 + /* Conntrack has been offloaded to flow table. */
35 + IPS_OFFLOAD_BIT = 14,
36 + IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),
38 /* Be careful here, modifying these bits can make things messy,
39 * so don't let users modify them directly.
41 IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
42 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
43 - IPS_SEQ_ADJUST | IPS_TEMPLATE),
44 + IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),
48 --- a/net/netfilter/nf_conntrack_core.c
49 +++ b/net/netfilter/nf_conntrack_core.c
50 @@ -901,6 +901,9 @@ static unsigned int early_drop_list(stru
51 hlist_nulls_for_each_entry_rcu(h, n, head, hnnode) {
52 tmp = nf_ct_tuplehash_to_ctrack(h);
54 + if (test_bit(IPS_OFFLOAD_BIT, &tmp->status))
57 if (nf_ct_is_expired(tmp)) {
58 nf_ct_gc_expired(tmp);
60 @@ -975,6 +978,18 @@ static bool gc_worker_can_early_drop(con
64 +#define DAY (86400 * HZ)
66 +/* Set an arbitrary timeout large enough not to ever expire, this save
67 + * us a check for the IPS_OFFLOAD_BIT from the packet path via
68 + * nf_ct_is_expired().
70 +static void nf_ct_offload_timeout(struct nf_conn *ct)
72 + if (nf_ct_expires(ct) < DAY / 2)
73 + ct->timeout = nfct_time_stamp + DAY;
76 static void gc_worker(struct work_struct *work)
78 unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u);
79 @@ -1011,6 +1026,11 @@ static void gc_worker(struct work_struct
80 tmp = nf_ct_tuplehash_to_ctrack(h);
83 + if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) {
84 + nf_ct_offload_timeout(tmp);
88 if (nf_ct_is_expired(tmp)) {
89 nf_ct_gc_expired(tmp);
91 --- a/net/netfilter/nf_conntrack_netlink.c
92 +++ b/net/netfilter/nf_conntrack_netlink.c
93 @@ -1120,6 +1120,14 @@ static const struct nla_policy ct_nla_po
94 .len = NF_CT_LABELS_MAX_SIZE },
97 +static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
99 + if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
102 + return ctnetlink_filter_match(ct, data);
105 static int ctnetlink_flush_conntrack(struct net *net,
106 const struct nlattr * const cda[],
107 u32 portid, int report)
108 @@ -1132,7 +1140,7 @@ static int ctnetlink_flush_conntrack(str
109 return PTR_ERR(filter);
112 - nf_ct_iterate_cleanup_net(net, ctnetlink_filter_match, filter,
113 + nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
117 @@ -1178,6 +1186,11 @@ static int ctnetlink_del_conntrack(struc
119 ct = nf_ct_tuplehash_to_ctrack(h);
121 + if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
127 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
128 if (id != (u32)(unsigned long)ct) {
129 --- a/net/netfilter/nf_conntrack_proto_tcp.c
130 +++ b/net/netfilter/nf_conntrack_proto_tcp.c
131 @@ -305,6 +305,9 @@ static bool tcp_invert_tuple(struct nf_c
132 /* Print out the private part of the conntrack. */
133 static void tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
135 + if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
138 seq_printf(s, "%s ", tcp_conntrack_names[ct->proto.tcp.state]);
141 --- a/net/netfilter/nf_conntrack_standalone.c
142 +++ b/net/netfilter/nf_conntrack_standalone.c
143 @@ -309,10 +309,12 @@ static int ct_seq_show(struct seq_file *
147 - seq_printf(s, "%-8s %u %-8s %u %ld ",
148 + seq_printf(s, "%-8s %u %-8s %u ",
149 l3proto_name(l3proto->l3proto), nf_ct_l3num(ct),
150 - l4proto_name(l4proto->l4proto), nf_ct_protonum(ct),
151 - nf_ct_expires(ct) / HZ);
152 + l4proto_name(l4proto->l4proto), nf_ct_protonum(ct));
154 + if (!test_bit(IPS_OFFLOAD_BIT, &ct->status))
155 + seq_printf(s, "%ld ", nf_ct_expires(ct) / HZ);
157 if (l4proto->print_conntrack)
158 l4proto->print_conntrack(s, ct);
159 @@ -339,7 +341,9 @@ static int ct_seq_show(struct seq_file *
160 if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
163 - if (test_bit(IPS_ASSURED_BIT, &ct->status))
164 + if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
165 + seq_puts(s, "[OFFLOAD] ");
166 + else if (test_bit(IPS_ASSURED_BIT, &ct->status))
167 seq_puts(s, "[ASSURED] ");
169 if (seq_has_overflowed(s))