bpf: significantly improve capacity of TCP CT tables #10518
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
borkmann
added
pending-review
sig/datapath
|
test-me-please |
|
Hitting #10517 as well now in CI: |
joestringer
approved these changes
Mar 9, 2020
tklauser
approved these changes
Mar 10, 2020
|
Do we consider this as a bug? Asking, as we might need to set |
No-one reported an issue at this point, but we potentially could backport. |
borkmann
force-pushed
the
pr/fix-icmp-related
branch
from
be1fe4d
to
1ee55ed
Compare
|
test-me-please |
brb
approved these changes
Mar 10, 2020
|
test-me-please |
|
provision failure again |
|
test-me-please |
borkmann
force-pushed
the
pr/fix-icmp-related
branch
from
1ee55ed
to
8d4653d
Compare
|
test-me-please |
borkmann
added this to In progress (1.8)
in 1.9 kube-proxy removal & general dp optimization
|
Build expired. Triggering again... |
|
test-me-please Failed on #10442: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18147/ |
|
test-me-please net-next vm provisioning fail: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18158/ |
|
test-me-please Looks like #9330: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18171/ |
|
test-me-please Hit #9330 again, it seems: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18182/ |
|
test-me-please |
ct_create{4,6}() inserts related entries into the TCP CT tables given
the map is usually in the form of ct_create4(get_ct_map4(&tuple)) or
ct_create6(get_ct_map6(&tuple)). Similarly, the lookup parts are in
form of ct_lookup4(get_ct_map4(&tuple)) or ct_lookup6(get_ct_map6(&tuple)).
However, the tuples' nexthdr usually points to the one in the packet.
This means, we can /never/ find a related entry since it sits in the TCP
CT tables, but their lookup is always in the ANY table instead.
Fix the insertions by adding to the CT_MAP_ANY{4,6} tables and by that
implicityly double the capacity of TCP CT tables.
Go even beyond that by not creating related entries for CT_SERVICE entries.
It does not make sense to create CT_SERVICE entries with related flag
since we don't translate ICMP there anyway. Save overhead and don't add
them to the maps (same for NodePort/NAT related ones).
Fixes: 750b3f9 ("bpf: Split connection tracking for TCP and non-TCP")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann
force-pushed
the
pr/fix-icmp-related
branch
from
8d4653d
to
eddafe1
Compare
|
test-me-please net-next vm provisioning fail: https://jenkins.cilium.io/job/Cilium-PR-Ginkgo-Tests-Validated/18221/ |
|
test-me-please |
1 similar comment
|
test-me-please |
|
Hit #10231 |
|
test-me-please |
borkmann
moved this from In progress (1.8)
to Done
in 1.9 kube-proxy removal & general dp optimization
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.7
in 1.7.2
maintainer-s-little-helper
bot
moved this from Needs backport from master
to Backport pending to v1.7
in 1.7.2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ct_create{4,6}() inserts related entries into the TCP CT tables given
the map is usually in the form of ct_create4(get_ct_map4(&tuple)) or
ct_create6(get_ct_map6(&tuple)). Similarly, the lookup parts are in
form of ct_lookup4(get_ct_map4(&tuple)) or ct_lookup6(get_ct_map6(&tuple)).
However, the tuples' nexthdr usually points to the one in the packet.
This means, we can /never/ find a related entry since it sits in the TCP
CT tables, but their lookup is always in the ANY table instead.
Fix the insertions by adding to the CT_MAP_ANY{4,6} tables and by that
implicityly double the capacity of TCP CT tables.
Go even beyond that by not creating related entries for CT_SERVICE entries.
It does not make sense to create CT_SERVICE entries with related flag
since we don't translate ICMP there anyway. Save overhead and don't add
them to the maps (same for NodePort/NAT related ones).
Fixes: 750b3f9 ("bpf: Split connection tracking for TCP and non-TCP")
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
This change is