-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bpf: nodeport: reduce CT lookup scope #25826
Conversation
/test |
@gentoo-root ha, I was hoping it would hit you 😄 . No particular rush, let's give this a good thought. But the complexity results look pretty nice.... |
(back to draft for a bit, we can do even better ...) |
4fc2a5c
to
b7f4cd1
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Really nice cleanup! Conntrack lookups are becoming easier and easier to understand.
I'll take another look after you move it out from draft.
/* Lookup entry in forward direction */ | ||
if (dir != CT_SERVICE) { | ||
/* now lookup in forward direction: */ | ||
case SCOPE_FORWARD: | ||
ipv6_ct_tuple_reverse(tuple); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A further improvement could be to make the callers pass the right tuple from the beginning, without the need to reverse it here if scope is SCOPE_FORWARD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh yes, nice idea. Definitely follow-on material - we'd need to check how far back we can push this in the call chain without having subtle changes in behaviour. But would make a lot of sense to me.
Glad that you feel it becomes easier to understand! That's worth even more than the complexity reductions 😊. FWIW, I'm in no rush to squeeze this in just before feature freeze. Thinking it might make more sense to merge it early for v1.15, add the SNAT changes, give it some time to mature, and take a thorough pass over all the debug statements etc in the CT code to make sure that everything still fits. |
b7f4cd1
to
0551250
Compare
/ci-l4lb |
The function only returns a very narrow scope of values, document this clearly. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
A CT lookup is usually done in two directions - first the reverse direction (to match replies), then the actual direction. Currently the only exception is CT_SERVICE lookups, where we only check the reverse direction. Control this behaviour independently of the CT_SERVICE type, so that we can introduce more uni-directional lookups with subsequent patches. No functional change intended. Note that users of SCOPE_REVERSE need to tolerate that their passed-in CT tuple won't be reversed after the CT lookup. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
For RevDNAT we only care about lookups that return CT_REPLY. So avoid the second lookup in the forward direction. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Both the NAT path in the LB (for DNATed service requests) and the DSR path in the backend node (for requests on a DSR connection) need to perform CT tracking. Currently their CT code needs to handle an unexpected CT_REPLY result from the CT lookup - which we're treating as a match of a stale entry that needs to be recreated. But if we instead limit the lookup scope to the forward direction, we won't even match such entries. Instead we get a CT_NEW result, and create a fresh entry - implicitly clearing any sort of stale entry. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
0551250
to
8061285
Compare
/test |
I take that back 😄. Looks like we might need it a bit earlier than I expected... Updated the |
The standard behaviour for a CT lookup is that we first check whether the packet is a reply for some tracked connection. If that doesn't return a match, we do an additional lookup for the packet's actual direction (which might either find a match, or return
CT_NEW
). The exception is when we look for entries of typeCT_SERVICE
- here we already avoid the second lookup.But we have some additional code paths that would benefit from excluding the second lookup
CT_REPLY
lookup result (as it only wants to reverse-translate the replies for nodeport connections). This PR converts those users.SCOPE_FORWARD
.Make the needed changes so that we can avoid the second lookup. This reduces code size / complexity, and offers more robust behaviour (as we no longer have to consider "impossible" CT results).