datapath: conntrack: Support conntrack zone limit

Upstream commit: commit 11efd5cb04a184eea4f57b68ea63dddd463158d1 Author: Yi-Hung Wei <[email protected]> Date: Thu May 24 17:56:43 2018 -0700 openvswitch: Support conntrack zone limit Currently, nf_conntrack_max is used to limit the maximum number of conntrack entries in the conntrack table for every network namespace. For the VMs and containers that reside in the same namespace, they share the same conntrack table, and the total # of conntrack entries for all the VMs and containers are limited by nf_conntrack_max. In this case, if one of the VM/container abuses the usage the conntrack entries, it blocks the others from committing valid conntrack entries into the conntrack table. Even if we can possibly put the VM in different network namespace, the current nf_conntrack_max configuration is kind of rigid that we cannot limit different VM/container to have different # conntrack entries. To address the aforementioned issue, this patch proposes to have a fine-grained mechanism that could further limit the # of conntrack entries per-zone. For example, we can designate different zone to different VM, and set conntrack limit to each zone. By providing this isolation, a mis-behaved VM only consumes the conntrack entries in its own zone, and it will not influence other well-behaved VMs. Moreover, the users can set various conntrack limit to different zone based on their preference. The proposed implementation utilizes Netfilter's nf_conncount backend to count the number of connections in a particular zone. If the number of connection is above a configured limitation, ovs will return ENOMEM to the userspace. If userspace does not configure the zone limit, the limit defaults to zero that is no limitation, which is backward compatible to the behavior without this patch. The following high leve APIs are provided to the userspace: - OVS_CT_LIMIT_CMD_SET: * set default connection limit for all zones * set the connection limit for a particular zone - OVS_CT_LIMIT_CMD_DEL: * remove the connection limit for a particular zone - OVS_CT_LIMIT_CMD_GET: * get the default connection limit for all zones * get the connection limit for a particular zone Signed-off-by: Yi-Hung Wei <[email protected]> Acked-by: Pravin B Shelar <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Yi-Hung Wei <[email protected]> Signed-off-by: Justin Pettit <[email protected]>
venkatgattupalli · Aug 17, 2018 · cb2a548 · cb2a548
1 parent a52da94
commit cb2a548
Show file tree

Hide file tree

Showing 6 changed files with 574 additions and 5 deletions.
diff --git a/NEWS b/NEWS
@@ -32,6 +32,7 @@ v2.10.0 - xx xxx xxxx
    - Linux datapath
      * Add support for compiling OVS with the latest Linux 4.14 kernel.
      * Added support for meters.
+     * Add support for conntrack zone limit.
    - ovn:
      * Implemented icmp4/icmp6/tcp_reset actions in order to drop the packet
        and reply with a RST for TCP or ICMPv4/ICMPv6 unreachable message for

diff --git a/datapath/compat.h b/datapath/compat.h
@@ -26,6 +26,7 @@
 #include <net/route.h>
 #include <net/xfrm.h>
 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+#include <net/netfilter/nf_conntrack_count.h>
 
 /* Even though vanilla 3.10 kernel has grp->id, RHEL 7 kernel is missing
  * this field. */
@@ -59,8 +60,14 @@ static inline int __init compat_init(void)
 	if (err)
 		goto error_frag6_exit;
 
+	err = rpl_nf_conncount_modinit();
+	if (err)
+		goto error_nf_conncount_exit;
+
 	return 0;
 
+error_nf_conncount_exit:
+	rpl_nf_conncount_modexit();
 error_frag6_exit:
 	nf_ct_frag6_cleanup();
 error_ipfrag_exit:
@@ -69,6 +76,7 @@ static inline int __init compat_init(void)
 }
 static inline void compat_exit(void)
 {
+	rpl_nf_conncount_modexit();
 	ip6_output_exit();
 	nf_ct_frag6_cleanup();
 	rpl_ipfrag_fini();