On Wed, Jul 29, 2015 at 3:15 PM, Eric Dumazet [off-list ref] wrote:

On Wed, 2015-07-29 at 14:47 -0700, Tom Herbert wrote:

quoted

Hi Eric,

So the scenario you're thinking is conntrack in the forwarding path,
RPS enabled (RSS not relevant), no hash from device, no IPv6 flow
labels or any other asymmetric inputs into the flow hash? I can look
at that, but it does make me wonder if maybe conntrack should set RFS
for both sides to avoid any issue with asymmetric hashes. With more
IPv6 and flow labels (which we will enable by default), asymmetric
hashes will likely become the norm.

Yes, but as long as the hash was done in software in our stack we could
use flow dissection and this swap() thing, regardless of the hashes
computed by the NIC or derived from IPv6 flow label.

The IPv6 flow label is now taken as input to the software hash (along
with VLAN id, GRE keyid, MPLS label, etc.). Packets encapsulated in
UDP also cause asymmetric hashes since the source port is used for
entropy. We have no way to predict what a remote host will put into
these fields, so our only recourse would be not include them in the
hash if symmetric hashes are really a requirement.

RFS wont fly here, as DDOS traffic will need more cache misses.