Thread (10 messages) 10 messages, 2 authors, 2022-11-02

Re: [PATCH] Periodically flow expire from flow offload tables

From: Michael Lilja <hidden>
Date: 2022-10-25 12:37:04
Also in: linux-doc, lkml, netfilter-devel 

Hi,

No problem. Here is a snippet of the rulesets in play. I simplified it because there are a lot of devices and a lot of schedules per device. The ‘mark’ is set by userspace so not all flow types are offloaded, that is controlled by userspace:

- - - - snip start - - - - 
table inet fw4 {
	flowtable ft {
	hook ingress priority filter
	devices = { lan1, lan2, wan }
	flags offload
}

 chain mangle_forward {
	type filter hook forward priority mangle; policy
	meta mark set ct mark
	meta mark 0x00000000/16 queue flags bypass to 0
 }


chain my_devices_rules {
	ether saddr 96:68:97:a7:e8:a7 jump fw_p0_dev0 comment “Device match”
}

chain fw_p0_dev0 {
	meta time >= "2022-10-09 18:46:50" meta time < "2022-10-09 19:16:50" counter packets 0 bytes 0 drop comment "!Schedule OFFLINE override"
	meta day “Tuesday" meta hour >= "06:00" meta hour < "07:00" drop
}

chain forward {
	 type filter hook forward priority filter; policy accept;
	jump my_devices_rules
}

chain my_forward_offload {
	type filter hook forward priority filter + 1; policy accept;
	meta mark != 0x00000000/16 meta l4proto { tcp, udp } flow add @ft
}

chain mangle_postrouting {
	type filter hook postrouting priority mangle; policy accept;
	ct mark set meta mark
}
- - - - snip end - - - -

The use case is that I have schedules per device to control when they are allowed access to the internet and if the flows are offloaded they will not get dropped once the schedule kicks in.

Thanks

On 25 Oct 2022, at 13.05, Pablo Neira Ayuso [off-list ref] wrote:

Hi,

On Sun, Oct 23, 2022 at 07:16:58PM +0200, Michael Lilja wrote:
quoted
When a flow is added to a flow table for offload SW/HW-offload
the user has no means of controlling the flow once it has
been offloaded. If a number of firewall rules has been made using
time schedules then these rules doesn't apply for the already
offloaded flows. Adding new firewall rules also doesn't affect
already offloaded flows.

This patch handle flow table retirement giving the user the option
to at least periodically get the flow back into control of the
firewall rules so already offloaded flows can be dropped or be
pushed back to flow offload tables.

The flow retirement is disabled by default and can be set in seconds
using sysctl -w net.netfilter.nf_flowtable_retire
How does your ruleset look like? Could you detail your usecase?

Thanks.
  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help