Re: [PATCH] Periodically flow expire from flow offload tables

From: Michael Lilja
Date: Tue Oct 25 2022 - 08:37:04 EST


Hi,

No problem. Here is a snippet of the rulesets in play. I simplified it because there are a lot of devices and a lot of schedules per device. The ‘mark’ is set by userspace so not all flow types are offloaded, that is controlled by userspace:

- - - - snip start - - - -
table inet fw4 {
flowtable ft {
hook ingress priority filter
devices = { lan1, lan2, wan }
flags offload
}

chain mangle_forward {
type filter hook forward priority mangle; policy
meta mark set ct mark
meta mark 0x00000000/16 queue flags bypass to 0
}


chain my_devices_rules {
ether saddr 96:68:97:a7:e8:a7 jump fw_p0_dev0 comment “Device match”
}

chain fw_p0_dev0 {
meta time >= "2022-10-09 18:46:50" meta time < "2022-10-09 19:16:50" counter packets 0 bytes 0 drop comment "!Schedule OFFLINE override"
meta day “Tuesday" meta hour >= "06:00" meta hour < "07:00" drop
}

chain forward {
type filter hook forward priority filter; policy accept;
jump my_devices_rules
}

chain my_forward_offload {
type filter hook forward priority filter + 1; policy accept;
meta mark != 0x00000000/16 meta l4proto { tcp, udp } flow add @ft
}

chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
ct mark set meta mark
}
- - - - snip end - - - -

The use case is that I have schedules per device to control when they are allowed access to the internet and if the flows are offloaded they will not get dropped once the schedule kicks in.

Thanks

> On 25 Oct 2022, at 13.05, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> On Sun, Oct 23, 2022 at 07:16:58PM +0200, Michael Lilja wrote:
>> When a flow is added to a flow table for offload SW/HW-offload
>> the user has no means of controlling the flow once it has
>> been offloaded. If a number of firewall rules has been made using
>> time schedules then these rules doesn't apply for the already
>> offloaded flows. Adding new firewall rules also doesn't affect
>> already offloaded flows.
>>
>> This patch handle flow table retirement giving the user the option
>> to at least periodically get the flow back into control of the
>> firewall rules so already offloaded flows can be dropped or be
>> pushed back to flow offload tables.
>>
>> The flow retirement is disabled by default and can be set in seconds
>> using sysctl -w net.netfilter.nf_flowtable_retire
>
> How does your ruleset look like? Could you detail your usecase?
>
> Thanks.