Hauke Mehrtens
This backports some patches from kernel 5.15 to fix issues with flowtable offloading in kernel 5.10. OpenWrt backports most of the patches related to flowtable offloading from kernel 5.15 already, but we are missing some of the extra fixes.

This fixes some connection tracking problems when a flow gets removed from the offload and added to the normal SW path again.

The patch 614-v5.18-netfilter-flowtable-fix-TCP-flow-teardown.patch was extended manually with the nf_conntrack_tcp_established() function.

All changes are already included in kernel 5.15.

Fixes: #8776
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
28 lines
885 B
Diff
From: Felix Fietkau <nbd@nbd.name>
Date: Fri, 6 May 2022 12:37:23 +0200
Subject: [PATCH] netfilter: flowtable: fix excessive hw offload attempts
after failure
If a flow cannot be offloaded, the code currently repeatedly tries again as
quickly as possible, which can significantly increase system load.
Fix this by limiting flow timeout update and hardware offload retry to once
per second.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -318,8 +318,10 @@ void flow_offload_refresh(struct nf_flow
u32 timeout;
timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
- if (READ_ONCE(flow->timeout) != timeout)
+ if (timeout - READ_ONCE(flow->timeout) > HZ)
WRITE_ONCE(flow->timeout, timeout);
+ else
+ return;
if (likely(!nf_flowtable_hw_offload(flow_table)))
return;
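Review bot: The new test `if (timeout - READ_ONCE(flow->timeout) > HZ)` in flow_offload_refresh() relies on unsigned wraparound (`timeout` is declared `u32`), and nothing in the hunk documents that. If the stored value is ever ahead of the freshly computed one, the difference wraps to a large number and the write branch is taken; that looks intended but deserves a one-line comment. The added `else return;` also skips the `nf_flowtable_hw_offload(flow_table)` check below it, which is how the hardware offload retry ends up limited to once per second as the commit message says. An early-return guard such as `if (timeout - READ_ONCE(flow->timeout) <= HZ) return;` followed by an unconditional `WRITE_ONCE(flow->timeout, timeout);` would make that coupling easier to see. Note too that with `> HZ` the stored timeout can lag the computed one by up to HZ jiffies before it is refreshed.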