From patchwork Wed Jun 27 13:34:24 2018
X-Patchwork-Submitter: Flavio Leitner
X-Patchwork-Id: 935500
From: Flavio Leitner
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Paolo Abeni, David Miller, Florian Westphal,
 netfilter-devel@vger.kernel.org, Flavio Leitner
Subject: [PATCH v2 net-next 0/2] net: preserve sock reference when scrubbing the skb.
Date: Wed, 27 Jun 2018 10:34:24 -0300
Message-Id: <20180627133426.3858-1-fbl@redhat.com>
X-Mailing-List: netdev@vger.kernel.org

The sock reference is lost when scrubbing the packet and that breaks
TSQ (TCP Small Queues) and XPS (Transmit Packet Steering) causing
performance impacts of about 50% in a single TCP stream when crossing
network namespaces.

XPS breaks because the queue mapping stored in the socket is not
available, so another random queue might be selected when the stack
needs to transmit something like a TCP ACK, or TCP Retransmissions.
That causes packet re-ordering and/or performance issues.

TSQ breaks because it orphans the packet while it is still in the
host, so packets are queued contributing to the buffer bloat problem.

Preserving the sock reference fixes both issues. The socket is
orphaned anyways in the receiving path before any relevant action,
but the transmit side needs some extra checking included in the
first patch.

The first patch will update netfilter to check if the socket
netns is local before using it.

The second patch removes the skb_orphan() from the skb_scrub_packet()
and improves the documentation.

ChangeLog:
- split into two (Eric)
- addressed Paolo's offline feedback to swap the checks in xt_socket.c
  to preserve original behavior.
- improved ip-sysctl.txt (reported by Cong)

Flavio Leitner (2):
  netfilter: check if the socket netns is correct.
  skbuff: preserve sock reference when scrubbing the skb.

 Documentation/networking/ip-sysctl.txt | 10 +++++-----
 include/net/netfilter/nf_log.h         |  3 ++-
 net/core/skbuff.c                      |  1 -
 net/ipv4/netfilter/nf_log_ipv4.c       |  8 ++++----
 net/ipv6/netfilter/nf_log_ipv6.c       |  8 ++++----
 net/netfilter/nf_conntrack_broadcast.c |  2 +-
 net/netfilter/nf_log_common.c          |  5 +++--
 net/netfilter/nf_nat_core.c            |  6 +++++-
 net/netfilter/nft_meta.c               |  9 ++++++---
 net/netfilter/nft_socket.c             |  5 ++++-
 net/netfilter/xt_cgroup.c              |  6 ++++--
 net/netfilter/xt_owner.c               |  2 +-
 net/netfilter/xt_recent.c              |  3 ++-
 net/netfilter/xt_socket.c              |  8 ++++++++
 14 files changed, 49 insertions(+), 27 deletions(-)