From patchwork Fri Nov 17 15:31:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Felix Huettner X-Patchwork-Id: 1865128 X-Patchwork-Delegate: horms@verge.net.au Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=mail.schwarz header.i=@mail.schwarz header.a=rsa-sha256 header.s=selector1 header.b=vDXYFr35; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SX18j5LKQz1yRV for ; Sat, 18 Nov 2023 02:31:32 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 2FE7183B31; Fri, 17 Nov 2023 15:31:26 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 2FE7183B31 Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (2048-bit key, unprotected) header.d=mail.schwarz header.i=@mail.schwarz header.a=rsa-sha256 header.s=selector1 header.b=vDXYFr35 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id euKlLTXDLCM0; Fri, 17 Nov 2023 15:31:24 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [IPv6:2605:bc80:3010:104::8cd3:938]) by smtp1.osuosl.org (Postfix) with ESMTPS id E97C2834FC; Fri, 17 Nov 2023 15:31:23 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org E97C2834FC Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id B8D9FC0DCE; Fri, 17 Nov 2023 15:31:23 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 1B632C0039 for ; Fri, 17 Nov 2023 15:31:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id CD87760AA4 for ; Fri, 17 Nov 2023 15:31:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org CD87760AA4 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key, unprotected) header.d=mail.schwarz header.i=@mail.schwarz header.a=rsa-sha256 header.s=selector1 header.b=vDXYFr35 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gYVtxVYR4QQ4 for ; Fri, 17 Nov 2023 15:31:20 +0000 (UTC) Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on20728.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d00::728]) by smtp3.osuosl.org (Postfix) with ESMTPS id 4405B608B7 for ; Fri, 17 Nov 2023 15:31:20 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 4405B608B7 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l9jfygJdR2kYs41jXKhVmxV7CeuyAH/PgNYUQOKJ2WwUY3uhR324A6VnlNUvay99l1COk6Aw2wJVwFW9E+wg54VpiFVtmz4hFrldWQqy4UqZMwP3y5fO0uycQH+p68/ER/FX+YWfsLUMnmiM88liydEPvoZ0mO/a0OJTZ/8YhAghXy2Ox8R9VA6Uv8nSP5QmUJXjXB7J4I3zOCq0wKOVPhDKRuvFsIrMY7eebGh5icWVpsMPyDWY5DuwBe/f8RRz0kj6YbTioVZwmDFGweaC4eXOkNoJ+vcEx+V/g4n8Pqzm6OZJfQ4mRqJqA2am9GNV+GlHKL0TYeQjh96+YRoIyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iWLsg/j4nvOoEtLD7BFiRpm6wpUQsBfaRcxbarTvSXY=; b=nVg2nJpp7HYzbT/6cvGDVZv8ep8Cz4uhTbA5S4B/5DmEesCSItI24OUiDfEKlxjOyHp6oQ8eau+SkuJLxFkDnSOMj7K5fRuFzJ0zRn7swmaygtRdZ90igKyp2IExA8hmY9IvUbfaf8B8fkWDDyX8g+oaO31PziUxjJYrRfLmwYyAASjqQHL621B8CgnuzOJt8T8L6dAh54GXq451n1OteZz2394aPxcTuZMPeiyyuioxZuIbJNlihGBRSlJr6zuEzz56Vf/Dy+SZFaBfcRWtLKASaZTrE1/2jqjViXCB219N9/OAsdu3mst2ymyCzYoDeWobJkJxEfNh/7RfPO2QNA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mail.schwarz; dmarc=pass action=none header.from=mail.schwarz; dkim=pass header.d=mail.schwarz; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.schwarz; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iWLsg/j4nvOoEtLD7BFiRpm6wpUQsBfaRcxbarTvSXY=; b=vDXYFr35xdfPKVb1MublzUg/n3cEoWHOeK1AJQI6x5hxLezHr5HBSHd9D8snNQY10fEB7X2WC/rw+ms/QUjtFzbJ2mHZ8PeV1B0/cs8RkTMunz9jZc3TNe/UPAQIPjKOy1klJ2OJBja4mwC9w4kHCcKiYPomQFgkd4oTHB2YaM1vpPoqhHL5MVv/GCgAvmLYDFwJNn3tnXsmQDWdyum3c6+iEMMQM+5zOrkkNMQrbRQduwDmW61ULIlMPA7x0f0cCz+7wsw6doPFCy/t3r1DdwqiEj+35eaCQASNw+MHBxBiydSB5q4H2/Lkj1Pt03qZxqE1o0ytSs7NP4RZNYJfWQ== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mail.schwarz; Received: from DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:34c::22) by AS8PR10MB6022.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:50b::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7002.19; Fri, 17 Nov 2023 15:31:16 +0000 Received: from DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM ([fe80::8969:39d0:149d:7662]) by DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM ([fe80::8969:39d0:149d:7662%4]) with mapi id 15.20.7002.019; Fri, 17 Nov 2023 15:31:16 +0000 Date: Fri, 17 Nov 2023 16:31:13 +0100 To: dev@openvswitch.org Message-ID: Mail-Followup-To: dev@openvswitch.org, Luca Czesla , Max Lamprecht Content-Disposition: inline X-ClientProxiedBy: FR3P281CA0106.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:a3::16) To DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:34c::22) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB5244:EE_|AS8PR10MB6022:EE_ X-MS-Office365-Filtering-Correlation-Id: e5906138-ec54-47cd-9c77-08dbe7823d22 x-mp-schwarz-dsgvo2: 1 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: iFA7Okr717BQqUj6OWZhbTxkHicXeRd9Xr8XDhiLuQeJhxgw1Yoz/vzyiOa+81XScsD7fiEfM/SYFxwlQ+u3241HmwyYkPLJo1nSK/rgK6XUxXJ4BJzT699CzZwY7TJ2CtDKXSOLO51z2UcMlK9kCjw9QvgpgNepL33VobAvczFNekrqowOgBu1MrBk6FpMS5hePMJC3fFfqBeKGlFVPtR7kw8QIU3y5XLwO7htGqBT7VofYSDY1KJsT/MSFWL9ZHL+K1kZnWTz8huRhLWocjFSdsbN/Np8+ij6BPhOdGpZU1j0fwYXOvAS0XUCvvDNNy4ti2durBptoKQt3rIeci+4VucXgBtozFTbxf2vb2Xaxfa0b+DmbOqBdD0XTb4tyfnZD7mWA0uZX+vSpDYO4kF3MjXSgVnLBu4HCES1Zrmt20VPSTzbDmM6nsrKWJBrm7VLRCyq7hx02T2xz79ZtmQn4gS2FFSA9/eFwQ1ygVVs7X17hJE2TPPWFyfoItDis9ryY4T/ORmu1vg6HN6jIxNrr/AhFfWrPSkngl7f+gpA= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(396003)(366004)(376002)(136003)(346002)(230922051799003)(451199024)(64100799003)(186009)(1800799009)(2906002)(38100700002)(5660300002)(86362001)(44832011)(6506007)(9686003)(66574015)(6512007)(83380400001)(82960400001)(107886003)(26005)(966005)(6666004)(41300700001)(6486002)(478600001)(66556008)(66476007)(8676002)(66946007)(316002)(54906003)(6916009)(4326008)(8936002); DIR:OUT; SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: +knsQ3eb4koxmp3s//hHi4eZMI1g6c538QCvq6F/tuZR2GMACUvU56QiK3nxzgfaT9vRNmMS/wQHt8vs4LPoYsHIsrCaBsCMg+IoWwpgFSZIpzsox6d4i/ev4tyw982OPd2GLzD+bv8DnLY0G6+0LqSSWKi6hJKrJYMIiA/Bx65RN1TehXQpIwRTOY09V5MfDOs7RaS9cIGS3aL1d383wKlXWsRU+kTNLVcs/xCMAzH8/SnHSRAJ6+CO3D6nSdYFNoH8PCewMtqLkAeJ8ZTLLM+HqecKdVUc6si4MXC7q/Cf9Qr3vayZOhITy4DUFrccJFYEAheNK6MjRlkdtUwndrf3ttPk1DTcttOLg6ifbTw74NOh/l/XbfXaB3Iaas/vUtBNptA5usywJS34eY+vJgSnxUKDZBUZS8pYGykiCyQZsAjY1O/CVw0YVb4YYbp+hesKbDViMGk+GlGBEqDC09Qu2GaL2TDcFBGSLeU4VC0w988PhQUM2B4MtaSFhUFJK1F/z+HTcGSRGRXSNo263xHB06CkYuoYnmyFgYa+UGAwsqd2VCKsnvY/WL/8HP6Jn0p1eCfu+2RpeWc4qFnIA2KF6U0kMju1x0iQx012SiWpC1vhUVZqFL1E+mWgZFLTcamcL1RCLvfRpS6iQ42tQfXxEWFuAnIr1hDi9vs1I3hFpQPmPdWON7jXQ4JMvgpcntrAnc2jIG2XFvV1JrbxLAqRtfMueTtW0Rt/hguC00hPQdHAOKYT6ilL5/I/gsu3Wm6mApDwIcosqt9ztkQiHg/kYCKwTUI1gkhgbMeyIh0f6oiKHeZC35BAy5U16wFJBK1yLWksc2oe4N9DYOfJbw5eaVrDyp9XpswK3hh3Y6bg32f3f/lngmKm6Hh0hFuDnUoElIGCFJ0huVq9VD2lK8XqWoOJXNWWZFAhFpN/Mzzor5fAF7WY58f/DyMiD/vPHkqqWs7tbuSi1vWdq9iWAy9LJ3xOgvfdeZSTAzgQ8nBOdoAUculZrae2R51CFFneg9zSr98puXDVKoyxhtAY8TL1Mhd3hxocw1o0RqTHo8KK/HTUXHEnWDduLZxzsbzH+nMqLHPSkqMcgh+nVlH7psEh2+DiqAxar8PweYqOR+jMRmLnbY26d7fNnOGsL8D7/vVkrZfxJXyTCeBnZbImh4hW2VuDUoQbEseNEv2PmYCrJCA4czskZqhMd0LgafDWXPYRIoD6ii+lXCOP8MxeSN9aUuqT1JwnhDpPjWMig6KYaq3U2VuI4gXJCsNSBxvMdn1MObMGBEh7qJa9GPM1W4vNeiI+UFaFMknoy3JkUBSv4RNFoRWN2jpbVyzLfcPSzqLGGyOqkb83QKqhTAT2AIiQqQCGyZ7a4WAKh2DDuiUN83j7x3zowLs7jbm2f4cMwMzOXyW3pDBsJZESd5Ldg6JFVwSMUj2GUMYB88+NBasR78vO+Jxd0Rj01vLydFZYSBRB8lW7OwFxW3uDTuZt4LOzSoDyqpsJl9pUQqXCyYGJImBQWjoLjC8zvvUAIqYucFot9PhPR5B5tAbZZ24D6wMMR8d/b8bp9jym74O6fK7CzQfyfmZztGaWgYnvgXhNg+ZMQXZP+gjzWRSMkl2mTA== X-OriginatorOrg: mail.schwarz X-MS-Exchange-CrossTenant-Network-Message-Id: e5906138-ec54-47cd-9c77-08dbe7823d22 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB5244.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Nov 2023 15:31:16.1302 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d04f4717-5a6e-4b98-b3f9-6918e0385f4c X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: MbywazvaJ6BNAtk56dRj8bH2+Bb4DB4Ozul5IweQyH7u7SVq4rpjZxWiVEHFsJ/1rl4Nnnbu1tpk39sV6IQ9sEmIlVrdCxH5Kizp5MGwN0g= X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR10MB6022 Subject: [ovs-dev] [RFC] netlink-conntrack: optimize flushing ct zone X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Felix Huettner via dev From: Felix Huettner Reply-To: Felix Huettner Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" NOTE: this change makes improvements depending on a change in the kernel currently on the netdev mailing list (see [1]). Previously the kernel did not provide a netlink interface to flush/list only conntrack entries matching a specific zone. With [1] it is now possible to flush and list conntrack entries filtered by zone. Older kernels not yet supporting this feature will ignore the filter. For the list request that means just returning all entries (which we can then filter in userspace as before). FOr the flush request that means deleting all conntrack entries. These significantly improves the performance of flushing conntrack zones when the conntrack table is large. Since flushing a conntrack zone is normally triggered via an openflow command it blocks the main ovs thread and thereby also blocks new flows from being applied. The main benefit can already be acheived by using the existing logicl with the additional filter based on the zone (90-95% speedup). Using the logical to flush directly by zone brings an additional 10-15% on top of that (more numbers below). In combination with OVN the creation of a Logical_Router (which causes the flushing of a ct zone) could block other operations, e.g. the failover of Logical_Routers (as they cause new flows to be created). This is visible from a user perspective as a ovn-controller that is idle (as it waits for vswitchd) and vswitchd reporting: "blocked 1000 ms waiting for main to quiesce" (potentially with ever increasing times). The following performance tests where run in a qemu vm with 500.000 conntrack entries distributed evenly over 500 ct zones using `ovstest test-netlink-conntrack flush zone=`. With this patch and the respective kernel patch applied, but OVS_NETLINK_CONNTRAK_FLUSH_ZONE_SUPPORTED unset: ----------------------------------------------------------------------------------------------------------------------------------------------------- Min (s) Median (s) 90%ile (s) 99%ile (s) Max (s) Mean (s) Total (s) Count ----------------------------------------------------------------------------------------------------------------------------------------------------- flush zone with 1000 entries 0.309 0.372 0.393 0.467 0.516 0.374 93.597 250 flush zone with no entry 0.265 0.305 0.333 0.352 0.393 0.307 76.770 250 ----------------------------------------------------------------------------------------------------------------------------------------------------- With this patch and the respective kernel patch applied, and OVS_NETLINK_CONNTRAK_FLUSH_ZONE_SUPPORTED set: ----------------------------------------------------------------------------------------------------------------------------------------------------- Min (s) Median (s) 90%ile (s) 99%ile (s) Max (s) Mean (s) Total (s) Count ----------------------------------------------------------------------------------------------------------------------------------------------------- flush zone with 1000 entries 0.256 0.323 0.341 0.367 0.389 0.322 80.729 250 flush zone with no entry 0.225 0.265 0.317 0.336 0.351 0.274 68.659 250 ----------------------------------------------------------------------------------------------------------------------------------------------------- Before this patch and/or without the respective kernel patch ----------------------------------------------------------------------------------------------------------------------------------------------------- Min (s) Median (s) 90%ile (s) 99%ile (s) Max (s) Mean (s) Total (s) Count ----------------------------------------------------------------------------------------------------------------------------------------------------- flush zone with 1000 entries 2.499 4.990 5.209 6.435 7.150 5.008 1252.158 250 flush zone with no entry 4.120 4.572 4.783 5.156 5.364 4.559 1139.786 250 ----------------------------------------------------------------------------------------------------------------------------------------------------- [1]: https://lore.kernel.org/netdev/ZVeGFP2x-Wx6duYs@SIT-SDELAP4051.int.lidl.net/T/#u --- lib/netlink-conntrack.c | 49 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) -- 2.42.0 Diese E Mail enthält möglicherweise vertrauliche Inhalte und ist nur für die Verwertung durch den vorgesehenen Empfänger bestimmt. Sollten Sie nicht der vorgesehene Empfänger sein, setzen Sie den Absender bitte unverzüglich in Kenntnis und löschen diese E Mail. Hinweise zum Datenschutz finden Sie hier. This e-mail may contain confidential content and is intended only for the specified recipient/s. If you are not the intended recipient, please inform the sender immediately and delete this e-mail. Information on data protection can be found here. diff --git a/lib/netlink-conntrack.c b/lib/netlink-conntrack.c index 492bfcffb..32be0d122 100644 --- a/lib/netlink-conntrack.c +++ b/lib/netlink-conntrack.c @@ -141,6 +141,9 @@ nl_ct_dump_start(struct nl_ct_dump_state **statep, const uint16_t *zone, nl_msg_put_nfgenmsg(&state->buf, 0, AF_UNSPEC, NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET, NLM_F_REQUEST); + if (zone) { + nl_msg_put_be16(&state->buf, CTA_ZONE, htons(*zone)); + } nl_dump_start(&state->dump, NETLINK_NETFILTER, &state->buf); ofpbuf_clear(&state->buf); @@ -283,23 +286,65 @@ nl_ct_flush_zone(uint16_t flush_zone) return err; } #else + +static bool netlink_flush_supports_zone(void) { + static bool valid, supported = false; + if (!valid) { + char *env = getenv("OVS_NETLINK_CONNTRAK_FLUSH_ZONE_SUPPORTED"); + if (env && env[0]) { + if (env[0] == 'T' || env[0] == 't') { + supported = true; + } + } + valid = true; + } + return supported; +} + int nl_ct_flush_zone(uint16_t flush_zone) { - /* Apparently, there's no netlink interface to flush a specific zone. + /* In older kernels, there was no netlink interface to flush a specific + * conntrack zone. * This code dumps every connection, checks the zone and eventually * delete the entry. + * In newer kernels there is the option to specifiy a zone for filtering + * during dumps. Older kernels ignore this option. We set it here in the + * hope we only get relevant entries back, but fall back to filtering here + * to keep compatibility. * - * This is race-prone, but it is better than using shell scripts. */ + * This is race-prone, but it is better than using shell scripts. + * + * Additionaly newer kenerls also support flushing a zone without listing + * it first. However it is not easily possible to discover if the kernel + * supports this feature or if it will flush the complete conntrack table. + * We therefor rely on an environment variable, allowing the user to + * provide us this information. In the future we can use kernel version + * numbers. */ struct nl_dump dump; struct ofpbuf buf, reply, delete; + int err; + + if (netlink_flush_supports_zone()) { + ofpbuf_init(&buf, NL_DUMP_BUFSIZE); + + nl_msg_put_nfgenmsg(&buf, 0, AF_UNSPEC, NFNL_SUBSYS_CTNETLINK, + IPCTNL_MSG_CT_DELETE, NLM_F_REQUEST); + nl_msg_put_be16(&buf, CTA_ZONE, htons(flush_zone)); + + err = nl_transact(NETLINK_NETFILTER, &buf, NULL); + ofpbuf_uninit(&buf); + + return err; + } ofpbuf_init(&buf, NL_DUMP_BUFSIZE); ofpbuf_init(&delete, NL_DUMP_BUFSIZE); nl_msg_put_nfgenmsg(&buf, 0, AF_UNSPEC, NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET, NLM_F_REQUEST); + nl_msg_put_be16(&buf, CTA_ZONE, htons(flush_zone)); nl_dump_start(&dump, NETLINK_NETFILTER, &buf); ofpbuf_clear(&buf);