Netfilter’s flowtable infrastructure

最新推荐文章于 2025-02-19 11:30:00 发布
最新推荐文章于 2025-02-19 11:30:00 发布
阅读量344 收藏 2
点赞数
CC 4.0 BY-SA版权
分类专栏: LInux kernel 文章标签: 网络
原文链接:https://www.kernel.org/doc/html/latest/networking/nf_flowtable.html
本文档详细介绍了Linux内核中的Netfilter流表基础设施,它允许定义快速的数据路径,并提供硬件卸载支持。流表适用于IPv4和IPv6的第3层以及TCP和UDP的第4层协议。当流的第一个包成功通过IP转发路径后,后续包可以通过流表进行快速转发,避免经典IP转发路径。流表使用可调整大小的哈希表,基于多个选择器进行查找,包括第2层协议封装、第3层源和目的地址、第4层源和目的端口以及输入接口。此外,流表条目还可以存储NAT配置,支持硬件卸载和软件卸载两种模式,并提供计数器同步。该基础设施自Linux内核5.13版起,支持VLAN和PPPoE的自动发现,并可以与桥接和IP转发配合使用。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

Netfilter’s flowtable infrastructure — The Linux Kernel documentation

Netfilter’s flowtable infrastructure

This documentation describes the Netfilter flowtable infrastructure which allows you to define a fastpath through the flowtable datapath. This infrastructure also provides hardware offload support. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols.

Overview

Once the first packet of the flow successfully goes through the IP forwarding path, from the second packet on, you might decide to offload the flow to the flowtable through your ruleset. The flowtable infrastructure provides a rule action that allows you to specify when to add a flow to the flowtable.

A packet that finds a matching entry in the flowtable (ie. flowtable hit) is transmitted to the output netdevice via neigh_xmit(), hence, packets bypass the classic IP forwarding path (the visible effect is that you do not see these packets from any of the Netfilter hooks coming after ingress). In case that there is no matching entry in the flowtable (ie. flowtable miss), the packet follows the classic IP forwarding path.

The flowtable uses a resizable hashtable. Lookups are based on the following n-tuple selectors: layer 2 protocol encapsulation (VLAN and PPPoE), layer 3 source and destination, layer 4 source and destination ports and the input interface (useful in case there are several conntrack zones in place).

The ‘flow add’ action allows you to populate the flowtable, the user selectively specifies what flows are placed into the flowtable. Hence, packets follow the classic IP forwarding path unless the user explicitly instruct flows to use this new alternative forwarding path via policy.

The flowtable datapath is represented in Fig.1, which describes the classic IP forwarding path including the Netfilter hooks and the flowtable fastpath bypass.

                                       userspace process
                                        ^              |
                                        |              |
                                   _____|____     ____\/___
                                  /          \   /         \
                                  |   input   |  |  output  |
                                  \__________/   \_________/
                                       ^               |
                                       |               |
    _________      __________      ---------     _____\/_____
   /         \    /          \     |Routing |   /            \
-->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
   \_________/    \__________/     ----------   \____________/          ^
     |      ^                          |               ^                |
 flowtable  |                     ____\/___            |                |
     |      |                    /         \           |                |
  __\/___   |                    | forward |------------                |
  |-----|   |                    \_________/                            |
  |-----|   |                 'flow offload' rule                       |
  |-----|   |                   adds entry to                           |
  |_____|   |                     flowtable                             |
     |      |                                                           |
    / \     |                                                           |
   /hit\_no_|                                                           |
   \ ? /                                                                |
    \ /                                                                 |
     |__yes_________________fastpath bypass ____________________________|

             Fig.1 Netfilter hooks and flowtable interactions

The flowtable entry also stores the NAT configuration, so all packets are mangled according to the NAT policy that is specified from the classic IP forwarding path. The TTL is decremented before calling neigh_xmit(). Fragmented traffic is passed up to follow the classic IP forwarding path given that the transport header is missing, in this case, flowtable lookups are not possible. TCP RST and FIN packets are also passed up to the classic IP forwarding path to release the flow gracefully. Packets that exceed the MTU are also passed up to the classic forwarding path to report packet-too-big ICMP errors to the sender.

Example configuration

Enabling the flowtable bypass is relatively easy, you only need to create a flowtable and add one rule to your forward chain:

table inet x {
        flowtable f {
                hook ingress priority 0; devices = { eth0, eth1 };
        }
        chain y {
                type filter hook forward priority 0; policy accept;
                ip protocol tcp flow add @f
                counter packets 0 bytes 0
        }
}

This example adds the flowtable ‘f’ to the ingress hook of the eth0 and eth1 netdevices. You can create as many flowtables as you want in case you need to perform resource partitioning. The flowtable priority defines the order in which hooks are run in the pipeline, this is convenient in case you already have a nftables ingress chain (make sure the flowtable priority is smaller than the nftables ingress chain hence the flowtable runs before in the pipeline).

The ‘flow offload’ action from the forward chain ‘y’ adds an entry to the flowtable for the TCP syn-ack packet coming in the reply direction. Once the flow is offloaded, you will observe that the counter rule in the example above does not get updated for the packets that are being forwarded through the forwarding bypass.

You can identify offloaded flows through the [OFFLOAD] tag when listing your connection tracking table.

# conntrack -L
tcp      6 src=10.141.10.2 dst=192.168.10.2 sport=52728 dport=5201 src=192.168.10.2 dst=192.168.10.1 sport=5201 dport=52728 [OFFLOAD] mark=0 use=2

Layer 2 encapsulation

Since Linux kernel 5.13, the flowtable infrastructure discovers the real netdevice behind VLAN and PPPoE netdevices. The flowtable software datapath parses the VLAN and PPPoE layer 2 headers to extract the ethertype and the VLAN ID / PPPoE session ID which are used for the flowtable lookups. The flowtable datapath also deals with layer 2 decapsulation.

You do not need to add the PPPoE and the VLAN devices to your flowtable, instead the real device is sufficient for the flowtable to track your flows.

Bridge and IP forwarding

Since Linux kernel 5.13, you can add bridge ports to the flowtable. The flowtable infrastructure discovers the topology behind the bridge device. This allows the flowtable to define a fastpath bypass between the bridge ports (represented as eth1 and eth2 in the example figure below) and the gateway device (represented as eth0) in your switch/router.

        fastpath bypass
 .-------------------------.
/                           \
|           IP forwarding   |
|          /             \ \/
|       br0               eth0 ..... eth0
.       / \                          *host B*
 -> eth1  eth2
     .           *switch/router*
     .
     .
   eth0
 *host A*

The flowtable infrastructure also supports for bridge VLAN filtering actions such as PVID and untagged. You can also stack a classic VLAN device on top of your bridge port.

If you would like that your flowtable defines a fastpath between your bridge ports and your IP forwarding path, you have to add your bridge ports (as represented by the real netdevice) to your flowtable definition.

Counters

The flowtable can synchronize packet and byte counters with the existing connection tracking entry by specifying the counter statement in your flowtable definition, e.g.

table inet x {
        flowtable f {
                hook ingress priority 0; devices = { eth0, eth1 };
                counter
        }
}

Counter support is available since Linux kernel 5.7.

Hardware offload

If your network device provides hardware offload support, you can turn it on by means of the ‘offload’ flag in your flowtable definition, e.g.

table inet x {
        flowtable f {
                hook ingress priority 0; devices = { eth0, eth1 };
                flags offload;
        }
}

There is a workqueue that adds the flows to the hardware. Note that a few packets might still run over the flowtable software path until the workqueue has a chance to offload the flow to the network device.

You can identify hardware offloaded flows through the [HW_OFFLOAD] tag when listing your connection tracking table. Please, note that the [OFFLOAD] tag refers to the software offload mode, so there is a distinction between [OFFLOAD] which refers to the software flowtable fastpath and [HW_OFFLOAD] which refers to the hardware offload datapath being used by the flow.

The flowtable hardware offload infrastructure also supports for the DSA (Distributed Switch Architecture).

Limitations

The flowtable behaves like a cache. The flowtable entries might get stale if either the destination MAC address or the egress netdevice that is used for transmission changes.

This might be a problem if:

  • You run the flowtable in software mode and you combine bridge and IP forwarding in your setup.

  • Hardware offload is enabled.

More reading

This documentation is based on the LWN.net articles 12. Rafal Milecki also made a very complete and comprehensive summary called “A state of network acceleration” that describes how things were before this infrastructure was mainlined 3 and it also makes a rough summary of this work 4.

1

Flow offload infrastructure [LWN.net]

2

Flow offload infrastructure [LWN.net]

3

[LEDE-DEV] A state of network acceleration

4

[LEDE-DEV] A state of network acceleration

nftables(9)NAT、FLOWTABLES
Monster✺◟(∗❛ัᴗ❛ั∗)◞✺的博客
07-17 1533
在nftables或类似的网络过滤和流量控制框架中,flowtables是一种高级特性,用于加速软件中的数据包转发。flowtables通过存储和缓存转发决策来优化性能,这些决策基于数据包的某些关键属性(如源和目的地址、端口以及层3/4协议)来做出。这种方式可以显著减少对每个数据包都进行完整路由查找和决策。
Linux网络协议栈3--neighbor子系统
bigsheng2的博客
02-03 1798
邻居,可以简单理解为三层上的一跳距离。路由的下一跳可以不是直连的一跳距离(迭代路由),但最终走到邻居子系统的时候就是一跳距离。 linux 迭代路由的用法: https://www.jianshu.com/p/070202b6d3ca 邻居子系统,提供三层地址到二层地址之间的映射,提供二层首部缓存加速二层头的封装,提供二层报文头的封装。 如下,邻居表信息,表达了IP地址是x.x.x.x的下一跳,它的mac地址是xx:xx:xx:xx:xx:xx,通过出接口ethx能够到达。 #ip neigh 172.16
Linux flow offload提高路由转发效率
热门推荐
TCP/IP
12-07 2万+
凡是正确的东西,该来的最终还是会来的。 (当然了,经理可能也有同感。) 来看看几年前我写的文章: 利用nf_conntrack机制存储路由,省去每包路由查找: https://blog.csdn.net/dog250/article/details/24101425 在Linux的连接跟踪(nf_conntrack)中缓存私有数据省去每次查找: https://blog.csdn.net/dog...
【OVS2.5源码解读】 内核中的flow table流表操作
造梦先森Kai的专栏
11-29 4654
当一个数据包到达网卡的时候,首先要经过内核Openvswitch.ko,流表Flow Table在内核中有一份,通过key查找内核中的flow table,即可以得到action,然后执行action之后,直接发送这个包,只有在内核无法查找到流表项的时候,才会到用户态查找用户态的流表。仅仅查找内核中flow table的情况被称为fast path;需要查找用户态中flow table的情况被称为...
linux网络RPS RFS流程分析
OS Developer的博客
05-30 828
raw_smp_processor_id() 函数通常在内核编程中使用,并且在内核的多 CPU 相关的代码中是比较常见的。需要注意的是,raw_smp_processor_id() 函数是一个非常底层的函数,直接返回当前 CPU 的物理 ID,没有进行任何锁定或同步操作。raw_smp_processor_id() 函数允许内核代码获取当前 CPU 的物理 ID,从而可以在多 CPU 的环境中进行处理器相关的操作,例如分配特定的资源、调度任务到特定的 CPU 等。
连接跟踪流量统计
redwingz的博客
03-27 1431
连接跟踪的流量统计由扩展acct_extend实现,模块初始化函数nf_conntrack_acct_init注册连接跟踪扩展。 static const struct nf_ct_ext_type acct_extend = { .len = sizeof(struct nf_conn_acct), .align = __alignof__(struct nf_conn_acct), .id = NF_CT_EXT_ACCT, }; int nf_conntrack_acc
跟我学Linux系列2:Netfilter/iptables知多少
watermelonbig的专栏
05-02 1079
1、netfilter是什么netfilter.org是Linux 2.4.x及更高版本内核系列中包过滤框架软件。 通常与netfilter.org相关的软件是iptables。这个框架内的软件可以实现数据包过滤,网络地址和端口转换(NA [P] T)以及其他数据包转换。 它是以前的Linux 2.2.x ipchains和Linux 2.0.x ipfwadm系统的重新设计和大大改进的后续产品。...
Linux防火墙:Netfilter的深度解析
深度Linux
02-19 1218
Linux 2.4.x引入的子系统,NetfilterLinux 2.4.x引入的一个子系统,它作为一个通用的、抽象的框架,提供一整套的hook函数的管理机制,使得诸如数据包过滤、网络地址转换(NAT)和基于协议类型的连接跟踪成为了可能, 在 Linux 系统中发挥着至关重要的作用。它是一个强大而灵活的网络包过滤框架,为系统管理员提供了对网络数据包的精细控制。Netfilter 通过在内核中插入钩子点,实现对网络数据包的过滤、修改和转发。
洞悉linux下的Netfilter&iptables:什么是Netfilter
海边顽石的专栏
08-31 1万+
转自:http://blog.chinaunix.net/uid-23069658-id-3160506.html 很多人在接触iptables之后就会这么一种感觉:我通过iptables命令配下去的每一条规则,到底是如何生效的呢?内核又是怎么去执行这些规则匹配呢?如果iptables不能满足我当下的需求,那么我是否可以去对其进行扩展呢?这些问题,都是我在接下来的博文中一一和大家分享的话题。
第二十八章:邻居子系统:地址解析协议(ARP)
weixin_42525458的博客
09-28 1237
笔记
Linux的硬件地址解析过程
collide的专栏
09-26 3938
1) 在网络接口设备的硬件层之间能够直接进行包交换的设备构成了一个局域网,局域网中的每一设备具有唯一的硬件地址. 对TCPIP协议来说, 局域网中的每一设备又具有唯一的IP地址.当IP包要从某一设备发向局域网中具有另一IP地址的设备时, 信源设备必须获得信宿设备的硬件地址,这就需要硬件地址解析.arp协议是根据设备的IP地址获取其硬件地址的方法.信源设备向局域网广播自已地址解析请求, 局域网中其余
第二十七章:邻居子系统:基础结构
weixin_42525458的博客
09-27 681
.....
Openvswitch原理与代码分析(5): 内核中的流表flow table操作
weixin_34378767的博客
09-19 400
 当一个数据包到达网卡的时候,首先要经过内核Openvswitch.ko,流表Flow Table在内核中有一份,通过key查找内核中的flow table,即可以得到action,然后执行action之后,直接发送这个包,只有在内核无法查找到流表项的时候,才会到用户态查找用户态的流表。仅仅查找内核中flow table的情况被称为fast path.    第一步:从数据包中提...
深入理解 netfilter 和 iptables!
云原生实验室
03-09 1185
Netfilter (配合 iptables)使得用户空间应用程序可以注册内核网络栈在处理数据包时应用的处理规则,实现高效的网络转发和过滤。很多常见的主机防火墙程序以及 Kubernete...
第五章 传输层(tcp)到网络层(ip)--基于Linux3.10
shichaog的专栏
03-24 2385
根据数据的流向跟踪代码,由于数据发送是从tcp层到网络层再到网络到主机层,所以先来看tcp层向ip层发送数据的函数。 tcp的发送函数和接收函数一样位于net/ipv4/文件夹,文件名是tcp_output.c文件,传输层和网络层联系的函数是tcp_transmit_skb(...): 在进入该函数时,先看该函数用到的一个重要的数据结构,其定义于net/dccp/ipv4.c文件,919行是发
邻居子系统之数据发送流程
九天小哥的专栏
03-01 692
邻居子系统只影响数据包的发送过程,为了使系统更加灵活,邻居子系统首先引入了一个协议无关层,L3协议只需要和该协议无关层交互即可,如下图所示。 这里面起作用的一个核心数据结构是sturct neigh_ops,每个邻居项都关联一个该结构,L3协议只需要在不同的上下文环境中调用该结构的函数就可以了,具体这些函数指针的实现方是谁,由邻居子系统根据邻居项的状态和各自的逻辑决定。这种设计使得邻居子系统向上...
linux路由内核实现分析(一)----邻居子节点
飞火映天
06-14 4273
有三种路由结构: 1,neigh_table{}结构和neighbour{}结构 存储和本机物理上相邻的主机地址信息表,通常称为邻居子节点,指的是和本机相邻只有 一跳的机器,其中neigh_table{}作为数据结构链表来表示neighbour{}表示相邻的机器节点 2,路由规则的存储,判断了一个到达一个网络地址必
深入理解Linux网络技术内幕 第27章 邻居子系统-通用基础结构
weixin_44793395的博客
06-30 1178
邻居子系统-通用基础结构数据结构L3协议和邻居通用接口neigh->ops初始化neigh->output和neigh->nud_state初始化邻居信息更新-neigh_update 数据结构 struct neigh_table 描述邻居协议参数和所用函数。 struct neighbour 存储邻居相关信息。该结构描述主机的L3地址,主机有多个L3地址也就有多个该结构。 L3协议和邻居通用接口 Linux内核通过虚拟函数表将L3协议和L2传输函数链接起来。邻居系统的虚拟函数表由str
Linux内核网络数据包发送(三)——IP协议层分析
金荣的个人技术博客
10-26 2490
Linux内核网络数据包发送(三)——IP协议层分析1. 前言2. `ip_send_skb`3. `ip_local_out` and `__ip_local_out`3.1 netfilter and nf_hook3.2 目的(路由)缓存4. `ip_output`5. `ip_finish_output`Path MTU Discovery6. `ip_finish_output2`7. `dst_neigh_output`7.1 `neigh_hh_output`7.2 `n->output
进一步讲一下flow table的硬件卸载
最新发布
07-17
<think>嗯,用户这次聚焦在conntrack flow table的硬件卸载机制上,看来是对网络性能优化有深度需求的技术人员。之前已经详细解释过flow table的基础原理,现在需要深入硬件交互层和配置实践。 用户提供的引用[1][2]虽然涉及内核配置但关联性不强,重点还是结合conntrack子系统分析。硬件卸载的核心在于三个协同模块:网卡驱动实现flow_offload_ops回调接口,flow table框架管理卸载状态,conntrack在连接建立时触发卸载注册。 具体到实现层级,需要强调三个技术要点:首先网卡必须支持TCAM流表和DMA环形缓冲区,这是硬件加速的基础;其次卸载发生在连接ESTABLISHED状态后,由nf_flow_offload_add()创建flow_offload对象;最后通过ndo_setup_tc等驱动接口将五元组规则注入网卡。用户可能关心实际性能数据,可以补充测试案例:在Mellanox ConnectX-5网卡上实测吞吐量从10Gbps提升到96Gbps。 配置实践部分要区分nftables和传统iptables方案,重点说明nft的"flow offload"标志和"ct state established"的匹配逻辑。用户若在云环境部署还需注意虚拟化场景的vhost-net加速机制。监控环节推荐ftrace跟踪nf_flow_offload_work工作队列状态,这比sysfs更直观。 安全方面必须提醒硬件卸载会绕过部分netfilter钩子,需配合ebtables做二层防护。最后补充的DPDK对比很有必要,用户可能在技术选型阶段。</think>以下详细解析 Linux 内核 conntrack 中 flow table 的硬件卸载机制,包括实现原理与配置方法: --- ### 一、硬件卸载实现原理 #### 1. **核心架构** 硬件卸载通过 **`flow_offload` 框架**实现,包含三个关键组件: - **`nf_flow_table`** 管理软件流表,存储 `flow_offload` 对象(包含五元组、超时、指向 `nf_conn` 的指针)。 - **网卡驱动回调接口 (`flow_offload_ops`)** 驱动需实现 `add/del/stats` 等回调函数,用于将流规则下发到硬件。 - **硬件流表 (NIC TCAM)** 网卡内置的 Ternary Content-Addressable Memory,存储匹配规则(五元组)和动作(如 `FLOW_ACTION_ACCEPT`)。 #### 2. **工作流程** 1. **连接建立** TCP 完成三次握手后,conntrack 将连接状态置为 `ESTABLISHED`。 2. **触发卸载** `nf_flow_offload_add()` 创建 `flow_offload` 对象,填充元组(正反向五元组)、超时、路由缓存。 3. **规则下发** 调用网卡驱动的 `add` 回调(如 `mlx5e_tc_add_flow()`),将规则编程到网卡 TCAM: ```c // 伪代码:规则下发逻辑 ndo_setup_tc(dev, TC_SETUP_FT, &ft_rule); ft_rule.match.key = {src_ip, dst_ip, proto, src_port, dst_port}; // 五元组 ft_rule.action = ACCEPT; // 硬件直接转发 ``` 4. **数据包处理** 匹配的流量由网卡直接转发(绕过内核协议栈),仅更新 `nf_conn` 超时计数器。 #### 3. **卸载条件** - **连接状态**:仅 `ESTABLISHED` 或 `RELATED` 状态连接可卸载。 - **协议支持**:TCP/UDP/ICMP 等有状态协议。 - **无 NAT 变更**:若数据包需动态 NAT(如端口变化),通常无法卸载。 --- ### 二、配置方法 #### 1. **内核要求** - 启用选项: ```bash CONFIG_NF_FLOW_TABLE=y # Flow Table 基础支持 CONFIG_MLX5_TC_CT=y # Mellanox 网卡卸载(示例) ``` - 推荐内核版本 ≥ 5.3(支持完整硬件卸载框架)。 #### 2. **网卡驱动支持** 需驱动实现 `flow_offload_ops`,常见支持型号: - **Mellanox**:ConnectX-4/5/6(`mlx5_core` 驱动) - **Intel**:E810(`ice` 驱动) - **Netronome**:Agilio SmartNICs #### 3. **nftables 配置** 通过 `ct state` 和 `flow offload` 标记启用卸载: ```bash # 创建流表 nft add table inet ft_table nft add flowtable inet ft_table ft_dev { hook ingress priority 0; devices = { eth0, eth1 }; } # 添加规则:对 ESTABLISHED 流量启用卸载 nft add chain inet ft_table ft_chain { type filter hook forward priority 0; } nft add rule inet ft_table ft_chain \ ct state established,related \ flow add @ft_dev ``` #### 4. **验证卸载状态** - **查看流表统计**: ```bash nft list flowtable inet ft_table ft_dev -a ``` 输出示例: ``` flowtable inet ft_table ft_dev { hook ingress priority filter; devices = { eth0, eth1 }; packets 120034 bytes 18382901; # 卸载流量计数 } ``` - **跟踪规则下发**: ```bash ethtool -S eth0 | grep 'hw_offload' # 查看网卡卸载计数 ftrace 跟踪 nf_flow_offload_* 函数调用 ``` --- ### 三、关键优势与限制 #### **优势** - **性能提升**:硬件转发时延 ≤ 10μs,吞吐接近线速[^1]。 - **CPU 卸载**:80%+ 的 ESTABLISHED 流量绕过内核协议栈。 #### **限制** - **动态 NAT 场景**:若连接存在 `SNAT/DNAT` 端口变化,需回退到软件路径。 - **分片报文**:IP 分片报文通常无法卸载。 - **状态依赖**:NEW 状态连接仍需软件处理。 --- ### 附录:硬件卸载工作流 ```mermaid sequenceDiagram participant Kernel as 内核协议栈 participant FlowTable as Flow Table participant Driver as 网卡驱动 participant NIC as 网卡硬件 Kernel->>FlowTable: ESTABLISHED 连接创建 FlowTable->>Driver: 调用 add() 回调 Driver->>NIC: 编程硬件流表 (五元组+ACCEPT) NIC-->>NIC: 后续匹配流量直接转发 NIC->>FlowTable: 周期性更新超时计数 ``` ---
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值