Reorder offload processing flow for earlier pickup

[brada4]

Do ct state dispatch before offload attempt on established states only.

Before:

• first data packet in connection commonly TLS client hello is attempted to be offloaded without assured ct status then follows slow path and response , normally tls server hello , offloads flow and follows the slow path again .
• It takes 2 slow paths to re-offload timer-retired or window-adjusted packets to re-enter offload table .

After:

• ct status is marked as assured and packet is offloaded and response does not traverse slow path .
• Retired flow is adjusted by single packet and subsequent exchange offloaded skipping attempt to stuff them back in unmodified ct+offload table .
• ICMP (frag needed for example) reach related flow and offload happens on next TCP/UDP packet as before (minus the unnecessary match against udp in present path) .
• Less(er) minutely hickups in games and improved UDP VPN latency .

Signed-Off-By: Andris PE neandris@gmail.com

[brada4]

@jow- PING, thanks.

[CallMeR]

Perhaps including flows with an established or related connection state in the offload could be a better choice :)

chain forward {
        ct state established,related flow add @ft 
        ct state vmap { established : accept, related : accept, invalid : drop }
    }

[brada4]

at present offload engine does not promote !(tcp udp) packets present in related (as opposed to helper expected packets which will be offloaded once they pass from NEW to established) at all, if scope changes this can be changed.

[brada4]

@CallMeR but you have an interesting point. Is omitting tcp,udp meta faster to skip offload than offloads own filter?

EDIT: yeah i know all examples have it, but you could be better

I do one state vmap dispatch, remember packet that initiates offload leaves nft only after slow path is complete. You can drop tcp one to trigger retransmit. In your example estb packet state will stll hit 2nd accept, same flow.

Some interesting examples:

counter
flow add counter # drop
counter

add offloads in a separate related branch
none offloads...

[brada4]

i mean have no meta here

[brada4]

In my tests fastest is

flow add @ft accept
accept

apachebench lan against nginx wan with 1000 connections for 1m total 1043v2 (old CPU-challenged router) timer resolution seems 1ms and its about 1/3ms average adding extra accept and 1/20ms average omitting meta filter.

[brada4]

@CallMeR send mail with name if you want credit for idea in description.

[CallMeR]

@CallMeR send mail with name if you want credit for idea in description.

Thank you! It is already enough for me if it can help make fw4 better :) Please feel free to submit this idea on your behalf.

[brada4]

Did it alr, thanks for insightful feedback.

[brada4]

Just being crybaby - no dnat in luci.

[brada4]

@jow- could you please attend this?

• locate offload yielding to kwork at the end of slowpath
• drop invalid asap which accidentally simplifies main state dispatch

Still:

• do we need loopback nmap pedantically support
• there is an opportunity to eg counter+drop lo forward based on sysctl value ie catch numbers before sysctl drops packets.

[jow-]

Didn't you just recently add the vmap dispatching? Now it is partially rolled back? Also please squash the back-and-forth-commits in this PR into a single commit and try to explain exactly what is improved and how.

Also please properly sign off your commits and ensure that your Git metadata is properly configured, right now your commit author is set to "Your Name".

[brada4]

vmap(a:x,b:x) is identical while harder to read than a,b x in representing a x;b x vmap(a:x,b:y) is quicker form of a x;b y Just that it gave nice text processing shortcut for 3 identical places. see now it is still present in pre-rendered places where verdict outcomes are different.

if there was a utility function simulating vmap that would collapse to comma list in cases of single outcome, that could be used say in place of lan->jump lan, wan->jump wan, iot-> jump iot, but for now it is pre-rendered vmap-s where multiple rules are otherwise unavoidable.

Changed gitconfig, sorry for that. Will make clean PR instead. You can squash this as you read it.

[brada4]

iifname vmap { "virbr0" : accept } is as fast as iif "virbr0" accept, but catches interface id change, go figure.