date 2025-08-25

This feature tracks connections and stores state for each of them. When used with OVS, BlueField can offload connection tracking, so that the traffic of established connections bypasses the kernel and is forwarded directly by the hardware.

Both source NAT (SNAT) and destination NAT (DNAT) are supported with connection tracking offload.

This section provides an example of configuring OVS to offload all IP connections of host PF0.

1. Enable OVS hardware offloading.

2. Create the OVS connection tracking bridge. Run:

   $ ovs-vsctl add-br ctBr

3. Add p0 and pf0hpf to the bridge. Run:

   $ ovs-vsctl add-port ctBr p0
   $ ovs-vsctl add-port ctBr pf0hpf

4. Forward ARP packets normally, and send untracked IP packets through conntrack and on to table 1. Run:

   $ ovs-ofctl add-flow ctBr "table=0,arp,action=normal"
   $ ovs-ofctl add-flow ctBr "table=0,ip,ct_state=-trk,action=ct(table=1)"

   RoCEv2 packets must also be forwarded normally. RoCEv2 uses UDP destination port 4791 with a different source port in each direction of the connection, so it cannot be tracked as one connection; RoCE traffic is not supported by CT. To run RoCE from the host, add the following flow so that RoCEv2 UDP packets skip the connection tracking rules:

   $ ovs-ofctl add-flow ctBr table=0,udp,tp_dst=4791,action=normal

   OpenFlow chooses between overlapping flows by priority, not by the order in which they were added, so give this flow a higher priority than the generic "ip,ct_state=-trk" flow (for example priority=10); with equal priorities the choice is undefined and RoCE traffic may still be sent through conntrack.

5. Commit new connections to conntrack and then forward them normally. Run:

   $ ovs-ofctl add-flow ctBr "table=1,priority=1,ip,ct_state=+trk+new,action=ct(commit),normal"

6. Forward packets of already established connections normally. Run:

   $ ovs-ofctl add-flow ctBr "table=1,priority=1,ip,ct_state=+trk+est,action=normal"

This section provides an example of configuring OVS to offload all IP connections of host PF0 while performing source network address translation (SNAT). The server host sends traffic with source IP 2.2.2.1 to 1.1.1.2 on another host. The BlueField Arm side performs SNAT and rewrites the source IP to 1.1.1.16. Note that a static ARP entry or route for 1.1.1.16 must be configured so that the return traffic can be resolved and reach the BlueField.

The flows below build on the bridge from the previous example; an add-flow whose match and priority are identical to an existing flow replaces that flow's actions.

1. Send untracked IP packets through conntrack with NAT applied. Run:

   $ ovs-ofctl add-flow ctBr "table=0,ip,ct_state=-trk,action=ct(table=1,nat)"

2. Commit new connections originating from the host with SNAT to 1.1.1.16 and send them out p0. Run:

   $ ovs-ofctl add-flow ctBr "table=1,in_port=pf0hpf,ip,ct_state=+trk+new,action=ct(commit,nat(src=1.1.1.16)), p0"

3. Forward packets of already established connections normally. Run:

   $ ovs-ofctl add-flow ctBr "table=1,ip,ct_state=+trk+est,action=normal"

Conntrack then shows the connection with SNAT applied (the reply tuple's destination is the translated address). Run conntrack -L on an Ubuntu 22.04 kernel, or cat /proc/net/nf_conntrack on older kernel versions. Example output:

   ipv4 2 tcp 6 src=2.2.2.1 dst=1.1.1.2 sport=34541 dport=5001 src=1.1.1.2 dst=1.1.1.16 sport=5001 dport=34541 [OFFLOAD] mark=0 zone=1 use=3
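The following script, added here as an example rather than taken from the BlueField documentation, generates the complete rule set for both procedures above (plain CT offload, and CT offload with host-side SNAT) from one function and can install it on the bridge. It differs from the page's commands in two deliberate ways: the ARP and RoCEv2 bypass flows carry an explicit higher priority than the generic "ip,ct_state=-trk" flow, and the flows are installed atomically with ovs-ofctl replace-flows. The port names pf0hpf, p0, the bridge name ctBr and the SNAT address 1.1.1.16 are the page's; the hw-offload setting is the standard OVS other_config key.

```shell
#!/bin/sh
# Generate (and optionally apply) the OpenFlow rule set for OVS connection
# tracking offload, with an optional host-side SNAT.
#
#   ct_flows HOST_PORT UPLINK_PORT [SNAT_IP]          -> one flow per line on stdout
#   ct_apply BRIDGE HOST_PORT UPLINK_PORT [SNAT_IP]   -> creates the bridge and installs the flows
ct_flows() {
  host=$1; uplink=$2; snat=$3
  # Table 0: ARP and RoCEv2 (UDP/4791) bypass conntrack. Both carry a higher
  # priority than the generic IP rule, because OpenFlow selects among
  # overlapping flows by priority, not by insertion order.
  echo "table=0,priority=100,arp,actions=normal"
  echo "table=0,priority=100,udp,tp_dst=4791,actions=normal"
  if [ -n "$snat" ]; then
    # Untracked IP: run through conntrack, applying any existing NAT binding.
    echo "table=0,priority=10,ip,ct_state=-trk,actions=ct(table=1,nat)"
    # New connections from the host: commit with SNAT and send out the uplink.
    # (As on the page, new connections arriving on the uplink get no rule.)
    echo "table=1,priority=10,in_port=$host,ip,ct_state=+trk+new,actions=ct(commit,nat(src=$snat)),$uplink"
  else
    echo "table=0,priority=10,ip,ct_state=-trk,actions=ct(table=1)"
    echo "table=1,priority=10,ip,ct_state=+trk+new,actions=ct(commit),normal"
  fi
  # Established connections (the offload candidates) are forwarded normally.
  echo "table=1,priority=10,ip,ct_state=+trk+est,actions=normal"
}

ct_apply() {
  br=$1; shift
  # hw-offload only takes effect after the openvswitch service is restarted.
  ovs-vsctl set Open_vSwitch . other_config:hw-offload=true
  ovs-vsctl --may-exist add-br "$br"
  ovs-vsctl --may-exist add-port "$br" "$1"
  ovs-vsctl --may-exist add-port "$br" "$2"
  # replace-flows installs the whole flow table from stdin ("-") in one step.
  ct_flows "$@" | ovs-ofctl replace-flows "$br" -
}

# Dry run: print both rule sets (no OVS needed).
echo "# plain CT offload"
ct_flows pf0hpf p0
echo "# CT offload with SNAT to 1.1.1.16"
ct_flows pf0hpf p0 1.1.1.16
# On the BlueField Arm:  ct_apply ctBr pf0hpf p0   or   ct_apply ctBr pf0hpf p0 1.1.1.16
```

Run it without arguments to review the generated flows first; ct_apply is only meaningful on the BlueField Arm with OVS running, and the hw-offload setting still requires an openvswitch restart before flows are actually offloaded.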

Start traffic on PF0 from the server host toward an external network (e.g., with iperf). Note that only established connections can be offloaded: a TCP connection must have completed its handshake, and a UDP flow must have seen a reply, before it is eligible.

Note ICMP is not currently supported.

To check whether specific connections are offloaded from the Arm, run conntrack -L on an Ubuntu 22.04 kernel, or cat /proc/net/nf_conntrack on older kernel versions.

The following is example output for an offloaded TCP connection:

   ipv4 2 tcp 6 src=1.1.1.2 dst=1.1.1.3 sport=51888 dport=5001 src=1.1.1.3 dst=1.1.1.2 sport=5001 dport=51888 [HW_OFFLOAD] mark=0 zone=0 use=3

The [HW_OFFLOAD] flag means the entry has been programmed into the hardware. An entry showing only [OFFLOAD] is in the kernel flowtable but has not (or not yet) been offloaded to hardware; an entry with neither flag is still handled entirely in software.
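Reading conntrack output by eye does not scale past a handful of entries. The script below is an added example (not part of the BlueField documentation) that classifies conntrack -L or /proc/net/nf_conntrack lines by offload state ([HW_OFFLOAD], [OFFLOAD], or none) and detects SNAT or DNAT from the asymmetry between the original and reply tuples, which is the check behind both example outputs on this page. The sample input is constructed from the page's two entries plus one made-up non-offloaded UDP entry.

```shell
#!/bin/sh
# Classify conntrack entries (conntrack -L or /proc/net/nf_conntrack format)
# by offload state and NAT type. Reads entries on stdin and prints one line each:
#   <proto> <orig-src:port>-><orig-dst:port> <hw|sw|none> <none|snat|dnat|snat+dnat>
ct_classify() {
  awk '
  {
    n = 0; proto = "?"; state = "none"
    for (i = 1; i <= NF; i++) {
      if (proto == "?" && $i ~ /^(tcp|udp|icmp|sctp)$/) proto = $i
      # [HW_OFFLOAD]: entry programmed in hardware; [OFFLOAD]: kernel flowtable only
      if ($i == "[HW_OFFLOAD]") state = "hw"
      if ($i == "[OFFLOAD]") state = "sw"
      split($i, kv, "=")
      # the first src= opens the original tuple, the second src= the reply tuple
      if (kv[1] == "src") { n++; src[n] = kv[2] }
      if (kv[1] == "dst") dst[n] = kv[2]
      if (kv[1] == "sport") sport[n] = kv[2]
      if (kv[1] == "dport") dport[n] = kv[2]
    }
    if (n != 2) next   # not a conntrack tuple line
    # NAT shows up as an asymmetry between the original and the reply tuple:
    # SNAT rewrites the original source (so reply dst differs from it),
    # DNAT rewrites the original destination (so reply src differs from it).
    nat = "none"
    if (src[1] != dst[2]) nat = "snat"
    if (dst[1] != src[2]) { if (nat == "snat") nat = "snat+dnat"; else nat = "dnat" }
    printf "%s %s:%s->%s:%s %s %s\n", proto, src[1], sport[1], dst[1], dport[1], state, nat
  }'
}

# Count entries per offload state; prints "hw=<n> sw=<n> none=<n>".
ct_offload_summary() {
  ct_classify | awk '{ c[$3]++ } END { printf "hw=%d sw=%d none=%d\n", c["hw"], c["sw"], c["none"] }'
}

# Constructed sample: the two entries shown on this page plus one non-offloaded UDP entry.
CT_SAMPLE='ipv4 2 tcp 6 src=2.2.2.1 dst=1.1.1.2 sport=34541 dport=5001 src=1.1.1.2 dst=1.1.1.16 sport=5001 dport=34541 [OFFLOAD] mark=0 zone=1 use=3
ipv4 2 tcp 6 src=1.1.1.2 dst=1.1.1.3 sport=51888 dport=5001 src=1.1.1.3 dst=1.1.1.2 sport=5001 dport=51888 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 udp 17 30 src=1.1.1.2 dst=1.1.1.3 sport=40000 dport=53 src=1.1.1.3 dst=1.1.1.2 sport=53 dport=40000 mark=0 zone=0 use=2'

# Live use on the BlueField Arm:  conntrack -L 2>/dev/null | ct_classify
printf '%s\n' "$CT_SAMPLE" | ct_classify
printf '%s\n' "$CT_SAMPLE" | ct_offload_summary
```

On a live system, feed the output of conntrack -L (or /proc/net/nf_conntrack) into ct_classify and filter on the third column: entries that stay at "sw" or "none" after traffic has been flowing for longer than the 30-second CT aging period are the ones to investigate.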

Offloaded flows (including connection tracking flows) are added to the virtual switch FDB flow tables. FDB tables are organized in flow groups, and each flow group holds flows that share the same match pattern. For connection tracking offload, for example, TCP and UDP connections are different match patterns and end up in two different flow groups.

Each flow group has a bounded capacity for flow entries. By default, the driver creates 4 big FDB flow groups, each of which can hold at most 4000000/(4+1)=800k distinct 5-tuple flow entries. For scenarios with more than 4 traffic patterns, the driver provides a module parameter (num_of_groups) for customization and performance tuning.

Note The size of each big flow group is calculated according to the formula size = 4000000/(num_of_groups+1), so adding groups shrinks every group.

To change the number of big FDB flow groups, run:

   $ echo <num_of_groups> > /sys/module/mlx5_core/parameters/num_of_groups

The change takes effect immediately if there is no flow inside the FDB table (no traffic running and all offloaded flows are aged out), and it can be dynamically changed without reloading the driver.

If there are residual offloaded flows when changing this parameter, then the new configuration only takes effect after all flows age out.

Independently of OVS's own flow aging, connection tracking offload has its own aging mechanism, with a default aging time of 30 seconds.

Note The maximum number for tracked offloaded connections is limited to 1M by default.

The OS has a default setting of maximum tracked connections which may be configured by running:

   $ /sbin/sysctl -w net.netfilter.nf_conntrack_max=1000000

This changes the maximum tracked connections (both offloaded and non-offloaded) setting to 1 million.

The following devlink parameter limits the number of offloaded connections. For example:

   # devlink dev param set pci/${pci_dev} name ct_max_offloaded_conns value $max cmode runtime

BlueField sets this value to 1 million by default. Users may choose a different number with the devlink command. Because offloaded connections are still conntrack entries, this limit is only meaningful up to the value of net.netfilter.nf_conntrack_max.

Note Make sure net.netfilter.nf_conntrack_tcp_be_liberal=1 when using connection tracking. Conntrack does not see the packets of an offloaded connection, so its TCP window tracking cannot stay in sync with the connection; with strict window checking, packets of a connection that returns to the software path could be marked invalid.
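The sysctl, devlink and module-parameter settings above interact, and misconfiguring one of them silently caps the others. The following script is an added example, not part of the BlueField documentation: it computes the big flow group size from num_of_groups using the page's formula, checks a set of limit values for consistency (tcp_be_liberal must be 1, and the offloaded-connection cap cannot usefully exceed nf_conntrack_max), and reads the live values where the files exist. The devlink device path is left as the page's ${pci_dev} placeholder.

```shell
#!/bin/sh
# Consistency check for the connection tracking offload limits.

# Capacity of one big FDB flow group for a given num_of_groups (page formula).
fdb_group_size() {
  echo $(( 4000000 / ($1 + 1) ))
}

# ct_limits_check NF_CONNTRACK_MAX TCP_BE_LIBERAL CT_MAX_OFFLOADED_CONNS
# Returns 0 when the values are consistent, 1 otherwise (reasons on stdout).
ct_limits_check() {
  rc=0
  if [ "$2" != "1" ]; then
    echo "nf_conntrack_tcp_be_liberal=$2: must be 1 when connection tracking offload is used"
    rc=1
  fi
  if [ "$3" -gt "$1" ]; then
    echo "ct_max_offloaded_conns=$3 exceeds nf_conntrack_max=$1: offloaded connections also count toward nf_conntrack_max, so the lower limit applies"
    rc=1
  fi
  return $rc
}

# Read the live values on a BlueField Arm; each prints "?" when not readable here.
ct_limits_live() {
  max=$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo '?')
  lib=$(cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 2>/dev/null || echo '?')
  groups=$(cat /sys/module/mlx5_core/parameters/num_of_groups 2>/dev/null || echo '?')
  echo "nf_conntrack_max=$max tcp_be_liberal=$lib num_of_groups=$groups"
  if [ "$groups" != "?" ]; then
    echo "big FDB flow group size: $(fdb_group_size "$groups") entries"
  fi
  # The offloaded-connection cap is not in sysfs; query it with devlink on the device:
  echo 'offloaded cap: devlink dev param show pci/${pci_dev} name ct_max_offloaded_conns'
}

ct_limits_live
if ct_limits_check 1000000 1 1000000; then echo "BlueField defaults: consistent"; fi
if ! ct_limits_check 65536 0 1000000; then echo "untuned host defaults: inconsistent"; fi
```

The second check reproduces what an untuned host looks like: a default nf_conntrack_max of 65536 with be_liberal off would cap offload far below the 1M the devlink parameter advertises.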
