Blocking TCP Chimney Offload on Vista

  • Question

  • Hello,

    I wrote a user level program to disable chimney offload. My problem is determining whether the program has any effect.

    I can run netstat -t and see that the connection created when mapping a network drive is offloaded on w2k3 with SNP. However, netstat -t shows the connection created when mapping a network drive as inhost on Vista. My w2k3 and Vista machines have identical hardware configurations, which include the Broadcom NetXtreme II network adapters. This NIC type supports connection offload.

    I have the following questions:

    1. Should mapping a network drive result in an offloaded connection on Vista? If not, do you have any suggestions as to how I can get Vista to offload connections?

    2. My user level program attempts to enable connection offload by calling FwpmFilterAdd0 twice: once for recv_accept and once for connect. This is the only combination of settings that I can get FwpmFilterAdd0 to return success. Does this code look correct?

        /* Requires <windows.h>, <fwpmu.h> and <rpc.h>; link with Fwpuclnt.lib and Rpcrt4.lib. */
        /* engineHandle is an open filter engine session handle. */
        DWORD status;

        /* Filter 1: inbound accepts (ALE_AUTH_RECV_ACCEPT, IPv4). */
        FWPM_FILTER0 filterV4Recv;
        ZeroMemory(&filterV4Recv, sizeof(filterV4Recv));

        UuidCreate(&filterV4Recv.filterKey);
        filterV4Recv.displayData.name        = L"CSA: Modify TCP chimney offload filter: V4 RECV";
        filterV4Recv.displayData.description = L"CSA: Modify TCP chimney offload filter: V4 RECV";
        filterV4Recv.layerKey                = FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
        filterV4Recv.action.type             = FWP_ACTION_CALLOUT_TERMINATING; /* only one that works */
        filterV4Recv.action.calloutKey       = FWPM_CALLOUT_TCP_CHIMNEY_ACCEPT_LAYER_V4;
        filterV4Recv.subLayerKey             = FWPM_SUBLAYER_TCP_CHIMNEY_OFFLOAD;
        filterV4Recv.rawContext              = FWPM_CONTEXT_TCP_CHIMNEY_OFFLOAD_ENABLE;
        filterV4Recv.numFilterConditions     = 0;    /* no conditions: matches all traffic at this layer */
        filterV4Recv.filterCondition         = NULL;

        status = FwpmFilterAdd0(engineHandle,
                                &filterV4Recv,
                                0,
                                &filterV4Recv.filterId);

        /* Filter 2: outbound connects (ALE_AUTH_CONNECT, IPv4). */
        FWPM_FILTER0 filterV4Conn;
        ZeroMemory(&filterV4Conn, sizeof(filterV4Conn));

        UuidCreate(&filterV4Conn.filterKey);
        filterV4Conn.displayData.name        = L"CSA: Modify TCP chimney offload filter: V4 CONN";
        filterV4Conn.displayData.description = L"CSA: Modify TCP chimney offload filter: V4 CONN";
        filterV4Conn.layerKey                = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
        filterV4Conn.action.type             = FWP_ACTION_CALLOUT_TERMINATING; /* only one that works */
        filterV4Conn.action.calloutKey       = FWPM_CALLOUT_TCP_CHIMNEY_CONNECT_LAYER_V4;
        filterV4Conn.subLayerKey             = FWPM_SUBLAYER_TCP_CHIMNEY_OFFLOAD;
        filterV4Conn.rawContext              = FWPM_CONTEXT_TCP_CHIMNEY_OFFLOAD_ENABLE;
        filterV4Conn.numFilterConditions     = 0;    /* no conditions: matches all traffic at this layer */
        filterV4Conn.filterCondition         = NULL;

        status = FwpmFilterAdd0(engineHandle,
                                &filterV4Conn,
                                0,
                                &filterV4Conn.filterId);

    3. Is there anything else I need to do to either enable or disable chimney offload using WFP?

    4. I'm attempting to query the miniport driver for connection offload settings also using a user level program. For all miniport drivers, I'm calling DeviceIoControl with IOCTL_NDIS_QUERY_GLOBAL_STATS and oid code 0xfc030201 which is OID_TCP_CONNECTION_OFFLOAD_PARAMETERS. The returned buffer length is 20, but the data is all 0's. (The SDK says I need to sign up for TCP Chimney documentation. I've tried to sign up, but I've been in the pending state for the last 3 days and my request for help will take another 3 days.)
    a. Is this the right way to determine whether TCP Chimney offload is enabled on Vista?
    b. Is there a WFP way to query for the current chimney offload state?

    5. TCP Chimney offload appears to me to be a server feature. The documentation states that Vista supports chimney offload, but is the documentation correct?


    Thanks,
    Dave
    Friday, August 17, 2007 2:40 PM

Answers

  • Dave,

    You do not need to disable chimney. WFP ensures that unless the callouts explicitly specify that they may be bypassed (using FWP_CALLOUT_FLAG_ALLOW_OFFLOAD), it will not do chimney offload.

    regards,

    Hemant

    Wednesday, August 22, 2007 10:24 PM

All replies

  • Hi Dave,

    Here are some pointers for your questions.
    Netsh may be used for toggling chimney state.

    1) If the miniport’s capacity of offloadable connections has not been reached then yes, mapping a network drive should result in an offloaded connection. Otherwise stack heuristics govern which connection is offloaded. You can use netsh int tcp> add chimneyapplication disabled c:\path\database.exe to bypass the heuristics.

    2) The code looks okay. netsh can also be used to add filters to block or allow certain apps. You can also do this by setting a socket option on the offload preference to force offload or upload.

    3) Make sure that you don't have a callout that can make permit or block decisions tied to filters at transport (inbound and outbound TRANSPORT IPv4 and IPv6) or network layer (inbound and outbound IPPACKET IPv4 and IPv6) inspecting app traffic that you are trying to offload. If such a callout exists, the traffic can't be chimney offloaded since that would short circuit the inspection path.

    4) Chimney is enabled by default. netsh int tcp> show global shows the status.

    5) It's available for Vista as well.

    Regards,

    Hemant

    Monday, August 20, 2007 9:23 PM
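
    Added example (not part of the original thread): one way to check the two views mentioned above, the global state from netsh int tcp show global and the per-connection offload state from netstat -t, and report any connection that is offloaded and therefore outside the in-host inspection path. The sample outputs are constructed, and the column layout they use is an assumption modelled on Vista-era output.

```python
import re

# Constructed sample of `netsh int tcp show global` output (layout assumed).
SAMPLE_NETSH = """\
TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : enabled
Receive Window Auto-Tuning Level    : normal
"""

# Constructed sample of `netstat -t` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    192.0.2.10:49158       192.0.2.20:445         ESTABLISHED     Offloaded
  TCP    192.0.2.10:49160       192.0.2.30:3389        ESTABLISHED     InHost
  TCP    192.0.2.10:49171       192.0.2.20:139         TIME_WAIT       InHost
"""

def chimney_global_state(netsh_text):
    """Return the 'Chimney Offload State' value, or None if the line is absent."""
    m = re.search(r"^\s*Chimney Offload State\s*:\s*(\S+)", netsh_text, re.M | re.I)
    return m.group(1).lower() if m else None

def parse_connections(netstat_text):
    """Yield (local, remote, tcp_state, offload_state) for each TCP row."""
    for line in netstat_text.splitlines():
        parts = line.split()
        # Rows without an offload column (plain `netstat`) are skipped.
        if len(parts) == 5 and parts[0].upper() == "TCP":
            yield parts[1], parts[2], parts[3], parts[4]

def offloaded_connections(netstat_text):
    """Connections handled by the NIC rather than the host TCP stack."""
    return [c for c in parse_connections(netstat_text) if c[3].lower() == "offloaded"]

def audit(netsh_text, netstat_text):
    """Summarise whether any connection is currently bypassing the host stack."""
    offloaded = offloaded_connections(netstat_text)
    return {"global_state": chimney_global_state(netsh_text),
            "offloaded": offloaded,
            "inspection_bypassed": bool(offloaded)}

if __name__ == "__main__":
    report = audit(SAMPLE_NETSH, SAMPLE_NETSTAT)
    print(report["global_state"], report["offloaded"])
```

    A global state of enabled with no Offloaded rows matches the situation described in the thread: offload is available, but the stack keeps the connections in the host.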
  • Hi Hemant,

    Thanks for your reply.

    I have a WFP callout driver that includes IPPACKET filters. As you indicate, this must be the reason that I don't get an offloaded connection when mapping a network drive.

    My product is security related which is why I want to disable TCP Chimney offload. Is there any way traffic can get offloaded when my IPPACKET filters are configured?

    Dave
    Wednesday, August 22, 2007 6:35 PM