From: Kirill Tkhai <[email protected]> Rebasing and splitting netfilters subsystem (port 66-diff-ve-net-netfilter-combined). Part 1.
https://jira.sw.ru/browse/PSBM-18322
Signed-off-by: Kirill Tkhai <[email protected]>
(cherry picked from commit c34a99c00f9df6e538a46af5f92be2faacf5a3a5)
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
Signed-off-by: Alexander Mikhalitsyn <[email protected]>
---
 net/netfilter/nf_conntrack_core.c | 20 +++++++++++---------
 net/netfilter/nf_conntrack_netlink.c | 2 +-
 net/netfilter/nf_conntrack_standalone.c | 13 ++++++++++---
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 23cbe8ed81e2..6ac5168d6c84 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -182,8 +182,6 @@ static void nf_conntrack_all_unlock(void)
 unsigned int nf_conntrack_htable_size __read_mostly;
 EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
-unsigned int nf_conntrack_max __read_mostly;
-EXPORT_SYMBOL_GPL(nf_conntrack_max);
 seqcount_t nf_conntrack_generation __read_mostly;
 static unsigned int nf_conntrack_hash_rnd __read_mostly;
@@ -1345,7 +1343,6 @@ static void gc_worker(struct work_struct *work)
 {
 unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u);
 unsigned int i, goal, buckets = 0, expired_count = 0;
- unsigned int nf_conntrack_max95 = 0;
 struct conntrack_gc_work *gc_work;
 unsigned int ratio, scanned = 0;
 unsigned long next_run;
@@ -1354,8 +1351,6 @@ static void gc_worker(struct work_struct *work)
 goal = nf_conntrack_htable_size / GC_MAX_BUCKETS_DIV;
 i = gc_work->last_bucket;
- if (gc_work->early_drop)
- nf_conntrack_max95 = nf_conntrack_max / 100u * 95u;
 do {
 struct nf_conntrack_tuple_hash *h;
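Review bot: Dropping `nf_conntrack_max` together with its `EXPORT_SYMBOL_GPL` in the @@ -182 hunk removes a symbol that other modules may still reference, and the patch touches neither the `extern` declaration of it in the conntrack header nor the `struct netns_ct` definition that must now provide `ct.max` — the diffstat lists only the three .c files. Presumably another part of this split adds the field and removes the declaration; naming that dependency in the commit message would keep the parts from being applied out of order. A stale `extern unsigned int nf_conntrack_max;` still compiles, which is exactly why it is easy to forget.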
@@ -1373,8 +1368,13 @@ static void gc_worker(struct work_struct *work)
 hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
 struct net *net;
+ unsigned int nf_conntrack_max95 = 0;
 tmp = nf_ct_tuplehash_to_ctrack(h);
+ net = nf_ct_net(tmp);
+
+ if (gc_work->early_drop)
+ nf_conntrack_max95 = net->ct.max / 100u * 95u;
 scanned++;
 if (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) {
@@ -1391,7 +1391,7 @@ static void gc_worker(struct work_struct *work)
 if (nf_conntrack_max95 == 0 || gc_worker_skip_ct(tmp))
 continue;
- net = nf_ct_net(tmp);
+
 if (atomic_read(&net->ct.count) < nf_conntrack_max95)
 continue;
@@ -1471,13 +1471,14 @@ __nf_conntrack_alloc(struct net *net,
 const struct nf_conntrack_tuple *repl,
 gfp_t gfp, u32 hash)
 {
+ unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
 struct nf_conn *ct;
 /* We don't want any race condition at early drop stage */
 atomic_inc(&net->ct.count);
- if (nf_conntrack_max &&
- unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
+ if (ct_max &&
+ unlikely(atomic_read(&net->ct.count) > ct_max)) {
 if (!early_drop(net, hash)) {
 if (!conntrack_gc_work.early_drop)
 conntrack_gc_work.early_drop = true;
@@ -2635,7 +2636,7 @@ int nf_conntrack_init_start(void)
 if (!nf_conntrack_hash)
 return -ENOMEM;
- nf_conntrack_max = max_factor * nf_conntrack_htable_size;
+ init_net.ct.max = max_factor * nf_conntrack_htable_size;
 nf_conntrack_cachep = kmem_cache_create("nf_conntrack",
 sizeof(struct nf_conn),
@@ -2735,6 +2736,7 @@ int nf_conntrack_init_net(struct net *net)
 BUILD_BUG_ON(IP_CT_UNTRACKED == IP_CT_NUMBER);
 atomic_set(&net->ct.count, 0);
+ net->ct.max = init_net.ct.max;
 net->ct.pcpu_lists = alloc_percpu(struct ct_pcpu);
 if (!net->ct.pcpu_lists)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 0fb92033409a..9de8059325da 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
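Review bot: A zero `net->ct.max` now means two different things: in the @@ -1373 hunk `nf_conntrack_max95` stays 0 when `net->ct.max` is 0, so the @@ -1391 test `nf_conntrack_max95 == 0` excludes that netns from GC early drop, while `__nf_conntrack_alloc` in the @@ -1471 hunk treats 0 as "inherit `init_net.ct.max`" and keeps enforcing the host limit. A container that writes 0 to its sysctl (allowed, since the standalone hunks set `extra1` to `&zero`) therefore keeps the host's allocation cap but is never early-dropped by the worker, and the netlink @@ -2275 hunk reports the raw 0 as `CTA_STATS_GLOBAL_MAX_ENTRIES`. Decide the meaning once in a helper, e.g. `static inline unsigned int nf_ct_max(const struct net *net) { return net->ct.max ? net->ct.max : init_net.ct.max; }`, and use it in the worker, the allocator and the netlink dump. Recomputing `max95` for every entry inside the RCU walk is cheap but could be done once per distinct `net`. gc_worker's body continues outside the hunk.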
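Review bot: The `ct_max` initializer in the @@ -1471 hunk reads `net->ct.max` twice, and as far as this patch shows that field is written from a sysctl handler with no locking; if a write of 0 lands between the two reads, the first read selects the per-net value and the second yields 0, so `ct_max` is 0 and the `if (ct_max && ...)` guard disables the limit for that allocation. Read it once, `unsigned int ct_max = READ_ONCE(net->ct.max); if (!ct_max) ct_max = READ_ONCE(init_net.ct.max);`, which also makes the deliberately lockless access visible to the reader. The same consideration applies to the per-entry read of `net->ct.max` in the @@ -1373 hunk.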
@@ -2275,7 +2275,7 @@ ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
 goto nla_put_failure;
- if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
+ if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(net->ct.max)))
 goto nla_put_failure;
 nlmsg_end(skb, nlh);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index e4fcb939e19a..567d92b53016 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -520,7 +520,7 @@ static struct ctl_table_header *nf_ct_netfilter_header;
 static struct ctl_table nf_ct_sysctl_table[] = {
 {
 .procname = "nf_conntrack_max",
- .data = &nf_conntrack_max,
+ .data = &init_net.ct.max,
 .maxlen = sizeof(int),
 .mode = 0644,
 .proc_handler = proc_dointvec,
@@ -568,7 +568,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 static struct ctl_table nf_ct_netfilter_table[] = {
 {
 .procname = "nf_conntrack_max",
- .data = &nf_conntrack_max,
+ .data = &init_net.ct.max,
 .maxlen = sizeof(int),
 .mode = 0644,
 .proc_handler = proc_dointvec,
@@ -576,6 +576,8 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 { }
 };
+static int zero;
+
 static int nf_conntrack_standalone_init_sysctl(struct net *net)
 {
 struct ctl_table *table;
@@ -585,6 +587,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 if (!table)
 goto out_kmemdup;
+ table[0].data = &net->ct.max;
 table[1].data = &net->ct.count;
 table[3].data = &net->ct.sysctl_checksum;
 table[4].data = &net->ct.sysctl_log_invalid;
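Review bot: The file-scope `static int zero;` added in the @@ -576 hunk exists only to serve as `extra1` for `proc_dointvec_minmax`; upstream provides `SYSCTL_ZERO` for exactly this, so if this tree already carries it the private variable should go in favour of `table[0].extra1 = SYSCTL_ZERO;`. If the tree predates that helper, a one-line comment on the declaration, `/* lower bound for per-net nf_conntrack_max */`, would tell the reader why a named zero is needed.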
@@ -594,8 +597,12 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 if (ve_net_hide_sysctl(net))
 table[0].procname = NULL;
- if (!net_eq(&init_net, net))
+ if (!net_eq(&init_net, net)) {
+ table[0].proc_handler = proc_dointvec_minmax;
+ table[0].extra1 = &zero;
+ table[0].extra2 = &init_net.ct.max;
 table[2].mode = 0444;
+ }
 net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
 if (!net->ct.sysctl_header)
--
2.28.0
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
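Review bot: `table[0].extra2 = &init_net.ct.max` in the @@ -594 hunk bounds a container's `nf_conntrack_max` only at the moment of the write; if the host later lowers its own value, a container that already stored a larger number keeps it, and `__nf_conntrack_alloc` enforces `net->ct.max` as stored, so the host value is not an upper bound over time. If that is the intended contract, say so above the block, e.g. `/* Cap at the host's limit as of the write; a later host decrease does not lower existing per-net values. */`; otherwise clamp at use with `min(net->ct.max, init_net.ct.max)` in the allocation path. Note that `proc_dointvec_minmax` dereferences `extra2` as `int *`, so this relies on `ct.max` being int-sized, as `.maxlen = sizeof(int)` in the table already assumes. nf_conntrack_standalone_init_sysctl continues outside the hunk.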
