+++ b/include/net/netns/conntrack.h
@@ -106,11 +106,13 @@ struct ct_pcpu {

 struct netns_ct {
        atomic_t                count;
+       unsigned int            max;
        unsigned int            expect_count;
 #ifdef CONFIG_NF_CONNTRACK_EVENTS


Moved the hunk above into the next patch.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/18/2021 08:54 PM, Alexander Mikhalitsyn wrote:
From: Konstantin Khorenko <[email protected]>

Rebasing and splitting the netfilter subsystem
(port 66-diff-ve-net-netfilter-combined).
Part 1.

https://jira.sw.ru/browse/PSBM-18322

* diff-ve-nf-make-nf_ct_expect_max-sysctl-virtual
Author: Pavel Emelyanov
Subject: [PATCH rh6] ve: Make nf_ct_expect_max "virtualized"
Date: Wed, 06 Jul 2011 17:36:45 +0400

Make the respective sysctl be per-ct only. Real limit is still taken from
ve0 (init_net). Need to look at how this will work in the mainline.
https://jira.sw.ru/browse/PCLIN-29578

Signed-off-by: Kirill Tkhai <[email protected]>
(cherry picked from commit 2cabd3c5f1a772f3dd7648acc345bca529aed254)

VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783

Signed-off-by: Alexander Mikhalitsyn <[email protected]>
---
 include/net/netfilter/nf_conntrack_expect.h | 1 -
 include/net/netns/conntrack.h               | 2 ++
 net/netfilter/nf_conntrack_expect.c         | 7 +++----
 net/netfilter/nf_conntrack_standalone.c     | 3 ++-
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h 
b/include/net/netfilter/nf_conntrack_expect.h
index 006e430d1cdf..a31f69e7ec65 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -12,7 +12,6 @@
 #include <net/netfilter/nf_conntrack_zones.h>

 extern unsigned int nf_ct_expect_hsize;
-extern unsigned int nf_ct_expect_max;
 extern struct hlist_head *nf_ct_expect_hash;

 struct nf_conntrack_expect {
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 42c8b69c1113..447c3ec738da 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -106,11 +106,13 @@ struct ct_pcpu {

 struct netns_ct {
        atomic_t                count;
+       unsigned int            max;
        unsigned int            expect_count;
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
        struct delayed_work ecache_dwork;
        bool ecache_dwork_pending;
 #endif
+       unsigned int            expect_max;
 #ifdef CONFIG_SYSCTL
        struct ctl_table_header *sysctl_header;
        struct ctl_table_header *acct_sysctl_header;
diff --git a/net/netfilter/nf_conntrack_expect.c 
b/net/netfilter/nf_conntrack_expect.c
index b8c739f31d43..59338d01888b 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -43,8 +43,6 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 struct hlist_head *nf_ct_expect_hash __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_expect_hash);

-unsigned int nf_ct_expect_max __read_mostly;
-
 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
 static unsigned int nf_ct_expect_hashrnd __read_mostly;

@@ -451,7 +449,7 @@ static inline int __nf_ct_expect_check(struct 
nf_conntrack_expect *expect)
                }
        }

-       if (net->ct.expect_count >= nf_ct_expect_max) {
+       if (net->ct.expect_count >= init_net.ct.expect_max) {
                net_veboth_ratelimited(KERN_WARNING "VE%s "
                                        "nf_conntrack: expectation table 
full\n",
                                        net->owner_ve->ve_name);
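Review bot: The replaced condition still reads `init_net.ct.expect_max`, while the standalone hunk that adds `table[5].data = &net->ct.expect_max;` exposes a per-netns knob that this check never consults, so a write to nf_conntrack_expect_max inside a container changes a value nothing enforces. The commit message says this is intended for now, but nothing in the code records it, and the next reader is likely to "fix" the check to `net->ct.expect_max`, which would let each container raise its own expectation cap. A comment at the check would pin the intent: `/* Limit is global: the per-net expect_max is only exported via sysctl, init_net's value is what gets enforced. */`. __nf_ct_expect_check starts and ends outside the hunk.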
@@ -682,6 +680,7 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, 
uint, 0400);
 int nf_conntrack_expect_pernet_init(struct net *net)
 {
        net->ct.expect_count = 0;
+       net->ct.expect_max = init_net.ct.expect_max;
        return exp_proc_init(net);
 }

@@ -697,7 +696,7 @@ int nf_conntrack_expect_init(void)
                if (!nf_ct_expect_hsize)
                        nf_ct_expect_hsize = 1;
        }
-       nf_ct_expect_max = nf_ct_expect_hsize * 4;
+       init_net.ct.expect_max = nf_ct_expect_hsize * 4;
        nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
                                sizeof(struct nf_conntrack_expect),
                                0, 0, NULL);
diff --git a/net/netfilter/nf_conntrack_standalone.c 
b/net/netfilter/nf_conntrack_standalone.c
index c0e9ba243667..e4fcb939e19a 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -557,7 +557,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
        },
        {
                .procname       = "nf_conntrack_expect_max",
-               .data           = &nf_ct_expect_max,
+               .data           = &init_net.ct.expect_max,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
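Review bot: `.data` now points at `init_net.ct.expect_max`, declared `unsigned int` in the conntrack.h hunk, but the entry keeps `proc_dointvec` with `.maxlen = sizeof(int)`, so a negative write is accepted and stored as a very large unsigned limit, effectively removing the expectation cap. The old `nf_ct_expect_max` global had the same pairing, so this is pre-existing, but the patch touches the entry and is the natural place to switch to an unsigned handler, `.proc_handler = proc_douintvec,` (or the minmax variant with a sensible ceiling), if this tree provides it.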
@@ -588,6 +588,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net 
*net)
        table[1].data = &net->ct.count;
        table[3].data = &net->ct.sysctl_checksum;
        table[4].data = &net->ct.sysctl_log_invalid;
+       table[5].data = &net->ct.expect_max;

        /* Don't export sysctls to unprivileged users */
        if (ve_net_hide_sysctl(net))
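Review bot: `table[5]` hard-codes the position of the nf_conntrack_expect_max entry in `nf_ct_sysctl_table`; like the existing `table[1]`, `table[3]` and `table[4]` assignments it breaks silently if an entry is inserted earlier in the table, pointing a sysctl at the wrong field. A trailing comment naming the entry, `table[5].data = &net->ct.expect_max; /* nf_conntrack_expect_max */`, ties the index to its meaning; an index enum for the table would be the more robust fix if the table keeps growing. nf_conntrack_standalone_init_sysctl starts and ends outside the hunk.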

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
