This series is a collection of all the various conncount patches that have been floating around recently.

The overall goal is to simplify nf_conncount instead of just addressing bugs. This series removes quite a few lines of code and conditionals.

Most importantly, 'conn' list traversal now requires the node list_lock. Second, the garbage collection cannot race with the packet path anymore: collection of conn objects acquires the list_lock, and tree pruning only occurs after the tree lock has been acquired.

While looking at this, I found a few more, albeit minor, bugs; these are fixed here as well.

I've mangled Pablo's patches a little so they apply on top of the other ones, but otherwise no major changes happened.

I've tested this with parallel synfloods against a VM (with no patches, KASAN splats happen almost instantly).

Please see individual patches for more details.

I'd like to thank everyone that has contributed patches and ideas for this. More comments, reviews and tests are much appreciated.

Florian Westphal (5):
  netfilter: nf_conncount: don't skip eviction when age is negative
  netfilter: nf_conncount: split gc in two phases
  netfilter: nf_conncount: restart search when nodes have been erased
  netfilter: nf_conncount: merge lookup and add functions
  netfilter: nf_conncount: fix argument order to find_next_bit

Pablo Neira Ayuso (2):
  netfilter: nf_conncount: move all list iterations under spinlock
  netfilter: nf_conncount: speculative garbage collection on empty lists

Shawn Bohrer (1):
  nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS

 include/net/netfilter/nf_conntrack_count.h |  19 -
 net/netfilter/nf_conncount.c               | 290 ++++++++++++-----------------
 net/netfilter/nft_connlimit.c              |  14 -
 3 files changed, 134 insertions(+), 189 deletions(-)
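The following is an added, stand-alone user-space C model of the locking discipline the cover letter describes; it is not code from this series or from nf_conncount. Every conn list is walked only under its node's list_lock, node removal happens only under tree_lock, and garbage collection is split into a collection phase (per-list eviction under list_lock, no tree lock held) and a pruning phase (under tree_lock, rechecking each candidate under list_lock because the packet path may have reused it in between). All names (conn_node, conncount_add, gc_phase1, gc_phase2, CONN_LIFETIME, ...) are hypothetical, a flat array stands in for the rbtree, and the model assumes the GC worker is the only path that removes nodes, which is what keeps the phase-1 snapshot of the node table valid after tree_lock is dropped.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_NODES 8
#define CONN_LIFETIME 30 /* model: a counted conn expires this long after being seen */

struct conn {
    unsigned int id;
    long expires;            /* absolute time; non-positive remaining lifetime == expired */
    struct conn *next;
};

struct conn_node {
    unsigned int key;        /* e.g. the source address being limited */
    pthread_mutex_t list_lock; /* guards conns and count */
    struct conn *conns;
    unsigned int count;
};

static pthread_mutex_t tree_lock = PTHREAD_MUTEX_INITIALIZER; /* guards nodes[] / nr_nodes */
static struct conn_node *nodes[MAX_NODES];
static unsigned int nr_nodes;

/* Caller must hold tree_lock. */
static struct conn_node *node_find(unsigned int key)
{
    for (unsigned int i = 0; i < nr_nodes; i++)
        if (nodes[i]->key == key)
            return nodes[i];
    return NULL;
}

/* Packet path: record conn_id under key and return the resulting count (0 on failure). */
unsigned int conncount_add(unsigned int key, unsigned int conn_id, long now)
{
    struct conn *c = malloc(sizeof(*c));
    struct conn_node *n;
    unsigned int count;

    if (!c)
        return 0;
    c->id = conn_id;
    c->expires = now + CONN_LIFETIME;

    pthread_mutex_lock(&tree_lock);
    n = node_find(key);
    if (!n) {
        if (nr_nodes == MAX_NODES || !(n = calloc(1, sizeof(*n)))) {
            pthread_mutex_unlock(&tree_lock);
            free(c);
            return 0;
        }
        n->key = key;
        pthread_mutex_init(&n->list_lock, NULL);
        nodes[nr_nodes++] = n;
    }
    /* Lock order is tree_lock -> list_lock everywhere. Taking list_lock before
     * dropping tree_lock means GC phase 2 cannot free n underneath us. */
    pthread_mutex_lock(&n->list_lock);
    pthread_mutex_unlock(&tree_lock);
    c->next = n->conns;
    n->conns = c;
    count = ++n->count;
    pthread_mutex_unlock(&n->list_lock);
    return count;
}

/* GC phase 1: evict expired conns from every list under that list's lock, collect
 * nodes left empty into cand[]; returns the number of conns evicted. */
unsigned int gc_phase1(long now, struct conn_node **cand, unsigned int *ncand)
{
    struct conn_node *snap[MAX_NODES];
    unsigned int nsnap, evicted = 0;

    pthread_mutex_lock(&tree_lock);
    nsnap = nr_nodes;
    for (unsigned int i = 0; i < nsnap; i++)
        snap[i] = nodes[i];
    pthread_mutex_unlock(&tree_lock); /* only GC removes nodes, so snap[] stays valid */

    *ncand = 0;
    for (unsigned int i = 0; i < nsnap; i++) {
        struct conn_node *n = snap[i];
        struct conn **pp = &n->conns;

        pthread_mutex_lock(&n->list_lock);
        while (*pp) {
            struct conn *c = *pp;
            if (c->expires - now <= 0) { /* negative remaining age is expired too */
                *pp = c->next;
                free(c);
                n->count--;
                evicted++;
            } else {
                pp = &c->next;
            }
        }
        if (n->count == 0)
            cand[(*ncand)++] = n;
        pthread_mutex_unlock(&n->list_lock);
    }
    return evicted;
}

/* GC phase 2: unlink empty candidates under tree_lock. Emptiness is rechecked under
 * list_lock: a node reused by the packet path since phase 1 must survive. */
unsigned int gc_phase2(struct conn_node **cand, unsigned int ncand)
{
    unsigned int pruned = 0;

    pthread_mutex_lock(&tree_lock);
    for (unsigned int i = 0; i < ncand; i++) {
        struct conn_node *n = cand[i];
        bool empty;

        pthread_mutex_lock(&n->list_lock);
        empty = (n->count == 0);
        pthread_mutex_unlock(&n->list_lock);
        if (!empty)
            continue;
        for (unsigned int j = 0; j < nr_nodes; j++)
            if (nodes[j] == n) { nodes[j] = nodes[--nr_nodes]; break; }
        pthread_mutex_destroy(&n->list_lock);
        free(n);
        pruned++;
    }
    pthread_mutex_unlock(&tree_lock);
    return pruned;
}

unsigned int conncount_gc(long now)
{
    struct conn_node *cand[MAX_NODES];
    unsigned int ncand;

    gc_phase1(now, cand, &ncand);
    return gc_phase2(cand, ncand);
}

/* Current count for key (0 if no node); both locks taken in the usual order. */
unsigned int conncount_lookup(unsigned int key)
{
    unsigned int count = 0;
    struct conn_node *n;

    pthread_mutex_lock(&tree_lock);
    n = node_find(key);
    if (n) {
        pthread_mutex_lock(&n->list_lock);
        count = n->count;
        pthread_mutex_unlock(&n->list_lock);
    }
    pthread_mutex_unlock(&tree_lock);
    return count;
}

unsigned int conncount_nodes(void)
{
    pthread_mutex_lock(&tree_lock);
    unsigned int n = nr_nodes;
    pthread_mutex_unlock(&tree_lock);
    return n;
}

int main(void)
{
    printf("key 1: %u\n", conncount_add(1, 100, 0));
    printf("key 1: %u\n", conncount_add(1, 101, 0));
    printf("nodes pruned at t=40: %u\n", conncount_gc(40));
    return 0;
}
```

The interesting case is the window between the two phases: phase 1 drops the list lock after finding a list empty, so the packet path can add a conn to that node before phase 2 runs. Phase 2 therefore re-reads the count under list_lock while holding tree_lock, and leaves such a node in place; it only frees nodes it has observed empty under both locks, which is what rules out the use-after-free the cover letter's KASAN splats point at.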