Upstream commit:

    commit f330a7fdbe1611104622faff7e614a246a7d20f0
    Author: Florian Westphal <[email protected]>
    Date:   Thu Aug 25 15:33:31 2016 +0200

    netfilter: conntrack: get rid of conntrack timer

    With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as
    Eric Dumazet pointed out during netfilter workshop 2016.

    Eric also says: "Another reason was the fact that Thomas was about to
    change max timer range [..]" (500462a9de657f8, 'timers: Switch to
    a non-cascading wheel').

    Remove the timer and use a 32bit jiffies value containing timestamp until
    entry is valid.

    During conntrack lookup, even before doing tuple comparison, check
    the timeout value and evict the entry in case it is too old.

    The dying bit is used as a synchronization point to avoid races where
    multiple cpus try to evict the same entry.

    Because lookup is always lockless, we need to bump the refcnt once
    when we evict, else we could try to evict already-dead entry that
    is being recycled.

    This is the standard/expected way when conntrack entries are destroyed.

    Followup patches will introduce garbage collection via work queue
    and further places where we can reap obsoleted entries (e.g. during
    netlink dumps), this is needed to avoid expired conntracks from hanging
    around for too long when lookup rate is low after a busy period.

    Signed-off-by: Florian Westphal <[email protected]>
    Acked-by: Eric Dumazet <[email protected]>
    Signed-off-by: Pablo Neira Ayuso <[email protected]>

Upstream commit f330a7fdbe16 ("netfilter: conntrack: get rid of
conntrack timer") changes the way nf_ct_delete() is called.  Prior to
that commit the call pattern was like this:

       if (del_timer(&ct->timeout))
               nf_ct_delete(ct, ...);

After this change nf_ct_delete() is called directly:

       nf_ct_delete(ct, ...);

This patch provides a replacement implementation for nf_ct_delete()
that first calls the del_timer().  This replacement is only used if
the struct nf_conn has member 'timeout' of type 'struct timer_list'.

The following patch introduces the first caller to nf_ct_delete() in
the OVS kernel module.

Signed-off-by: Jarno Rajahalme <[email protected]>
---
 acinclude.m4                                                   |  4 ++++
 .../linux/compat/include/net/netfilter/nf_conntrack_core.h     | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/acinclude.m4 b/acinclude.m4
index 926ec8a..b73eff1 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -523,6 +523,10 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
   OVS_FIND_FIELD_IFELSE([$KSRC/include/linux/netfilter_ipv6.h], [nf_ipv6_ops],
                         [fragment.*sock], 
[OVS_DEFINE([HAVE_NF_IPV6_OPS_FRAGMENT])])
 
+  OVS_FIND_FIELD_IFELSE([$KSRC/include/net/netfilter/nf_conntrack.h],
+                        [nf_conn], [struct timer_list[[ \t]]*timeout],
+                        [OVS_DEFINE([HAVE_NF_CONN_TIMER])])
+
   OVS_FIND_PARAM_IFELSE([$KSRC/include/net/netfilter/nf_conntrack.h],
                   [nf_ct_tmpl_alloc], [nf_conntrack_zone],
                   [OVS_DEFINE([HAVE_NF_CT_TMPL_ALLOC_TAKES_STRUCT_ZONE])])
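
Review bot: The field pattern in the added OVS_FIND_FIELD_IFELSE check, `struct timer_list[[ \t]]*timeout`, may not tolerate a tab between the type and the member name. After m4 unquoting the bracket expression is `[ \t]`, and in a POSIX bracket expression that is a space, a backslash and the letter t, not a tab. If the macro passes the pattern to grep unchanged, a tab-separated declaration would leave HAVE_NF_CONN_TIMER undefined on a kernel that still has the timer, and nf_ct_delete() would then be called without del_timer() first. Consider `[[[:space:]]]*` instead, and add a one-line comment naming upstream commit f330a7fdbe16 as the reason for the check.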
diff --git a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h 
b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
index 09a53c3..a84a477 100644
--- a/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
+++ b/datapath/linux/compat/include/net/netfilter/nf_conntrack_core.h
@@ -67,4 +67,14 @@ static inline bool rpl_nf_ct_get_tuple(const struct sk_buff 
*skb,
 #define nf_ct_get_tuple rpl_nf_ct_get_tuple
 #endif /* HAVE_NF_CT_GET_TUPLEPR_TAKES_STRUCT_NET */
 
+#ifdef HAVE_NF_CONN_TIMER
+static inline bool rpl_nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
+{
+       if (del_timer(&ct->timeout))
+               return nf_ct_delete(ct, portid, report);
+       return false;
+}
+#define nf_ct_delete rpl_nf_ct_delete
+#endif /* HAVE_NF_CONN_TIMER */
+
 #endif /* _NF_CONNTRACK_CORE_WRAPPER_H */
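
Review bot: The `#define nf_ct_delete rpl_nf_ct_delete` line only works because it comes after the body of rpl_nf_ct_delete(); moved above the function, the inner call would expand to the wrapper itself and recurse. A short comment above the wrapper stating that ordering requirement, and that `return false` means the timer was no longer pending (another context already owns the deletion), would keep later edits to this compat header from breaking it. It would also help to note that callers must not treat a false return as an error, since that is the normal outcome when the entry is already being torn down.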
-- 
2.1.4
