On 28 February 2017 at 17:17, Jarno Rajahalme <[email protected]> wrote:
> Upstream commit:
>
>     commit f330a7fdbe1611104622faff7e614a246a7d20f0
>     Author: Florian Westphal <[email protected]>
>     Date:   Thu Aug 25 15:33:31 2016 +0200
>
>     netfilter: conntrack: get rid of conntrack timer
>
>     With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as
>     Eric Dumazet pointed out during netfilter workshop 2016.
>
>     Eric also says: "Another reason was the fact that Thomas was about to
>     change max timer range [..]" (500462a9de657f8, 'timers: Switch to
>     a non-cascading wheel').
>
>     Remove the timer and use a 32bit jiffies value containing timestamp until
>     entry is valid.
>
>     During conntrack lookup, even before doing tuple comparison, check
>     the timeout value and evict the entry in case it is too old.
>
>     The dying bit is used as a synchronization point to avoid races where
>     multiple cpus try to evict the same entry.
>
>     Because lookup is always lockless, we need to bump the refcnt once
>     when we evict, else we could try to evict already-dead entry that
>     is being recycled.
>
>     This is the standard/expected way when conntrack entries are destroyed.
>
>     Followup patches will introduce garbage collection via work queue
>     and further places where we can reap obsoleted entries (e.g. during
>     netlink dumps), this is needed to avoid expired conntracks from hanging
>     around for too long when lookup rate is low after a busy period.
>
>     Signed-off-by: Florian Westphal <[email protected]>
>     Acked-by: Eric Dumazet <[email protected]>
>     Signed-off-by: Pablo Neira Ayuso <[email protected]>
>
> Upstream commit f330a7fdbe16 ("netfilter: conntrack: get rid of
> conntrack timer") changes the way nf_ct_delete() is called. Prior to
> commit the call pattern was like this:
>
>     if (del_timer(&ct->timeout))
>         nf_ct_delete(ct, ...);
>
> After this change nf_ct_delete() is called directly:
>
>     nf_ct_delete(ct, ...);
>
> This patch provides a replacement implementation for nf_ct_delete()
> that first calls the del_timer(). This replacement is only used if
> the struct nf_conn has member 'timeout' of type 'struct timer_list'.
>
> The following patch introduces the first caller to nf_ct_delete() in
> the OVS kernel module.
>
> Linux <3.12 does not have nf_ct_delete() at all, so we inline it if it
> does not exist. The inlined code is from 3.11 death_by_timeout(),
> which in later versions simply calls nf_ct_delete().
>
> Signed-off-by: Jarno Rajahalme <[email protected]>

For reference, I see that commit 02982c27ba1e1bd9f9d4747214e19ca83aa88d0e is the patch in 3.12 which introduced nf_ct_delete(), where you can see the original code that is being inlined here.

Acked-by: Joe Stringer <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
