Hi IIya,
Any idea for this series ? BR wenxu From: [email protected] Date: 2022-02-09 14:39:41 To: [email protected],[email protected] Cc: [email protected] Subject: [PATCH v11 2/2] conntrack: prefer dst port range during unique tuple search>From: wenxu <[email protected]> > >This commit splits the nested loop used to search the unique ports for >the reverse tuple. >It affects only the dnat action, giving more precedence to the dnat >range, similarly to the kernel dp, instead of searching through the >default ephemeral source range for each destination port. > >Signed-off-by: wenxu <[email protected]> >--- > lib/conntrack.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------ > 1 file changed, 43 insertions(+), 12 deletions(-) > >diff --git a/lib/conntrack.c b/lib/conntrack.c >index 44f99f3..9987ab8 100644 >--- a/lib/conntrack.c >+++ b/lib/conntrack.c >@@ -2396,6 +2396,26 @@ next_addr_in_range_guarded(union ct_addr *curr, union >ct_addr *min, > > return exhausted; > } >+ >+static bool >+nat_get_unique_l4(struct conntrack *ct, struct conn *nat_conn, >+ ovs_be16 *port, uint16_t curr, uint16_t min, >+ uint16_t max) >+{ >+ uint16_t orig = curr; >+ >+ FOR_EACH_PORT_IN_RANGE(curr, min, max) { >+ *port = htons(curr); >+ if (!conn_lookup(ct, &nat_conn->rev_key, >+ time_msec(), NULL, NULL)) { >+ return true; >+ } >+ } >+ >+ *port = htons(orig); >+ >+ return false; >+} > > /* This function tries to get a unique tuple. > * Every iteration checks that the reverse tuple doesn't >@@ -2411,9 +2431,11 @@ next_addr_in_range_guarded(union ct_addr *curr, union >ct_addr *min, > * > * In case of DNAT: > * - For each dst IP address in the range (if any). >- * - For each dport in range (if any). >- * - Try to find a source port in the ephemeral range >- * (after testing the port used by the sender). >+ * - For each dport in range (if any) tries to find >+ * an unique tuple. >+ * - Eventually, if the previous attempt fails, >+ * tries to find a source port in the ephemeral >+ * range (after testing the port used by the sender). > * > * If none can be found, return exhaustion to the caller. */ > static bool >@@ -2444,6 +2466,11 @@ nat_get_unique_tuple(struct conntrack *ct, const struct >conn *conn, > set_dport_range(nat_info, &conn->key, hash, &curr_dport, > &min_dport, &max_dport); > >+ if (pat_proto) { >+ nat_conn->rev_key.src.port = htons(curr_dport); >+ nat_conn->rev_key.dst.port = htons(curr_sport); >+ } >+ > another_round: > store_addr_to_key(&curr_addr, &nat_conn->rev_key, > nat_info->nat_action); >@@ -2457,15 +2484,19 @@ another_round: > goto next_addr; > } > >- FOR_EACH_PORT_IN_RANGE(curr_dport, min_dport, max_dport) { >- nat_conn->rev_key.src.port = htons(curr_dport); >- FOR_EACH_PORT_IN_RANGE(curr_sport, min_sport, max_sport) { >- nat_conn->rev_key.dst.port = htons(curr_sport); >- if (!conn_lookup(ct, &nat_conn->rev_key, >- time_msec(), NULL, NULL)) { >- return true; >- } >- } >+ bool found = false; >+ if (nat_info->nat_action & NAT_ACTION_DST_PORT) { >+ found = nat_get_unique_l4(ct, nat_conn, &nat_conn->rev_key.src.port, >+ curr_dport, min_dport, max_dport); >+ } >+ >+ if (!found) { >+ found = nat_get_unique_l4(ct, nat_conn, &nat_conn->rev_key.dst.port, >+ curr_sport, min_sport, max_sport); >+ } >+ >+ if (found) { >+ return true; > } > > /* Check if next IP is in range and respin. Otherwise, notify >-- >1.8.3.1 > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
