This series is fixing two different problems. The first issue is related to duplicated entries when used for non-confirmed connections in nft_connlimit and xt_connlimit. Now, nf_conncount_add() checks whether the connection is confirmed or not. If the connection is confirmed, skip the add.
In order to do that, the nf_conncount API is now receiving struct nf_conn as argument instead of tuple and zone. In addition, nf_conncount_count() also needs to receive the net because it calls nf_conncount_gc_list() inside it if ct is NULL.

The second issue this series is fixing is related to nft_connlimit/xt_connlimit not updating the list of connections for confirmed connections, breaking softlimiting use-cases like limiting the bandwidth when too many connections are open.

This has been tested on datapath using connlimit in nftables and iptables. I have stressed the system up to 2000 connections.

CC'ing openvswitch maintainers as this change on the API required me to touch their code. I am not very familiar with the internals of openvswitch but I believe this should be fine for them. If you could provide some testing from openvswitch side it would be really helpful.

Fernando Fernandez Mancera (3):
  netfilter: nf_conncount: only track connection if it is not confirmed
  netfilter: nf_conncount: make nf_conncount_gc_list() to disable BH
  netfilter: nft_connlimit: update connection list if add was skipped

 include/net/netfilter/nf_conntrack_count.h | 10 +--
 net/netfilter/nf_conncount.c               | 94 +++++++++++++---------
 net/netfilter/nft_connlimit.c              | 49 ++++++-----
 net/netfilter/xt_connlimit.c               | 28 ++++---
 net/openvswitch/conntrack.c                | 14 ++--
 5 files changed, 106 insertions(+), 89 deletions(-)

--
2.51.0
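The two bookkeeping problems the cover letter describes, modelled in user-space C as an added example (this is not the kernel's nf_conncount or connlimit code, and every struct and function name below, `model_conn`, `model_count_list`, `model_add_before`, `model_add_after`, `model_gc`, `model_count_after`, is a hypothetical stand-in). The "before" add appends unconditionally, so a connection seen once unconfirmed and again after confirmation is counted twice; the "after" add skips confirmed connections, and when the add is skipped the list is still garbage-collected so closed connections stop inflating the count that a soft limit relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_TRACKED 64

/* Hypothetical stand-in for a conntrack entry (not struct nf_conn). */
struct model_conn {
    unsigned int id;   /* stands in for the tuple + zone key */
    bool confirmed;    /* set once the first packet has passed through */
    bool closed;       /* connection is gone; a gc pass should drop it */
};

/* Per-key list of tracked connection ids, like connlimit keeps per address. */
struct model_count_list {
    unsigned int ids[MODEL_MAX_TRACKED];
    unsigned int count;
};

static void model_list_init(struct model_count_list *l)
{
    memset(l, 0, sizeof(*l));
}

/* Old behaviour: add unconditionally. A connection seen first unconfirmed
 * and later confirmed ends up in the list twice. */
static void model_add_before(struct model_count_list *l, const struct model_conn *ct)
{
    if (l->count < MODEL_MAX_TRACKED)
        l->ids[l->count++] = ct->id;
}

/* First fix: only track a connection while it is unconfirmed.
 * Returns true if an entry was added, false if the add was skipped. */
static bool model_add_after(struct model_count_list *l, const struct model_conn *ct)
{
    if (ct->confirmed)
        return false;
    if (l->count < MODEL_MAX_TRACKED)
        l->ids[l->count++] = ct->id;
    return true;
}

/* Garbage collection: drop entries whose connection has closed. */
static unsigned int model_gc(struct model_count_list *l,
                             const struct model_conn *table, size_t n)
{
    unsigned int kept = 0;
    for (unsigned int i = 0; i < l->count; i++) {
        bool alive = false;
        for (size_t j = 0; j < n; j++)
            if (table[j].id == l->ids[i] && !table[j].closed)
                alive = true;
        if (alive)
            l->ids[kept++] = l->ids[i];
    }
    l->count = kept;
    return kept;
}

/* Second fix: when the add is skipped for a confirmed connection, still
 * refresh the list so the reported count reflects closed connections. */
static unsigned int model_count_after(struct model_count_list *l, const struct model_conn *ct,
                                      const struct model_conn *table, size_t n)
{
    if (!model_add_after(l, ct))
        model_gc(l, table, n);
    return l->count;
}

/* Scenario 1: one connection counted once unconfirmed, once confirmed. */
unsigned int model_demo_duplicate_before(void)
{
    struct model_count_list l;
    struct model_conn ct = { .id = 1, .confirmed = false, .closed = false };
    model_list_init(&l);
    model_add_before(&l, &ct);
    ct.confirmed = true;
    model_add_before(&l, &ct);
    return l.count;            /* 2: duplicate entry */
}

unsigned int model_demo_duplicate_after(void)
{
    struct model_count_list l;
    struct model_conn ct = { .id = 1, .confirmed = false, .closed = false };
    model_list_init(&l);
    model_add_after(&l, &ct);
    ct.confirmed = true;
    model_add_after(&l, &ct);  /* skipped: already confirmed */
    return l.count;            /* 1 */
}

/* Scenario 2: three connections tracked, one closes; a later packet on a
 * confirmed connection must bring the count down to 2 (constructed data). */
unsigned int model_demo_softlimit_after(void)
{
    struct model_count_list l;
    struct model_conn table[3] = {
        { .id = 1, .confirmed = false, .closed = false },
        { .id = 2, .confirmed = false, .closed = false },
        { .id = 3, .confirmed = false, .closed = false },
    };
    model_list_init(&l);
    for (size_t i = 0; i < 3; i++)
        model_add_after(&l, &table[i]);
    for (size_t i = 0; i < 3; i++)
        table[i].confirmed = true;
    table[1].closed = true;
    return model_count_after(&l, &table[0], table, 3);  /* 2 */
}

int main(void)
{
    printf("before fix, duplicate scenario: %u\n", model_demo_duplicate_before());
    printf("after fix,  duplicate scenario: %u\n", model_demo_duplicate_after());
    printf("after fix,  softlimit scenario: %u\n", model_demo_softlimit_after());
    return 0;
}
```

The model deliberately keeps the "confirmed" check at the front of the add path, mirroring the cover letter's description that nf_conncount_add() now skips confirmed connections, and routes the skipped case through a gc pass, which is the connlimit-side update the third patch in the series describes.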
