Re: [Devel] [PATCH rh7 00/19] netfilter/conntrack: use a single hashtable for all namespaces

2020-05-22 Thread Konstantin Khorenko
Committed to 3.10.0-1127.8.2.vz7.151.4 kernel. -- Best regards, Konstantin Khorenko, Virtuozzo Linux Kernel Team On 05/22/2020 11:10 AM, Konstantin Khorenko wrote: There is some software which creates new net namespaces often, for example: - "very secure FTP daemon" (vsftpd) - by default

[Devel] [PATCH rh7 11/19] ms/netfilter: conntrack: fix calculation of next bucket number in early_drop

2020-05-22 Thread Konstantin Khorenko
From: Vasily Khoruzhick If there's no entry to drop in the bucket that corresponds to the hash, early_drop() should look for it in other buckets. But since it increments hash instead of bucket number, it actually looks in the same bucket 8 times: hsize is 16k by default (14 bits) and hash is 32-bit

[Devel] [PATCH rh7 08/19] ms/netfilter: conntrack: consider ct netns in early_drop logic

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal When iterating, skip conntrack entries living in a different netns. We could ignore netns and kill some other non-assured one, but it has two problems: - a netns can kill non-assured conntracks in other namespace - we would start to 'over-subscribe' the

[Devel] [PATCH rh7 01/19] ms/netfilter: conntrack: don't attempt to iterate over empty table

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Once we place all conntracks into same table iteration becomes more costly because the table contains conntracks that we are not interested in (belonging to other netns). So don't bother scanning if the current namespace has no entries. Signed-off-by: Florian Westphal

[Devel] [PATCH rh7 17/19] ms/netfilter: conntrack: use a single nat bysource table for all namespaces

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal We already include netns address in the hash, so we only need to use net_eq in find_appropriate_src and can then put all entries into same table. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from

[Devel] [PATCH rh7 09/19] ms/netfilter: conntrack: do not dump other netns's conntrack entries via proc

2020-05-22 Thread Konstantin Khorenko
From: Liping Zhang We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces") Signed-off-by: Liping

[Devel] [PATCH rh7 05/19] ms/netfilter: conntrack: make netns address part of hash

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Once we place all conntracks into a global hash table we want them to be spread across entire hash table, even if namespaces have overlapping ip addresses. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry

[Devel] [PATCH rh7 00/19] netfilter/conntrack: use a single hashtable for all namespaces

2020-05-22 Thread Konstantin Khorenko
There is some software which creates new net namespaces often, for example: - "very secure FTP daemon" (vsftpd) - by default create a new network namespace per connection. - "phpsessionclean.service" (ionclean) - native php mechanism for old sessions garbage collection, if

[Devel] [PATCH rh7 06/19] revert RH patch 9837-net-netfilter-nf_conntrack-don-t-resize-NULL-or-free.patch

2020-05-22 Thread Konstantin Khorenko
Original commit: Subject: [PATCH 09837/10555] [net] netfilter: nf_conntrack: don't resize NULL or freed hashtable Message-id: Patchwork-id: 226249 O-Subject: [RHEL7.6 net] netfilter: nf_conntrack: don't resize NULL or freed hashtable Bugzilla: 1601662 RH-Acked-by: Marcelo Leitner

[Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Alexander Mikhalitsyn
This patch adds OVERLAY_FS_DYNAMIC_RESOLVE_PATH_OPTIONS compile-time option, and "dyn_path_opts" runtime module option. These options correspond to the "dynamic path resolving in lowerdir, upperdir, workdir mount options" mode. If enabled, the user may see real full paths relative to the mount namespace

[Devel] [PATCH rh7 07/19] ms/netfilter: conntrack: use a single hashtable for all namespaces

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal We already include netns address in the hash and compare the netns pointers during lookup, so even if namespaces have overlapping addresses entries will be spread across the table. Assuming 64k bucket size, this change saves 0.5 mbyte per namespace on a 64bit system. NAT

[Devel] [PATCH rh7 19/19] netfilter: xt_MARK: Add ARP support

2020-05-22 Thread Konstantin Khorenko
From: Zhang Chunyu Add arpt_MARK to xt_mark. The corresponding userspace update is available at: http://git.netfilter.org/arptables/commit/?id=4bb2f8340783fd3a3f70aa6f8807428a280f8474 Signed-off-by: Zhang Chunyu Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515

[Devel] [PATCH rh7 13/19] ms/netfilter: conntrack: use get_random_once for nat and expectations

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Use a private seed and init it using get_random_once. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from commit 7001c6d109ea41a88e7156f467cf9fb5f37f5036) Signed-off-by: Konstantin Khorenko ---

[Devel] [PATCH rh7 12/19] ms/netfilter: conntrack: check netns when walking expect hash

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from commit 03d7dc5cdfe6fd4e5bd04cfc2be7ae259f956428) Signed-off-by: Konstantin Khorenko --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c |

[Devel] [PATCH rh7 02/19] ms/netfilter: conntrack: use nf_ct_key_equal() in more places

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal This prepares for upcoming change that places all conntracks into a single, global table. For this to work we will need to also compare net pointer during lookup. To avoid open-coding such check use the nf_ct_key_equal helper and then later extend it to also consider

[Devel] [PATCH rh7 16/19] ms/netfilter: conntrack: make netns address part of nat bysrc hash

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Will be needed soon when we place all in the same hash table. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from commit 464c38556e06723b4c77d36fecff140b8527bc59) Signed-off-by: Konstantin Khorenko

[Devel] [PATCH rh7 10/19] ms/netfilter: nf_conntrack: Fix possible possible crash on module loading.

2020-05-22 Thread Konstantin Khorenko
From: Andrey Ryabinin Loading the nf_conntrack module with doubled hashsize parameter, i.e. modprobe nf_conntrack hashsize=12345 hashsize=12345 causes NULL-ptr deref. If 'hashsize' is specified twice, the nf_conntrack_set_hashsize() function will be called also twice. The first

[Devel] [PATCH rh7 18/19] ms/netfilter: conntrack: use single slab cache

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal An earlier patch changed lookup side to also net_eq() namespaces after obtaining a reference on the conntrack, so a single kmemcache can be used. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from

[Devel] [PATCH rh7 15/19] ms/netfilter: conntrack: use a single expectation table for all namespaces

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal We already include netns address in the hash and compare the netns pointers during lookup, so even if namespaces have overlapping addresses entries will be spread across the expectation table. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

[Devel] [PATCH rh7 14/19] ms/netfilter: conntrack: make netns address part of expect hash

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked from commit a9a083c3878f28e9d368f6dfb1a79a6f04ad8123) Signed-off-by: Konstantin Khorenko --- net/netfilter/nf_conntrack_expect.c | 17

[Devel] [PATCH rh7 03/19] ms/netfilter: conntrack: small refactoring of conntrack seq_printf

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal The iteration process is lockless, so we test if the conntrack object is eligible for printing (e.g. is AF_INET) after obtaining the reference count. Once we put all conntracks into same hash table we might see more entries that need to be skipped. So add a helper and

[Devel] [PATCH rh7 04/19] ms/netfilter: conntrack: check netns when comparing conntrack objects

2020-05-22 Thread Konstantin Khorenko
From: Florian Westphal Once we place all conntracks in the same hash table we must also compare the netns pointer to skip conntracks that belong to a different namespace. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso https://jira.sw.ru/browse/PSBM-103515 (cherry picked

[Devel] [PATCH RHEL7 COMMIT] ext4: writecounters leak in ext4_convert_unwritten_extents()

2020-05-22 Thread Konstantin Khorenko
The commit is pushed to "branch-rh7-3.10.0-1127.8.2.vz7.151.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.8.2.vz7.151.4 --> commit 9f50c56e038585e8a1e0e0978074b7ddfdfe0ffb Author: Vasily Averin Date: Fri May 22 13:37:04 2020 +0300 ext4:

Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Pavel Tikhomirov
+int print_paths_option(struct seq_file *m, const char *name, struct ovl_fs *ofs) +{ +    unsigned int order = ilog2(ofs->numlower) + 1; +    char *res = (char*)__get_free_pages(GFP_TEMPORARY, order); +    char *tmp = (char*)__get_free_page(GFP_TEMPORARY); +    char *pathname; +    int len; +   

[Devel] [PATCH RHEL7 COMMIT] netfilter: conntrack: fix false-positive compiler warning in early_drop()

2020-05-22 Thread Konstantin Khorenko
The commit is pushed to "branch-rh7-3.10.0-1127.8.2.vz7.151.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.8.2.vz7.151.4 --> commit 489f5563377d926bb4aef653e230c6c779ca70b6 Author: Konstantin Khorenko Date: Fri May 22 13:30:19 2020 +0300

Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Pavel Tikhomirov
Nice job. Please see comments inline. On 5/22/20 11:01 AM, Alexander Mikhalitsyn wrote: This patch adds OVERLAY_FS_DYNAMIC_RESOLVE_PATH_OPTIONS compile-time option, and "dyn_path_opts" runtime module option. These options correspond to the "dynamic path resolving in lowerdir, upperdir, workdir mount

Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Vasily Averin
On 5/22/20 11:01 AM, Alexander Mikhalitsyn wrote: > +int print_paths_option(struct seq_file *m, const char *name, struct ovl_fs > *ofs) > +{ > + unsigned int order = ilog2(ofs->numlower) + 1; > + char *res = (char*)__get_free_pages(GFP_TEMPORARY, order); > + char *tmp =

[Devel] [PATCH v2] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Alexander Mikhalitsyn
This patch adds OVERLAY_FS_DYNAMIC_RESOLVE_PATH_OPTIONS compile-time option, and "dyn_path_opts" runtime module option. These options correspond to the "dynamic path resolving in lowerdir, upperdir, workdir mount options" mode. If enabled, the user may see real full paths relative to the mount namespace

Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Alexander Mikhalitsyn
Thank you for your review. I've sent a new patch version (2) where I've fixed all issues. From: Pavel Tikhomirov Sent: Friday, May 22, 2020 15:22 To: Alexander Mikhalitsyn; devel@openvz.org Cc: Konstantin Khorenko Subject: Re: [PATCH] overlayfs: add

Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options

2020-05-22 Thread Alexander Mikhalitsyn
Thank you very much for review. I've fixed that. From: Vasily Averin Sent: Friday, May 22, 2020 16:34 To: Alexander Mikhalitsyn; devel@openvz.org Subject: Re: [Devel] [PATCH] overlayfs: add dynamic path resolving in mount options On 5/22/20 11:01 AM,

[Devel] [PATCH RH7 5/6] locking: Add LOCK_CONTENDED_RETURN

2020-05-22 Thread Kirill Tkhai
From ms commit 916633a40370 "locking/rwsem: Provide down_write_killable()" Signed-off-by: Kirill Tkhai --- include/linux/lockdep.h | 15 +++ 1 file changed, 15 insertions(+) diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h index 1c49aac45896..242f69bddecf 100644

[Devel] [PATCH RH7 3/6] locking/x86: Use named operands in rwsem.h

2020-05-22 Thread Kirill Tkhai
From: Miguel Bernal Marin ms commit 30c23f29d2d5 Since GCC version 3.1 it is possible to specify input and output operands using symbolic names, which can be referenced within the assembler code. Converting to named operands makes it easier to understand and maintain the code in the future.

[Devel] [PATCH RH7 4/6] locking/arch, x86: Add __down_read_killable()

2020-05-22 Thread Kirill Tkhai
ms commit 19c60923010b Similar to __down_write_killable(), add read killable primitive: extract current __down_read() code to macros and teach it to get different functions as slow_path argument: store ax register to ret, and add sp register and preserve its value. Add

[Devel] [PATCH RH7 6/6] locking/rwsem: Add down_read_killable()

2020-05-22 Thread Kirill Tkhai
ms commit 76f8507f7a64 Similar to down_read() and down_write_killable(), add killable version of down_read(), based on __down_read_killable() function, added in previous patches. Signed-off-by: Kirill Tkhai Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc:

[Devel] [PATCH RH7 1/6] x86/asm: Use register variable to get stack pointer value

2020-05-22 Thread Kirill Tkhai
From: Andrey Ryabinin ms commit 196bd485ee4f (part) Currently we use current_stack_pointer() function to get the value of the stack pointer register. Since commit: f5caf621ee35 ("x86/asm: Fix inline asm call constraints for Clang") ... we have a stack register variable declared. It can be

[Devel] [PATCH RH7 0/6] Introduce down_read_killable()

2020-05-22 Thread Kirill Tkhai
This ports support for down_read_killable(), which is a prerequisite for pernet_ops_rwsem. https://jira.sw.ru/browse/PSBM-104158 --- Andrey Ryabinin (1): x86/asm: Use register variable to get stack pointer value Kirill Tkhai (4): locking/rwsem-xadd: Add killable versions of

[Devel] [PATCH RH7 2/6] locking/rwsem-xadd: Add killable versions of rwsem_down_read_failed()

2020-05-22 Thread Kirill Tkhai
ms commit 83ced169d9a0 Rename rwsem_down_read_failed() in __rwsem_down_read_failed_common() and teach it to abort waiting in case of pending signals and killable state argument passed. Note, that we shouldn't wake anybody up in EINTR path, as: We check for (waiter.task) under spinlock before we