This breaks the "-w" option's semantics, i.e. if the user inputs
"iptables -w 1" and concurrency happens,
we will only wait 10ms and return an error.
If there's any chance this patch can break existing setups then we
can't take this.
I'd suggest you add support to express millisecond
Once we place all conntracks into a global hash table we want them to be
spread across entire hash table, even if namespaces have overlapping ip
addresses.
We add nf_conntrack_netns_hash helper to later re-use it for nat bysrc
and expectation hash handling. The helper also allows us to avoid the
We already include netns address in the hash and compare the netns pointers
during lookup, so even if namespaces have overlapping addresses entries
will be spread across the table.
Assuming 64k bucket size, this change saves 0.5 mbyte per namespace on a
64bit system.
NAT bysrc and expectation
Once we place all conntracks in the same hash table we must also compare
the netns pointer to skip conntracks that belong to a different namespace.
Signed-off-by: Florian Westphal
---
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 8 ++--
Once we place all conntracks into the same table, iteration becomes more
costly because the table contains conntracks that we are not interested
in (belonging to other netns).
So don't bother scanning if the current namespace has no entries.
Signed-off-by: Florian Westphal
---
No need to disable BH here anymore:
stats are switched to _ATOMIC variant (== this_cpu_inc()), which
nowadays generates same code as the non _ATOMIC NF_STAT, at least on x86.
Signed-off-by: Florian Westphal
---
net/netfilter/nf_conntrack_core.c | 25 -
1
The iteration process is lockless, so we test if the conntrack object is
eligible for printing (e.g. is AF_INET) after obtaining the reference
count.
Once we put all conntracks into the same hash table we might see more
entries that need to be skipped.
So add a helper and first perform the test in a
When resizing the conntrack hash table at runtime via
echo 42 > /sys/module/nf_conntrack/parameters/hashsize, we are racing with
the conntrack lookup path -- reads can happen in parallel and nothing
prevents readers from observing the newly allocated hash but the old
size (or vice versa).
So
When iterating, skip conntrack entries living in a different netns.
We could ignore netns and kill some other non-assured one, but it
has two problems:
- a netns can kill non-assured conntracks in other namespace
- we would start to 'over-subscribe' the affected/overlimit netns.
Signed-off-by:
[ CCing netdev so netns folks can have a look too ]
This patch series removes the per-netns connection tracking tables.
All conntrack objects are then stored in one global table.
This avoids the infamous 'vmalloc' when lots of namespaces are used:
We no longer allocate a new conntrack
On Thu, Apr 28, 2016 at 12:07:10PM +0200, Arturo Borrero Gonzalez wrote:
> On 28 April 2016 at 11:27, Pablo Neira Ayuso wrote:
> > On Thu, Apr 28, 2016 at 11:14:38AM +0200, Arturo Borrero Gonzalez wrote:
> >> If we include tests/ in the release tarball, downstream
On Thu, Apr 28, 2016 at 11:14:38AM +0200, Arturo Borrero Gonzalez wrote:
> If we include tests/ in the release tarball, downstream distributors
> can run the testsuites themselves while developing the packages.
>
> This way, tests can be run in a more integrated environment and they can
>
If we include tests/ in the release tarball, downstream distributors
can run the testsuites themselves while developing the packages.
This way, tests can be run in a more integrated environment and they can
discover errors related to the integration with the given distribution itself.
On 14 April 2016 at 12:24, Pablo Neira Ayuso wrote:
>
> Thanks for coming up with this Arturo.
>
> I have a better way to fix this by not adding/removing the objects to
> the lists.
>
> Ping me back if I don't come up with the fix anytime soon.
ping :-)
--
Arturo Borrero
2014-12-08 16:36 GMT+01:00 Florian Westphal :
> ... to avoid per-packet FIB lookup if possible.
>
> The cached dst is re-used provided the input interface
> is the same as that of the previous packet in the same direction.
>
> If not, the cached dst is invalidated.
It looks like
Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
xt_LOG") disabled logging packets using the LOG target from non-init
namespaces. The motivation was to prevent containers from flooding
kernel log of the host. The plan was to keep it that way until syslog
namespace
On 27 April 2016 at 19:14, Pablo Neira Ayuso wrote:
> On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote:
>> Currently, if we choose a set name larger than allowed, the error message is:
>> Error: Could not process rule: Numerical result out of range
>>