This patch is originally from Florian Westphal.
This patch does the following three tasks.
It applies the same early exit technique for nf_conncount_lookup().
Since now we keep the number of connections in 'struct nf_conncount_list',
we no longer need to return the count in
This patch is originally from Florian Westphal.
This patch does the following 3 main tasks.
1) Add list lock to 'struct nf_conncount_list' so that we can
alter the lists containing the individual connections without holding the
main tree lock. It would be useful when we only need to add/remove
This patch is originally from Florian Westphal.
We use an extra function with early exit for garbage collection.
It is not necessary to traverse the full list for every node since
it is enough to zap a couple of entries for garbage collection.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian
Original patch is from Florian Westphal.
This patch switches from hlist to plain list to store the list of
connections with the same filtering key in nf_conncount. With the
plain list, we can insert new connections at the tail, so over time
the beginning of list holds long-running connections and
This patch series applies the following techniques to optimize nf_conncount
performance.
* Early exit for garbage collection
In order to reduce gc time, we skip traversing the full list on
every node when doing garbage collection, since it is enough to zap
a couple of expired entries.
* Split tree
This patch is originally from Florian Westphal.
When we have a very coarse grouping, e.g. by large subnets, zone id,
etc, it's likely that we do not need to do tree rotation because
we'll find a node where we can attach new entry. Based on this
observation, we split tree traversal and insertion.
This patch is originally from Florian Westphal.
This is a preparation patch to allow lockless traversal
of the tree via RCU.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
net/netfilter/nf_conncount.c | 52 +---
1 file changed, 25
On Mon, Jul 2, 2018 at 9:49 AM, Florian Westphal wrote:
> Yi-Hung Wei wrote:
>> This patch series applies the following techniques to optimize nf_conncount
>> performance.
>
> Looks good to me, thanks Yi-Hung for working on this.
>
> Maybe just avoid the race in patch 6/7, it's possible it's needed
On Friday 2018-06-29 12:36, Florian Westphal wrote:
>
>My only concern is someone complaining/asking where the ebt_foo.so files
>went.
That's an easy part. — The hard part is conveying to, and convincing distro
people that certain *new* files need to be in certain subpackages of theirs...
;-)
Hi,
On Thu, 28 Jun 2018, Stefano Brivio wrote:
> Commit 45040978c899 ("netfilter: ipset: Fix set:list type crash
> when flush/dump set in parallel") postponed decreasing set
> reference counters to the RCU callback.
>
> An 'ipset del' command can terminate before the RCU grace period
> is
The help text contains several \xa0 bytes, which are not valid UTF-8
characters but could have been non-breaking spaces in Latin 1
encoding. I see no reason to use non-breaking spaces here, so replace
them with regular spaces.
Fixes: 30edf801d7ed ("netfilter: ipvs: Add configurations of Maglev
Yi-Hung Wei wrote:
> This patch series applies the following techniques to optimize nf_conncount
> performance.
>
> * Early exit for garbage collection
> In order to reduce gc time, we skip traversing the full list on
> every node when doing garbage collection, since it is enough to zap
> a couple
Yi-Hung Wei wrote:
> From: Florian Westphal
>
> This patch adds list lock to 'struct nf_conncount_list' so that we can
> alter the lists containing the individual connections without holding the
> main tree lock. It would be useful when we only need to add/remove to/from
> a list without
Florian Westphal wrote:
> Jan Engelhardt wrote:
> > Well yeah there is, I tried it, and then thought,
> > gee, I am a German, I should be solving the issue thoroughly
> > rather than just bandaiding an old Makefile.
> Ok, I see, your series supersedes that 'bandaid patch'.
> Let me re-consider
Arushi Singhal wrote:
> Shell prompt ends with:
> "%", indicates a C shell.
> "$", indicates shell that's compatible with the Bash.
> "#", indicates shell is running as the system's root.
> So, "%" is replaced with "$" or "#".
Applied.
--
To unsubscribe from this list: send the line "unsubscribe
This patch enables the clash resolution for NAT (disabled in
"590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
and a protocol allows it.
The clash might happen for a connectionless protocol (e.g. UDP) when
two threads in parallel write to the same socket and consequent
> Martynas Pumputis wrote:
>> This patch enables the clash resolution for NAT (disabled in
>> "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
>> and a protocol allows it.
>>
>> In this case it is safe to perform the resolution, as the losing CT
>> describes the same
2018-07-02 20:45 GMT+09:00 Florian Westphal:
> Taehee Yoo wrote:
>> In order to destroy elements of set, a rhashtable_free_and_destroy()
>> is used. The rhashtable_free_and_destroy() cancels a re-hash deferred work
>> then walks and destroys elements. At this moment, some elements are
>> still
Taehee Yoo wrote:
> In order to destroy elements of set, a rhashtable_free_and_destroy()
> is used. The rhashtable_free_and_destroy() cancels a re-hash deferred work
> then walks and destroys elements. At this moment, some elements are
> still in a future_tbl. Those elements are not destroyed.
Taehee Yoo wrote:
> set->nelems is increased when set->size is given.
> so that checking set->size routine should be added.
Does it make sense to have sets with no upper size?
I think it makes more sense to enforce an upper bound
so that set->size is always nonzero.
Martynas Pumputis wrote:
> This patch enables the clash resolution for NAT (disabled in
> "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
> and a protocol allows it.
>
> In this case it is safe to perform the resolution, as the losing CT
> describes the same mangling as
This patch enables the clash resolution for NAT (disabled in
"590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
and a protocol allows it.
In this case it is safe to perform the resolution, as the losing CT
describes the same mangling as the winning CT, so no modifications
Signed-off-by: Máté Eckl
---
tests/py/inet/tproxy.t | 20 +++
tests/py/inet/tproxy.t.payload | 46 ++
tests/py/ip/tproxy.t | 14 +++
tests/py/ip/tproxy.t.payload | 36 ++
tests/py/ip6/tproxy.t
23 matches