On Thu, Aug 18, 2016 at 05:59:30PM +0200, Pablo M. Bermudo Garay wrote:
> 2016-08-17 16:23 GMT+02:00 Pablo Neira Ayuso :
> > On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote:
> >> The comment_xlate function was not supporting this option that is
> >> necessary in some situatio
With stats enabled this eats 80 bytes on x86_64 per nf_conn entry.
Remove it and use a 32bit jiffies value containing timestamp until
entry is valid.
During conntrack lookup, even before doing tuple comparison, check
the timeout value and evict the entry in case it is too old.
The dying bit is
Conntrack gc worker to evict stale entries.
GC happens once every 5 seconds, but we only scan at most 1/64th of the
table (and not more than 8k) buckets to avoid hogging cpu.
This means that a complete scan of the table will take several minutes
of wall-clock time.
Considering that the gc run wi
When dumping we already have to look at the entire table, so we might
as well toss those entries whose timeout value is in the past.
We also look at every entry during resize operations.
However, eviction there is not as simple because we hold the
global resize lock so we can't evict without addin
The reliable event delivery mode currently (ab)uses the DYING bit to
detect which entries on the dying list have to be skipped when
re-delivering events from the ecache worker in reliable event mode.
Currently when we delete the conntrack from main table we only set this
bit if we could also delive
If we evicted a large fraction of the scanned conntrack entries re-schedule
the next gc cycle for immediate execution.
This triggers during tests where load is high, then drops to zero and
many connections will be in TW/CLOSE state with < 30 second timeouts.
Without this change it will take sever
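The expiry scheme described across the messages above (a 32-bit jiffies deadline instead of a per-entry timer, eviction during lookup before the tuple is compared, a gc worker that scans at most 1/64 of the table and never more than 8k buckets once every 5 seconds, and immediate rescheduling when a large fraction of the scanned entries was stale), as an added userspace C model. This is not code from the thread or from the kernel patches; HZ, the table size, the one-entry-per-bucket layout, the "more than half of the scanned entries" rescheduling threshold, the sample table contents and every name other than nf_ct_is_expired and nf_conntrack_find are assumptions made for the example.

```c
/* Added example: userspace model of timer-less conntrack expiry.
 * Figures 1/64, 8k buckets, 5 seconds come from the thread; HZ, NBUCKETS,
 * the eviction threshold and the helper names are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define HZ             1000u            /* assumption: 1 jiffy = 1 ms */
#define GC_INTERVAL    (5u * HZ)        /* gc worker runs once every 5 seconds */
#define GC_MAX_BUCKETS 8192u            /* never scan more than 8k buckets per run */
#define NBUCKETS       65536u           /* assumption: hash table size */

struct nf_conn {
	bool     in_use;
	uint32_t tuple;    /* stand-in for the real 5-tuple */
	uint32_t timeout;  /* absolute jiffies until which the entry is valid */
};

static struct nf_conn ct_hash[NBUCKETS];   /* assumption: one entry per bucket */
static unsigned int gc_next_bucket;        /* where the next gc slice starts */
static uint32_t gc_delay;                  /* delay chosen by the last gc run */

/* time_after_eq() semantics: wrap-safe comparison of 32-bit jiffies. */
static bool nf_ct_is_expired(const struct nf_conn *ct, uint32_t now)
{
	return (int32_t)(now - ct->timeout) >= 0;
}

/* Insert with a relative timeout, i.e. ct->timeout = now + ttl (may wrap). */
static void ct_insert(unsigned int bucket, uint32_t tuple, uint32_t now, uint32_t ttl)
{
	ct_hash[bucket].in_use = true;
	ct_hash[bucket].tuple = tuple;
	ct_hash[bucket].timeout = now + ttl;
}

static void ct_evict(struct nf_conn *ct)
{
	ct->in_use = false;
}

/* Lookup: check the deadline before comparing the tuple; stale entries are
 * evicted on the spot and reported as a miss. */
static struct nf_conn *nf_conntrack_find(unsigned int bucket, uint32_t tuple, uint32_t now)
{
	struct nf_conn *ct = &ct_hash[bucket];

	if (!ct->in_use)
		return NULL;
	if (nf_ct_is_expired(ct, now)) {
		ct_evict(ct);
		return NULL;
	}
	return ct->tuple == tuple ? ct : NULL;
}

/* One gc slice: scan min(NBUCKETS/64, GC_MAX_BUCKETS) buckets from the saved
 * cursor, evict stale entries and return how many were evicted. gc_delay is
 * set to 0 (run again immediately) when more than half of the scanned entries
 * were stale (threshold is an assumption), otherwise to GC_INTERVAL. */
static unsigned int gc_worker(uint32_t now)
{
	unsigned int budget = NBUCKETS / 64;
	unsigned int scanned = 0, evicted = 0;

	if (budget > GC_MAX_BUCKETS)
		budget = GC_MAX_BUCKETS;

	while (budget--) {
		struct nf_conn *ct = &ct_hash[gc_next_bucket];

		gc_next_bucket = (gc_next_bucket + 1) % NBUCKETS;
		if (!ct->in_use)
			continue;
		scanned++;
		if (nf_ct_is_expired(ct, now)) {
			ct_evict(ct);
			evicted++;
		}
	}
	gc_delay = (scanned && evicted * 2 > scanned) ? 0 : GC_INTERVAL;
	return evicted;
}

static uint32_t gc_next_delay(void)
{
	return gc_delay;
}

/* Wall-clock jiffies for one full pass at one slice per GC_INTERVAL:
 * 64 runs * 5 s = 320 s with these parameters, i.e. "several minutes". */
static uint32_t gc_full_scan_jiffies(void)
{
	unsigned int per_run = NBUCKETS / 64 > GC_MAX_BUCKETS ? GC_MAX_BUCKETS : NBUCKETS / 64;

	return (NBUCKETS / per_run) * GC_INTERVAL;
}

/* Constructed sample table: 1000 TIME_WAIT-like 30 s entries and 24 entries
 * with the 5-day established default, all created at 'now'. Returns count. */
static unsigned int populate_demo_table(uint32_t now)
{
	unsigned int i;

	memset(ct_hash, 0, sizeof(ct_hash));
	gc_next_bucket = 0;
	for (i = 0; i < 1000; i++)
		ct_insert(i, i, now, 30u * HZ);
	for (; i < 1024; i++)
		ct_insert(i, i, now, 5u * 24u * 3600u * HZ);
	return i;
}
```

Picking a start time just below 2^32 for the sample table exercises the wrap-around case: the 5-day deadlines wrap past zero, and the signed subtraction in nf_ct_is_expired still orders them correctly, which is the property a bare `now >= timeout` comparison would lose.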
During NFWS 2016 it was mentioned that per-conntrack timers have
two drawbacks:
- the 5-day default established timeout is very large and brings
extra constraints for the timer subsystem.
- most distros enable timer stats so timer struct eats 80 bytes
in each conntrack object.
This series
After timer removal this just calls nf_ct_delete so remove the __ prefix
version and make nf_ct_kill a shorthand for nf_ct_delete.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack.h | 13 +++--
net/netfilter/nf_conntrack_core.c    | 12 +---
2 files changed,
On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote:
> With stats enabled this eats 80 bytes on x86_64 per nf_conn entry.
>
> Remove it and use a 32bit jiffies value containing timestamp until
> entry is valid.
Great work!
...
> +/* caller must hold rcu readlock and none of the nf_conntr
On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote:
> Conntrack gc worker to evict stale entries.
...
> +
> + hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
> + tmp = nf_ct_tuplehash_to_ctrack(h);
> +
> + if (nf_ct_is_expired
From: Gao Feng
There are two structures which define the GRE header and PPTP
header. So it is unnecessary to define duplicated structures in
netfilter again.
Signed-off-by: Gao Feng
---
v1: Initial patch
include/linux/netfilter/nf_conntrack_proto_gre.h | 63 +---
include/
Eric Dumazet wrote:
> > +/* caller must hold rcu readlock and none of the nf_conntrack_locks */
> > +static void nf_ct_gc_expired(struct nf_conn *ct)
> > +{
> > + if (!atomic_inc_not_zero(&ct->ct_general.use))
> > + return;
> > +
> > + if (nf_ct_should_gc(ct))
> > + nf_ct_k
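Review bot: the reference taken by atomic_inc_not_zero() at the top of nf_ct_gc_expired() must be dropped on both outcomes of `if (nf_ct_should_gc(ct))`, not only on the kill path; the quoted lines end before the non-expired branch is visible, so it is worth confirming that branch does an nf_ct_put(ct). Also, since the comment requires only the RCU read lock and the thread notes that SLAB_DESTROY_BY_RCU gives no grace period, a successful increment only proves the memory is still some nf_conn, so any check done after the increment has to be valid even if the slot was recycled for a different entry.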
My email server reports the last same patch email failed to send.
So I just sent it again.
I am sorry, if anyone receives duplicated ones.
Regards
Feng
On Fri, Aug 19, 2016 at 11:01 PM, wrote:
> From: Gao Feng
>
> There are two structures which define the GRE header and PPTP
> header. So it i
Eric Dumazet wrote:
> On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote:
> > Conntrack gc worker to evict stale entries.
>
> ...
>
> > +
> > + hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
> > + tmp = nf_ct_tuplehash_to_ctrack(h);
> > +
> > +
On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote:
> Hmm, nf_conntrack_find caller needs to hold rcu_read_lock,
> in case object is free'd SLAB_DESTROY_BY_RCU should delay actual release
> of the page.
Well, point is that SLAB_DESTROY_BY_RCU means that we have no grace
period, and obj
Eric Dumazet wrote:
> On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote:
>
> > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock,
> > in case object is free'd SLAB_DESTROY_BY_RCU should delay actual release
> > of the page.
>
> Well, point is that SLAB_DESTROY_BY_RCU means th