Re: [PATCH iptables 1/2] xtables-translate: add escape_quotes option to comment_xlate

2016-08-19 Thread Pablo Neira Ayuso
On Thu, Aug 18, 2016 at 05:59:30PM +0200, Pablo M. Bermudo Garay wrote: > 2016-08-17 16:23 GMT+02:00 Pablo Neira Ayuso : > > On Tue, Aug 16, 2016 at 07:44:32PM +0200, Pablo M. Bermudo Garay wrote: > >> The comment_xlate function was not supporting this option that is > >> necessary in some situatio

[PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-19 Thread Florian Westphal
With stats enabled this eats 80 bytes on x86_64 per nf_conn entry. Remove it and use a 32bit jiffies value containing timestamp until entry is valid. During conntrack lookup, even before doing tuple comparison, check the timeout value and evict the entry in case it is too old. The dying bit is

[PATCH nf-next 4/6] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-19 Thread Florian Westphal
Conntrack gc worker to evict stale entries. GC happens once every 5 seconds, but we only scan at most 1/64th of the table (and not more than 8k) buckets to avoid hogging cpu. This means that a complete scan of the table will take several minutes of wall-clock time. Considering that the gc run wi

[PATCH nf-next 3/6] netfilter: evict stale entries on netlink dumps

2016-08-19 Thread Florian Westphal
When dumping we already have to look at the entire table, so we might as well toss those entries whose timeout value is in the past. We also look at every entry during resize operations. However, eviction there is not as simple because we hold the global resize lock so we can't evict without addin

[PATCH nf-next 1/6] netfilter: don't rely on DYING bit to detect when destroy event was sent

2016-08-19 Thread Florian Westphal
The reliable event delivery mode currently (ab)uses the DYING bit to detect which entries on the dying list have to be skipped when re-delivering events from the ecache worker in reliable event mode. Currently when we delete the conntrack from main table we only set this bit if we could also delive

[PATCH nf-next 5/6] netfilter: conntrack: resched gc again if eviction rate is high

2016-08-19 Thread Florian Westphal
If we evicted a large fraction of the scanned conntrack entries re-schedule the next gc cycle for immediate execution. This triggers during tests where load is high, then drops to zero and many connections will be in TW/CLOSE state with < 30 second timeouts. Without this change it will take sever
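
The scheme described in the 2/6, 4/6 and 5/6 messages above (a 32-bit absolute expiry tick instead of a per-object timer, stale entries evicted during lookup before the key is compared, and a gc worker that scans only a slice of the buckets per run and reschedules itself immediately when most of what it saw was stale) is modelled below as a stand-alone userspace C program. This is an added example, not the kernel's code: the table size, the slice of 8 buckets per run, the "more than half of the scanned entries expired" threshold, the simulated tick counter and the single-threaded table (no RCU, no bucket locks, no SLAB_DESTROY_BY_RCU reuse handling) are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 64            /* table size, chosen for the example */
#define GC_BUCKETS_PER_RUN 8   /* assumed: scan 1/8th of the table per gc run */
#define GC_INTERVAL_TICKS 5    /* mirrors the "once every 5 seconds" gc period */

struct entry {
    struct entry *next;
    uint32_t key;
    uint32_t timeout;          /* absolute expiry tick; 32-bit and wraps */
};

struct table {
    struct entry *bucket[NBUCKETS];
    unsigned int next_gc_bucket; /* where the next gc slice starts */
    unsigned int count;
};

static uint32_t now_tick;      /* simulated jiffies counter (assumption) */

void set_now(uint32_t tick) { now_tick = tick; }

/* jiffies-style wraparound-safe comparison: true if a is at or after b */
static bool time_after_eq(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) >= 0;
}

static bool entry_expired(const struct entry *e)
{
    return time_after_eq(now_tick, e->timeout);
}

static unsigned int bucket_of(uint32_t key)
{
    return (key * 2654435761u) % NBUCKETS;  /* toy multiplicative hash */
}

void table_init(struct table *t) { memset(t, 0, sizeof(*t)); }

/* Unlink and free *pp; *pp then points at the next chain element. */
static void evict(struct table *t, struct entry **pp)
{
    struct entry *e = *pp;
    *pp = e->next;
    free(e);
    t->count--;
}

bool table_insert(struct table *t, uint32_t key, uint32_t ttl)
{
    struct entry *e = malloc(sizeof(*e));
    if (!e)
        return false;
    e->key = key;
    e->timeout = now_tick + ttl;   /* wraps like a 32-bit jiffies value */
    unsigned int b = bucket_of(key);
    e->next = t->bucket[b];
    t->bucket[b] = e;
    t->count++;
    return true;
}

/* Lookup with lazy expiry: each entry on the chain has its timeout checked
 * before its key is compared, and stale entries are evicted on the way. */
struct entry *table_lookup(struct table *t, uint32_t key)
{
    struct entry **pp = &t->bucket[bucket_of(key)];
    while (*pp) {
        if (entry_expired(*pp)) {
            evict(t, pp);          /* *pp now points at the next entry */
            continue;
        }
        if ((*pp)->key == key)
            return *pp;
        pp = &(*pp)->next;
    }
    return NULL;
}

/* One gc run: scan GC_BUCKETS_PER_RUN buckets, evict expired entries and
 * return how many were evicted; *next_delay says when to run again. */
unsigned int table_gc_step(struct table *t, unsigned int *next_delay)
{
    unsigned int scanned = 0, evicted = 0;
    for (unsigned int i = 0; i < GC_BUCKETS_PER_RUN; i++) {
        unsigned int b = t->next_gc_bucket;
        t->next_gc_bucket = (b + 1) % NBUCKETS;
        struct entry **pp = &t->bucket[b];
        while (*pp) {
            scanned++;
            if (entry_expired(*pp)) {
                evict(t, pp);
                evicted++;
            } else {
                pp = &(*pp)->next;
            }
        }
    }
    /* Assumed heuristic: if more than half of the scanned entries were
     * stale, the rest of the table probably is too, so rerun at once. */
    *next_delay = (scanned && evicted * 2 > scanned) ? 0 : GC_INTERVAL_TICKS;
    return evicted;
}

unsigned int table_count(const struct table *t) { return t->count; }
```

The wraparound-safe comparison is the detail to get right when a timer is replaced by a stored tick: a plain `now >= timeout` would report every entry as expired for half of the counter's range after the tick wraps, whereas the signed difference keeps working as long as timeouts are shorter than 2^31 ticks. The immediate reschedule only fires on evidence from the current slice, so a mostly-live table still pays the cost of one slice per interval.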

[PATCH nf-next 0/6] conntrack: get rid of per-object timer

2016-08-19 Thread Florian Westphal
During NFWS 2016 it was mentioned that per-conntrack timers have two drawbacks: - the 5-day default established timeout is very large and brings extra constraints for the timer subsystem. - most distros enable timer stats so timer struct eats 80 bytes in each conntrack object. This series

[PATCH nf-next 6/6] netfilter: remove __nf_ct_kill_acct helper

2016-08-19 Thread Florian Westphal
After timer removal this just calls nf_ct_delete so remove the __ prefix version and make nf_ct_kill a shorthand for nf_ct_delete. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack.h | 13 +++-- net/netfilter/nf_conntrack_core.c| 12 +--- 2 files changed,

Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-19 Thread Eric Dumazet
On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote: > With stats enabled this eats 80 bytes on x86_64 per nf_conn entry. > > Remove it and use a 32bit jiffies value containing timestamp until > entry is valid. Great work ! ... > +/* caller must hold rcu readlock and none of the nf_conntr

Re: [PATCH nf-next 4/6] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-19 Thread Eric Dumazet
On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote: > Conntrack gc worker to evict stale entries. ... > + > + hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) { > + tmp = nf_ct_tuplehash_to_ctrack(h); > + > + if (nf_ct_is_expired

[PATCH 1/1] netfilter: gre: Use the consistent GRE and PPTP struct instead of the structures defined in netfilter

2016-08-19 Thread fgao
From: Gao Feng There are two structures which define the GRE header and PPTP header. So it is unnecessary to define duplicated structures in netfilter again. Signed-off-by: Gao Feng --- v1: Initial patch include/linux/netfilter/nf_conntrack_proto_gre.h | 63 +--- include/

Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-19 Thread Florian Westphal
Eric Dumazet wrote: > > +/* caller must hold rcu readlock and none of the nf_conntrack_locks */ > > +static void nf_ct_gc_expired(struct nf_conn *ct) > > +{ > > + if (!atomic_inc_not_zero(&ct->ct_general.use)) > > + return; > > + > > + if (nf_ct_should_gc(ct)) > > + nf_ct_k

Re: [PATCH 1/1] netfilter: gre: Use the consistent GRE and PPTP struct instead of the structures defined in netfilter

2016-08-19 Thread Feng Gao
My email server reports the last same patch email failed to send. So I just sent it again. I am sorry, if anyone receives duplicated ones. Regards Feng On Fri, Aug 19, 2016 at 11:01 PM, wrote: > From: Gao Feng > > There are two structures which define the GRE header and PPTP > header. So it i

Re: [PATCH nf-next 4/6] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-19 Thread Florian Westphal
Eric Dumazet wrote: > On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote: > > Conntrack gc worker to evict stale entries. > > ... > > > + > > + hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) { > > + tmp = nf_ct_tuplehash_to_ctrack(h); > > + > > +

Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-19 Thread Eric Dumazet
On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote: > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock, > in case object is free'd SLAB_DESTROY_BY_RCU should delay actual release > of the page. Well, point is that SLAB_DESTROY_BY_RCU means that we have no grace period, and obj

Re: [PATCH nf-next 2/6] netfilter: conntrack: get rid of conntrack timer

2016-08-19 Thread Florian Westphal
Eric Dumazet wrote: > On Fri, 2016-08-19 at 17:16 +0200, Florian Westphal wrote: > > > Hmm, nf_conntrack_find caller needs to hold rcu_read_lock, > > in case object is free'd SLAB_DESTROY_BY_RCU should delay actual release > > of the page. > > Well, point is that SLAB_DESTROY_BY_RCU means th