Re: [PATCH nf 2/2] netfilter: nf_conncount: fix list_del corruption in conn_free

ter input meter test { ip id ct count over 2 } counter > > [ ... ] > > Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, > and RCU for init tree search") > Signed-off-by: Taehee Yoo > --- LGTM. Acked-by: Yi-Hung Wei

Re: [PATCH nf 1/2] netfilter: nf_conncount: use spin_lock_bh instead of spin_lock

t over 2 } \ >counter > > Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, > and RCU for init tree search") > Signed-off-by: Taehee Yoo Thanks for the fix. Acked-by: Yi-Hung Wei

[PATCH nf-next 3/6] netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup

(). Moreover, we expose the garbage collection function nf_conncount_gc_list() for nft_connlimit. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_count.h | 11 + net/netfilter/nf_conncount.c | 38

[PATCH nf-next 6/6] netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search

. This worker is schedule when there are excessive tree node that needed to be recycled. Moreover,the rbnode reclaim logic is moved from search tree to insert tree to avoid race condition. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_count.h | 17

[PATCH nf-next 1/6] netfilter: nf_conncount: Early exit for garbage collection

This patch is originally from Florian Westphal. We use an extra function with early exit for garbage collection. It is not necessary to traverse the full list for every node since it is enough to zap a couple of entries for garbage collection. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian

[PATCH nf-next 2/6] netfilter: nf_conncount: Switch to plain list

and those are expired, while the newly creates ones are at the end. Later on, we could probably move checked ones to the end of the list, so the next run has higher chance to reclaim stale entries in the front. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- include/net/netfilter

[PATCH nf-next 0/6] netfilter: nf_conncount: optimize nf_conncount performance

Merge patch 7 and patch 6 to one commit to avoid a race condition. Yi-Hung Wei (6): netfilter: nf_conncount: Early exit for garbage collection netfilter: nf_conncount: Switch to plain list netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup netfilter: nf_conncount:

[PATCH nf-next 5/6] netfilter: nf_conncount: Split insert and traversal

. Later on, we can make traversal lockless (tree protected by RCU), and add extra lock in the individual nodes to protect list insertion/deletion, thereby allowing parallel insert/delete in different tree nodes. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- net/netfilter

[PATCH nf-next 4/6] netfilter: nf_conncount: Move locking into count_tree()

This patch is originally from Florian Westphal. This is a preparation patch to allow lockless traversal of the tree via RCU. Signed-off-by: Yi-Hung Wei Signed-off-by: Florian Westphal --- net/netfilter/nf_conncount.c | 52 +--- 1 file changed, 25

Re: [RFC nf-next 0/7] netfilter: nf_conncount: optimize nf_conncount performance

On Mon, Jul 2, 2018 at 9:49 AM, Florian Westphal wrote: > Yi-Hung Wei wrote: >> This patch series apply the following techniques to optimize nf_conncount >> performance. > > Looks good to me, thanks Yi-Hung for working on this. > > Maybe just avoid the race in patch 6

Re: [PATCH nf v2] netfilter: nf_conncount: fix garbage collection confirm race

On Wed, Jun 20, 2018 at 2:32 PM, Florian Westphal wrote: Thanks for v2. It takes care of a corner case so that a duplicated entry won't be re-added in the second time. Just some nits in the commit message as below. Acked-by: Yi-Hung Wei > When doing list walk, we lookup the tu

[RFC nf-next 0/7] netfilter: nf_conncount: optimize nf_conncount performance

the number of nodes that can be freed exceeds a threshold. This patch series has dependency on the following commmit in nf git tree. 21ba8847 ("netfilter: nf_conncount: Fix garbage collection with zones") Yi-Hung Wei (7): netfilter: nf_conncount: Early exit for garbage collection

[RFC nf-next 1/7] netfilter: nf_conncount: Early exit for garbage collection

From: Florian Westphal We use an extra function with early exit for garbage collection. It is not necessary to traverse the full list for every node since it is enough to zap a couple of entries for garbage collection. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- net

[RFC nf-next 6/7] netfilter: nf_conncount: Add list lock and use RCU for init tree search

. This patch also use RCU for the initial tree search. We also update nft_connlimit accordingly since we longer need to maintain a list lock in nft_connlimit now. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- include/net/netfilter/nf_conntrack_count.h | 3 +- net/netfilter

[RFC nf-next 5/7] netfilter: nf_conncount: Split insert and traversal

traversal lockless (tree protected by RCU), and add extra lock in the individual nodes to protect list insertion/deletion, thereby allowing parallel insert/delete in different tree nodes. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- net/netfilter/nf_conncount.c | 87

[RFC nf-next 2/7] netfilter: nf_conncount: Switch to plain list

are expired, while the newly creates ones are at the end. Later on, we could probably move checked ones to the end of the list, so the next run has higher chance to reclaim stale entries in the front. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- include/net/netfilter

[RFC nf-next 7/7] netfilter: nf_conncount: Add garbage collection worker

From: Florian Westphal Add garbage collection worker. Move the rbnode reclaim logic from search tree to insert tree to avoid race condition. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- include/net/netfilter/nf_conntrack_count.h | 14 ++- net/netfilter/nf_conncount.c

[RFC nf-next 4/7] netfilter: nf_conncount: Move locking into count_tree()

From: Florian Westphal This is a preparation patch to allow lockless traversal of the tree via RCU. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- net/netfilter/nf_conncount.c | 52 +--- 1 file changed, 25 insertions(+), 27 deletions

[RFC nf-next 3/7] netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup

the garbage collection function nf_conncount_gc_list() for nft_connlimit. Signed-off-by: Florian Westphal Signed-off-by: Yi-Hung Wei --- include/net/netfilter/nf_conntrack_count.h | 11 ++ net/netfilter/nf_conncount.c | 34 ++ net/netfilter

[PATCH nf] netfilter: Fix nf_conncount garbage collection

Currently, we use check_hlist() for garbage colleciton. However, we use the ‘zone’ from the counted entry to query the existence of existing entries in the hlist. This could be wrong when they are in different zones, and this patch fixes this issue. Signed-off-by: Yi-Hung Wei --- This fix

[PATCH nf-next v2 1/2] netfilter: Refactor nf_conncount

Remove parameter 'family' in nf_conncount_count() and count_tree(). It is because the parameter is not useful after commit 625c556118f3 ("netfilter: connlimit: split xt_connlimit into front and backend"). Signed-off-by: Yi-Hung Wei <yihung@gmail.com> --- inclu

[PATCH nf-next v2 2/2] nf_conncount: Support count only use case

changes are made on nf_conncount_count() to support the case where 'tuple' is NULL. This could be useful for querying statistics or debugging purpose. Signed-off-by: Yi-Hung Wei <yihung@gmail.com> --- net/netfilter/nf_conncount.c | 10 -- 1 file changed, 8 insertions(+), 2 del

Re: [PATCH nf-next 2/2] nf_conncount: Support count only use case

On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <f...@strlen.de> wrote: > Yi-Hung Wei <yihung@gmail.com> wrote: >> Currently, nf_conncount_count() counts the number of connections that >> matches key and inserts a conntrack 'tuple' associated with the key

Re: [PATCH nf-next 1/2] netfilter: nf_conncount: Refactor nf_conncount

On Thu, Mar 1, 2018 at 12:07 AM, Florian Westphal wrote: >> 2. Move nf_ct_netns_get/put() to the user of nf_conncount. >> Since nf_conncount now supports general keys, if the key is not related >> to a particular NFPROTO_*, then it is not necessary to do >> nf_ct_netns_get/put()

[PATCH nf-next 2/2] nf_conncount: Support count only use case

a 'tuple'. Therefore, proper changes are made on nf_conncount_count() to support the case where 'tuple' is NULL. Signed-off-by: Yi-Hung Wei <yihung@gmail.com> --- net/netfilter/nf_conncount.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/net

[PATCH nf-next 1/2] netfilter: nf_conncount: Refactor nf_conncount

eful after that commit. 2. Move nf_ct_netns_get/put() to the user of nf_conncount. Since nf_conncount now supports general keys, if the key is not related to a particular NFPROTO_*, then it is not necessary to do nf_ct_netns_get/put() in nf_conncount. Signed-off-by: Yi-Hung Wei <yihung.

Re: [PATCH v5 nf-next] netfilter: connlimit: split xt_connlimit into front and backend

key, including > concatenations. > > For xt_connlimit, pass in the zone and the ip/ipv6 address. > > With help from Yi-Hung Wei. > > Signed-off-by: Florian Westphal <f...@strlen.de> > --- Thanks for working on this again. It looks good to me. Acked-by: Yi-Hung Wei <yihung@g

Re: [PATCH v4 nf-next] netfilter: connlimit: split xt_connlimit into front and backend

On Fri, Dec 8, 2017 at 3:15 AM, Florian Westphal wrote: > --- /dev/null > +++ b/include/net/netfilter/nf_conntrack_count.h > @@ -0,0 +1,17 @@ > +#ifdef _NF_CONNTRACK_COUNT_H #ifndef? Looks like a typo in v4. > diff --git a/net/netfilter/xt_connlimit.c

Re: [PATCH v3 nf-next] netfilter: connlimit: split xt_connlimit into front/backend

On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote: > +static int __init nf_conncount_modinit(void) > +{ > + int ret, i; > + > + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS); > + BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0); > + > +

Re: [PATCH nf-next v2] netfilter: connlimit: split xt_connlimit into front/backend

Thanks for working on this patch. > --- /dev/null > +++ b/include/net/netfilter/nf_conntrack_count.h > @@ -0,0 +1,13 @@ Should it have something like the following in the header file? #ifdef _NF_CONNTRACK_COUNT_H #define _NF_CONNTRACK_COUNT_H > +struct nf_conncount_data; > + > +struct

Re: [RFC] connlimit for nftables and limiting ct count by zone

> I think we could possible use maps to fetch values based on a key, e.g. > > nft add map filter zonelimits { type typeof(ct zone) : typeof(ct count); > flags interval\;} > nft add element filter zonelimits { 1-100 : 5 } > nft add element filter zonelimits { 101 : 6 } > > nft add rule

Re: [RFC] connlimit for nftables and limiting ct count by zone

On Mon, Oct 16, 2017 at 7:42 AM, Florian Westphal wrote: > During NFWS we briefly discussed iptables '-m connlimit' and how > to apply this to nftables. > > There is also a use case to make nf_conntrack_max more fine-grained > by making this setting apply per conntrack zone. > >