ter input meter test { ip id ct count over 2 } counter
>
> [ ... ]
>
> Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker,
> and RCU for init tree search")
> Signed-off-by: Taehee Yoo
> ---
LGTM.
Acked-by: Yi-Hung Wei
t over 2 } \
>counter
>
> Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker,
> and RCU for init tree search")
> Signed-off-by: Taehee Yoo
Thanks for the fix.
Acked-by: Yi-Hung Wei
().
Moreover, we expose the garbage collection function nf_conncount_gc_list()
for nft_connlimit.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_count.h | 11 +
net/netfilter/nf_conncount.c | 38
. This worker is scheduled when there
are excessive tree nodes that need to be recycled.
Moreover, the rbnode reclaim logic is moved from search tree to insert tree
to avoid a race condition.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_count.h | 17
This patch is originally from Florian Westphal.
We use an extra function with early exit for garbage collection.
It is not necessary to traverse the full list for every node since
it is enough to zap a couple of entries for garbage collection.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian
and those are
expired, while the newly created ones are at the end.
Later on, we could probably move checked ones to the end of the list,
so the next run has higher chance to reclaim stale entries in the front.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
include/net/netfilter
Merge patch 7 and patch 6 to one commit to avoid a race condition.
Yi-Hung Wei (6):
netfilter: nf_conncount: Early exit for garbage collection
netfilter: nf_conncount: Switch to plain list
netfilter: nf_conncount: Early exit in nf_conncount_lookup() and
cleanup
netfilter: nf_conncount:
.
Later on, we can make traversal lockless (tree protected
by RCU), and add extra lock in the individual nodes to protect list
insertion/deletion, thereby allowing parallel insert/delete in different
tree nodes.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
net/netfilter
This patch is originally from Florian Westphal.
This is a preparation patch to allow lockless traversal
of the tree via RCU.
Signed-off-by: Yi-Hung Wei
Signed-off-by: Florian Westphal
---
net/netfilter/nf_conncount.c | 52 +---
1 file changed, 25
On Mon, Jul 2, 2018 at 9:49 AM, Florian Westphal wrote:
> Yi-Hung Wei wrote:
>> This patch series applies the following techniques to optimize nf_conncount
>> performance.
>
> Looks good to me, thanks Yi-Hung for working on this.
>
> Maybe just avoid the race in patch 6
On Wed, Jun 20, 2018 at 2:32 PM, Florian Westphal wrote:
Thanks for v2. It takes care of a corner case so that a duplicated
entry won't be re-added the second time.
Just some nits in the commit message as below.
Acked-by: Yi-Hung Wei
> When doing list walk, we lookup the tu
the number of
nodes that can be freed exceeds a threshold.
This patch series has a dependency on the following commit in the nf git tree.
21ba8847 ("netfilter: nf_conncount: Fix garbage collection with zones")
Yi-Hung Wei (7):
netfilter: nf_conncount: Early exit for garbage collection
From: Florian Westphal
We use an extra function with early exit for garbage collection.
It is not necessary to traverse the full list for every node since
it is enough to zap a couple of entries for garbage collection.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
net
.
This patch also use RCU for the initial tree search.
We also update nft_connlimit accordingly since we no longer need to maintain
a list lock in nft_connlimit now.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
include/net/netfilter/nf_conntrack_count.h | 3 +-
net/netfilter
traversal lockless (tree protected
by RCU), and add extra lock in the individual nodes to protect list
insertion/deletion, thereby allowing parallel insert/delete in different
tree nodes.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
net/netfilter/nf_conncount.c | 87
are
expired, while the newly created ones are at the end.
Later on, we could probably move checked ones to the end of the list,
so the next run has higher chance to reclaim stale entries in the front.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
include/net/netfilter
From: Florian Westphal
Add garbage collection worker.
Move the rbnode reclaim logic from search tree to insert tree
to avoid a race condition.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
include/net/netfilter/nf_conntrack_count.h | 14 ++-
net/netfilter/nf_conncount.c
From: Florian Westphal
This is a preparation patch to allow lockless traversal
of the tree via RCU.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
net/netfilter/nf_conncount.c | 52 +---
1 file changed, 25 insertions(+), 27 deletions
the garbage collection function nf_conncount_gc_list()
for nft_connlimit.
Signed-off-by: Florian Westphal
Signed-off-by: Yi-Hung Wei
---
include/net/netfilter/nf_conntrack_count.h | 11 ++
net/netfilter/nf_conncount.c | 34 ++
net/netfilter
Currently, we use check_hlist() for garbage collection. However, we
use the 'zone' from the counted entry to query the existence of
existing entries in the hlist. This could be wrong when they are in
different zones, and this patch fixes this issue.
Signed-off-by: Yi-Hung Wei
---
This fix
Remove parameter 'family' in nf_conncount_count() and count_tree().
It is because the parameter is not useful after commit 625c556118f3
("netfilter: connlimit: split xt_connlimit into front and backend").
Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
---
inclu
changes are made on nf_conncount_count() to support the case where
'tuple' is NULL. This could be useful for querying statistics or
debugging purpose.
Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
---
net/netfilter/nf_conncount.c | 10 --
1 file changed, 8 insertions(+), 2 del
On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <f...@strlen.de> wrote:
> Yi-Hung Wei <yihung@gmail.com> wrote:
>> Currently, nf_conncount_count() counts the number of connections that
>> match key and inserts a conntrack 'tuple' associated with the key
On Thu, Mar 1, 2018 at 12:07 AM, Florian Westphal wrote:
>> 2. Move nf_ct_netns_get/put() to the user of nf_conncount.
>> Since nf_conncount now supports general keys, if the key is not related
>> to a particular NFPROTO_*, then it is not necessary to do
>> nf_ct_netns_get/put()
a 'tuple'. Therefore, proper changes are made on
nf_conncount_count() to support the case where 'tuple' is NULL.
Signed-off-by: Yi-Hung Wei <yihung@gmail.com>
---
net/netfilter/nf_conncount.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/net
eful after that commit.
2. Move nf_ct_netns_get/put() to the user of nf_conncount.
Since nf_conncount now supports general keys, if the key is not related
to a particular NFPROTO_*, then it is not necessary to do
nf_ct_netns_get/put() in nf_conncount.
Signed-off-by: Yi-Hung Wei <yihung.
key, including
> concatenations.
>
> For xt_connlimit, pass in the zone and the ip/ipv6 address.
>
> With help from Yi-Hung Wei.
>
> Signed-off-by: Florian Westphal <f...@strlen.de>
> ---
Thanks for working on this again. It looks good to me.
Acked-by: Yi-Hung Wei <yihung@g
On Fri, Dec 8, 2017 at 3:15 AM, Florian Westphal wrote:
> --- /dev/null
> +++ b/include/net/netfilter/nf_conntrack_count.h
> @@ -0,0 +1,17 @@
> +#ifdef _NF_CONNTRACK_COUNT_H
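Review bot: the include guard on the first line of the new header should open with `#ifndef _NF_CONNTRACK_COUNT_H` rather than `#ifdef`; as written, the guarded body is skipped the first time the header is included and the declarations never become visible. Suggest `#ifndef _NF_CONNTRACK_COUNT_H` followed by `#define _NF_CONNTRACK_COUNT_H`.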
#ifndef? Looks like a typo in v4.
> diff --git a/net/netfilter/xt_connlimit.c
On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote:
> +static int __init nf_conncount_modinit(void)
> +{
> + int ret, i;
> +
> + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS);
> + BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0);
> +
> +
Thanks for working on this patch.
> --- /dev/null
> +++ b/include/net/netfilter/nf_conntrack_count.h
> @@ -0,0 +1,13 @@
Should it have something like the following in the header file?
#ifdef _NF_CONNTRACK_COUNT_H
#define _NF_CONNTRACK_COUNT_H
> +struct nf_conncount_data;
> +
> +struct
> I think we could possible use maps to fetch values based on a key, e.g.
>
> nft add map filter zonelimits { type typeof(ct zone) : typeof(ct count);
> flags interval\;}
> nft add element filter zonelimits { 1-100 : 5 }
> nft add element filter zonelimits { 101 : 6 }
>
> nft add rule
On Mon, Oct 16, 2017 at 7:42 AM, Florian Westphal wrote:
> During NFWS we briefly discussed iptables '-m connlimit' and how
> to apply this to nftables.
>
> There is also a use case to make nf_conntrack_max more fine-grained
> by making this setting apply per conntrack zone.
>
>