Re: [PATCH] remove exessive timer updates (3/4)

[Martin Josefsson <gandalf@wlug.westbo.se>]

[-- Attachment #1: Type: text/plain, Size: 1376 bytes --]

On Wed, 2002-06-12 at 11:10, Martin Josefsson wrote:
> On Wed, 2002-06-12 at 00:21, Henrik Nordstrom wrote:
>
> > Haven't looked at the patch, but one thing to look out for is to make 
> > sure timer transitions is not lost.
> > 
> > Unlike atime updates, conntrack timers vary in length depending on the 
> > state. It would not be fun if a TIME_WAIT state got a timeout of 
> > ESTABLISHED only because the transition was too quick to be noticed 
> > by the timer update filter..
> 
> Yes I thought about it yesterday and I'll send Harald a new patch which
> will allow us to force an update.

Here's that patch, it's against current cvs. (the patch is a little
messy because ip_ct_death_by_timeout isn't separated from ip_ct_refresh
in the patch anymore)

It adds a new parameter to ip_ct_refresh called force, if set to
non-zero a timer update will be forced.

I hope the tcp-change is correct, I havn't tested this patch yet but it
does compile :) I'm going to test it in a few minutes.

ip_ct_refresh(conntrack, tcp_timeouts[newconntrack], newconntrack !=
oldtcpstate);

so if the state changes we force a timer update, otherwise we only
update if there's been >HZ jiffies since the last update.

Harald, does the tcp change in the patch look like it could work?

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.

[-- Attachment #2: ip_ct_refresh_optimization.patch-diff-2 --]
[-- Type: text/plain, Size: 10785 bytes --]

--- netfilter/userspace/patch-o-matic/optimizations/ip_ct_refresh_optimization.patch.orig	Tue Jun 11 10:02:57 2002
+++ netfilter/userspace/patch-o-matic/optimizations/ip_ct_refresh_optimization.patch	Wed Jun 12 20:45:29 2002
@@ -1,17 +1,20 @@
---- linux-2.4.19-pre9/include/linux/netfilter_ipv4/ip_conntrack.h.orig	Mon Jun  3 21:46:59 2002
-+++ linux-2.4.19-pre9/include/linux/netfilter_ipv4/ip_conntrack.h	Mon Jun  3 21:46:37 2002
-@@ -226,6 +226,9 @@
- extern void ip_ct_refresh(struct ip_conntrack *ct,
- 			  unsigned long extra_jiffies);
+--- linux-2.4.19-pre10/include/linux/netfilter_ipv4/ip_conntrack.h.orig	Wed Jun 12 20:25:54 2002
++++ linux-2.4.19-pre10/include/linux/netfilter_ipv4/ip_conntrack.h	Wed Jun 12 20:26:20 2002
+@@ -224,7 +224,10 @@
  
-+/* Kill conntrack */
-+extern void ip_ct_death_by_timeout(unsigned long ul_conntrack);
+ /* Refresh conntrack for this many jiffies */
+ extern void ip_ct_refresh(struct ip_conntrack *ct,
+-			  unsigned long extra_jiffies);
++			  unsigned long extra_jiffies, int force);
 +
++/* Kill conntrack */   
++extern void ip_ct_death_by_timeout(unsigned long ul_conntrack);
+ 
  /* These are for NAT.  Icky. */
  /* Call me when a conntrack is destroyed. */
- extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
---- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c.orig	Mon Jun  3 20:32:28 2002
-+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c	Tue Jun  4 20:56:18 2002
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_core.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_core.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_core.c	Wed Jun 12 20:22:08 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_core.c	Wed Jun 12 20:36:23 2002
 @@ -267,7 +267,7 @@
  	atomic_dec(&ip_conntrack_count);
  }
@@ -21,7 +24,7 @@
  {
  	struct ip_conntrack *ct = (void *)ul_conntrack;
  
-@@ -527,7 +527,7 @@
+@@ -528,7 +528,7 @@
  		return dropped;
  
  	if (del_timer(&h->ctrack->timeout)) {
@@ -30,7 +33,7 @@
  		dropped = 1;
  	}
  	ip_conntrack_put(h->ctrack);
-@@ -617,7 +617,7 @@
+@@ -618,7 +618,7 @@
  	/* Don't set timer yet: wait for confirmation */
  	init_timer(&conntrack->timeout);
  	conntrack->timeout.data = (unsigned long)conntrack;
@@ -39,7 +42,29 @@
  
  	INIT_LIST_HEAD(&conntrack->sibling_list);
  
-@@ -1198,7 +1189,7 @@
+@@ -1072,7 +1072,7 @@
+ }
+ 
+ /* Refresh conntrack for this many jiffies. */
+-void ip_ct_refresh(struct ip_conntrack *ct, unsigned long extra_jiffies)
++void ip_ct_refresh(struct ip_conntrack *ct, unsigned long extra_jiffies, int force)
+ {
+ 	IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
+ 
+@@ -1081,8 +1081,10 @@
+ 	if (!is_confirmed(ct))
+ 		ct->timeout.expires = extra_jiffies;
+ 	else {
+-		/* Need del_timer for race avoidance (may already be dying). */
+-		if (del_timer(&ct->timeout)) {
++		/* Don't update timer for each packet, only if it's been >HZ
++		 * ticks since last update or we are forcing.
++		 * Need del_timer for race avoidance (may already be dying). */
++		if ((force || time_after(jiffies, ct->timeout.expires - extra_jiffies + HZ)) && del_timer(&ct->timeout)) {
+ 			ct->timeout.expires = jiffies + extra_jiffies;
+ 			add_timer(&ct->timeout);
+ 		}
+@@ -1188,7 +1190,7 @@
  	while ((h = get_next_corpse(kill, data)) != NULL) {
  		/* Time to push up daises... */
  		if (del_timer(&h->ctrack->timeout))
@@ -48,8 +73,9 @@
  		/* ... else the timer will get him soon. */
  
  		ip_conntrack_put(h->ctrack);
---- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_standalone.c.orig	Mon Jun  3 21:43:04 2002
-+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_standalone.c	Mon Jun  3 21:47:43 2002
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_standalone.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_standalone.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_standalone.c	Wed Jun 12 20:22:08 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_standalone.c	Mon Jun  3 21:47:43 2002
 @@ -362,6 +362,7 @@
  EXPORT_SYMBOL(ip_conntrack_helper_unregister);
  EXPORT_SYMBOL(ip_ct_selective_cleanup);
@@ -58,45 +84,92 @@
  EXPORT_SYMBOL(ip_ct_find_proto);
  EXPORT_SYMBOL(ip_ct_find_helper);
  EXPORT_SYMBOL(ip_conntrack_expect_related);
---- linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c.orig	Mon Jun  3 20:32:28 2002
-+++ linux-2.4.19-pre9/net/ipv4/netfilter/ip_conntrack_core.c	Mon Jun  3 20:48:13 2002
-@@ -1091,8 +1091,10 @@
- 	if (!is_confirmed(ct))
- 		ct->timeout.expires = extra_jiffies;
- 	else {
--		/* Need del_timer for race avoidance (may already be dying). */
--		if (del_timer(&ct->timeout)) {
-+		/* Don't update timer for each packet, only if it's been >HZ
-+		 * ticks since last update.
-+		 * Need del_timer for race avoidance (may already be dying). */
-+		if (time_after(jiffies, ct->timeout.expires - extra_jiffies + HZ) && del_timer(&ct->timeout)) {
- 			ct->timeout.expires = jiffies + extra_jiffies;
- 			add_timer(&ct->timeout);
- 		}
---- netfilter/userspace/patch-o-matic/extra/pptp-conntrack-nat.patch.orig	Thu Jun  6 14:03:35 2002
-+++ netfilter/userspace/patch-o-matic/extra/pptp-conntrack-nat.patch	Thu Jun  6 14:05:17 2002
-@@ -572,7 +572,7 @@
- diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*~' linux-2.4.18-newnat/net/ipv4/netfilter/ip_conntrack_pptp.c linux-2.4.18-pptp3.01//net/ipv4/netfilter/ip_conntrack_pptp.c
- --- linux-2.4.18-newnat/net/ipv4/netfilter/ip_conntrack_pptp.c	Thu Jan  1 01:00:00 1970
- +++ linux-2.4.18-pptp3.01//net/ipv4/netfilter/ip_conntrack_pptp.c	Mon Apr  8 16:40:37 2002
--@@ -0,0 +1,540 @@
-+@@ -0,0 +1,542 @@
- +/*
- + * ip_conntrack_pptp.c	- Version $Revision: 1.1 $
- + *
-@@ -682,11 +682,13 @@
- +		if (!exp->sibling)
- +			continue;
- +
--+		DEBUGP("setting timeout of conntrack %p to 0\n",
-++		DEBUGP("killing conntrack %p\n",
- +			exp->sibling);
- +		exp->sibling->proto.gre.timeout = 0;
- +		exp->sibling->proto.gre.stream_timeout = 0;
--+		ip_ct_refresh(exp->sibling, 0);
-++
-++		if (del_timer(&exp->sibling->timeout))
-++			ip_ct_death_by_timeout((unsigned long)exp->sibling);
- +	}
- +
- +	return 0;
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_pptp.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_pptp.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_pptp.c	Wed Jun 12 20:23:10 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_pptp.c	Mon Jun  3 21:48:38 2002
+@@ -107,11 +107,13 @@
+ 		if (!exp->sibling)
+ 			continue;
+ 
+-		DEBUGP("setting timeout of conntrack %p to 0\n",
++		DEBUGP("killing conntrack %p\n",
+ 			exp->sibling);
+ 		exp->sibling->proto.gre.timeout = 0;
+ 		exp->sibling->proto.gre.stream_timeout = 0;
+-		ip_ct_refresh(exp->sibling, 0);
++
++		if (del_timer(&exp->sibling->timeout))
++			ip_ct_death_by_timeout((unsigned long)exp->sibling);
+ 	}
+ 
+ 	return 0;
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_generic.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_generic.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_generic.c	Sat Apr 13 19:08:16 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_generic.c	Wed Jun 12 20:32:55 2002
+@@ -43,7 +43,7 @@
+ 		       struct iphdr *iph, size_t len,
+ 		       enum ip_conntrack_info conntrackinfo)
+ {
+-	ip_ct_refresh(conntrack, GENERIC_TIMEOUT);
++	ip_ct_refresh(conntrack, GENERIC_TIMEOUT, 0);
+ 	return NF_ACCEPT;
+ }
+ 
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_gre.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_gre.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_gre.c	Sat May 18 23:14:38 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_gre.c	Wed Jun 12 20:33:18 2002
+@@ -232,11 +232,11 @@
+ 	/* If we've seen traffic both ways, this is a GRE connection.
+ 	 * Extend timeout. */
+ 	if (ct->status & IPS_SEEN_REPLY) {
+-		ip_ct_refresh(ct, ct->proto.gre.stream_timeout);
++		ip_ct_refresh(ct, ct->proto.gre.stream_timeout, 0);
+ 		/* Also, more likely to be important, and not a probe. */
+ 		set_bit(IPS_ASSURED_BIT, &ct->status);
+ 	} else
+-		ip_ct_refresh(ct, ct->proto.gre.timeout);
++		ip_ct_refresh(ct, ct->proto.gre.timeout, 0);
+ 	
+ 	return NF_ACCEPT;
+ }
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_icmp.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_icmp.c	Sat Apr 13 19:08:16 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_icmp.c	Wed Jun 12 20:33:34 2002
+@@ -82,7 +82,7 @@
+ 			ct->timeout.function((unsigned long)ct);
+ 	} else {
+ 		atomic_inc(&ct->proto.icmp.count);
+-		ip_ct_refresh(ct, ICMP_TIMEOUT);
++		ip_ct_refresh(ct, ICMP_TIMEOUT, 0);
+ 	}
+ 
+ 	return NF_ACCEPT;
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_tcp.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_tcp.c	Wed May 22 14:55:14 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	Wed Jun 12 20:32:39 2002
+@@ -229,7 +229,7 @@
+ 		    && tcph->ack_seq == conntrack->proto.tcp.handshake_ack)
+ 			set_bit(IPS_ASSURED_BIT, &conntrack->status);
+ 
+-		ip_ct_refresh(conntrack, tcp_timeouts[newconntrack]);
++		ip_ct_refresh(conntrack, tcp_timeouts[newconntrack], newconntrack != oldtcpstate);
+ 	}
+ 
+ 	return NF_ACCEPT;
+diff --exclude=*.orig -ur linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_udp.c linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+--- linux-2.4.19-pre10/net/ipv4/netfilter.orig/ip_conntrack_proto_udp.c	Sat Apr 13 19:08:16 2002
++++ linux-2.4.19-pre10/net/ipv4/netfilter/ip_conntrack_proto_udp.c	Wed Jun 12 20:34:39 2002
+@@ -52,11 +52,11 @@
+ 	/* If we've seen traffic both ways, this is some kind of UDP
+ 	   stream.  Extend timeout. */
+ 	if (conntrack->status & IPS_SEEN_REPLY) {
+-		ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
++		ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT, 0);
+ 		/* Also, more likely to be important, and not a probe */
+ 		set_bit(IPS_ASSURED_BIT, &conntrack->status);
+ 	} else
+-		ip_ct_refresh(conntrack, UDP_TIMEOUT);
++		ip_ct_refresh(conntrack, UDP_TIMEOUT, 0);
+ 
+ 	return NF_ACCEPT;
+ }