From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/2] netfilter: nf_conntrack: improve nf_conn object traceability
Date: Mon, 3 Dec 2012 15:17:22 +0100 [thread overview]
Message-ID: <20121203141722.GC11627@breakpoint.cc> (raw)
In-Reply-To: <20121203132853.GA985@1984>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > i.o.w., conntrack objects that were in hash table are now always moved
> > > to the dying list. Shouldn't nf_ct_release_dying_list() be adjusted,
> > > too? It still seems to assume that the dying list only contains
> > > alive conntack objects whose events have not been delivered yet.
> >
> > I see, you mean that nf_ct_release_dying_list should delete objects
> > from the dying list. Yes, I'll fix that. Thanks for the spot.
>
> destroy_conntrack will delete the object from the dying list, so I
> think the code is fine.
>
> Am I missing anything?
Nope, you're right.
I was wondering what happens when nf_ct_release_dying_list()
nf_ct_kill()s entries which are currently going through destroy_conntrack()
on another cpu (i was concerned that we're putting an entry that
already has 0-refcnt). However, since nf_ct_kill calls del_timer,
it should just return without doing anything for those conntracks.
I think nf_ct_release_dying_list can be removed:
1 For those entries that are about to go through destroy_conntrack()
nothing happens (since ct->timeout is no longer pending)
2. For those entries that are waiting for event-redelivery,
nothing happens either :-) [ for the same reason -- ct->timeout
is not pending anymore ].
Those objects that sit on the dying list because they wait for event
re-delivery, will expire normally via ecache->timeout:
nf_conntrack_cleanup_net() will schedule() until all ecache->timeout
timers have fired. This shouldn't take too long, and no re-arming
of the ecache timer will happen since no listeners exist at that point.
Does that sound right, or am I missing anything?
Cheers,
Florian
next prev parent reply other threads:[~2012-12-03 14:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-29 13:51 [PATCH 0/2] improve conntrack object traceability pablo
2012-11-29 13:51 ` [PATCH 1/2] netfilter: nf_conntrack: improve nf_conn " pablo
2012-12-03 11:06 ` Florian Westphal
2012-12-03 12:50 ` Pablo Neira Ayuso
2012-12-03 13:28 ` Pablo Neira Ayuso
2012-12-03 14:17 ` Florian Westphal [this message]
2012-12-03 14:33 ` Pablo Neira Ayuso
2012-11-29 13:51 ` [PATCH 2/2] netfilter: ctnetlink: dump entries from the dying and unconfirmed lists pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121203141722.GC11627@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.