From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf
Date: Tue, 3 May 2016 20:12:50 +0200
Message-ID: <20160503181250.GA4508@salvia>
In-Reply-To: <1461863628-23350-6-git-send-email-fw@strlen.de>

On Thu, Apr 28, 2016 at 07:13:44PM +0200, Florian Westphal wrote:
> The iteration process is lockless, so we test if the conntrack object is
> eligible for printing (e.g. is AF_INET) after obtaining the reference
> count.
> 
> Once we put all conntracks into same hash table we might see more
> entries that need to be skipped.
> 
> So add a helper and first perform the test in a lockless fashion
> for fast skip.
> 
> Once we obtain the reference count, just repeat the check.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  .../netfilter/nf_conntrack_l3proto_ipv4_compat.c   | 24 +++++++++++++++++-----
>  1 file changed, 19 insertions(+), 5 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> index f0dfe92..483cf79 100644
> --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
> @@ -114,6 +114,19 @@ static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
>  }
>  #endif
>  
> +static bool ct_seq_should_skip(const struct nf_conn *ct,
> +			       const struct nf_conntrack_tuple_hash *hash)
> +{
> +	/* we only want to print DIR_ORIGINAL */
> +	if (NF_CT_DIRECTION(hash))
> +		return true;
> +
> +	if (nf_ct_l3num(ct) != AF_INET)
> +		return true;
> +
> +	return false;
> +}
> +
>  static int ct_seq_show(struct seq_file *s, void *v)
>  {
>  	struct nf_conntrack_tuple_hash *hash = v;
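Review bot: ct_seq_should_skip() carries no comment saying that it is meant to be called before a reference is held, although the changelog describes the first call as a lockless fast skip. Because the helper reads the conntrack through nf_ct_l3num(ct), a short comment above it should state that a result obtained without a reference is only a hint and that the caller must repeat the test after atomic_inc_not_zero() succeeds. That keeps a later caller from relying on the unreferenced result alone.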
> @@ -123,14 +136,15 @@ static int ct_seq_show(struct seq_file *s, void *v)
>  	int ret = 0;
>  
>  	NF_CT_ASSERT(ct);
> -	if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
> +	if (ct_seq_should_skip(ct, hash))
>  		return 0;
>  
> +	if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
> +		return 0;
>  
> -	/* we only want to print DIR_ORIGINAL */
> -	if (NF_CT_DIRECTION(hash))
> -		goto release;
> -	if (nf_ct_l3num(ct) != AF_INET)
> +	/* check if we raced w. object reuse */
> +	if (!nf_ct_is_confirmed(ct) ||

This refactoring includes this new check, is this intentional?

> +	    ct_seq_should_skip(ct, hash))
>  		goto release;
>  
>  	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
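Review bot: the !nf_ct_is_confirmed(ct) test added after atomic_inc_not_zero() is a behaviour change that the changelog does not cover; the changelog only says to "just repeat the check" once the reference is obtained, and the subject calls the patch a small refactoring. Either describe in the commit message why an unconfirmed entry has to be skipped at this point, or move the new condition into a separate patch so the refactoring stays behaviour-neutral. The comment "raced w. object reuse" would also read better with "with" spelled out and a word on which of the two conditions detects the reuse.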
> -- 
> 2.7.3
> 

Thread overview: 33+ messages
2016-04-28 17:13 [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1 Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 1/9] netfilter: conntrack: keep BH enabled during lookup Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 2/9] netfilter: conntrack: fix lookup race during hash resize Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 3/9] netfilter: conntrack: don't attempt to iterate over empty table Florian Westphal
2016-05-03 17:03   ` Pablo Neira Ayuso
2016-05-03 17:17     ` Florian Westphal
2016-05-03 17:41       ` Pablo Neira Ayuso
2016-05-03 17:55         ` Florian Westphal
2016-05-03 22:27           ` Pablo Neira Ayuso
2016-04-28 17:13 ` [PATCH nf-next 4/9] netfilter: conntrack: use nf_ct_key_equal() in more places Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf Florian Westphal
2016-05-03 18:12   ` Pablo Neira Ayuso [this message]
2016-05-03 22:27     ` Florian Westphal
2016-05-04  9:19       ` Pablo Neira Ayuso
2016-05-03 22:28     ` Pablo Neira Ayuso
2016-04-28 17:13 ` [PATCH nf-next 6/9] netfilter: conntrack: check netns when comparing conntrack objects Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 7/9] netfilter: conntrack: make netns address part of hash Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 8/9] netfilter: conntrack: use a single hashtable for all namespaces Florian Westphal
2016-04-29 15:04   ` Florian Westphal
2016-04-28 17:13 ` [PATCH nf-next 9/9] netfilter: conntrack: consider ct netns in early_drop logic Florian Westphal
2016-05-02 16:39 ` [PATCH v2 nf-next 7/9] netfilter: conntrack: make netns address part of hash Florian Westphal
2016-05-02 16:51   ` Eric Dumazet
2016-05-02 21:52     ` Florian Westphal
2016-05-02 16:39 ` [PATCH v2 nf-next 8/9] netfilter: conntrack: use a single hashtable for all namespaces Florian Westphal
2016-05-02 16:40 ` [PATCH v2 nf-next 9/9] netfilter: conntrack: consider ct netns in early_drop logic Florian Westphal
2016-05-02 22:25 ` [PATCH v3 nf-next 7/9] netfilter: conntrack: make netns address part of hash Florian Westphal
2016-05-03 22:30 ` [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1 Pablo Neira Ayuso
2016-05-05 11:54 ` Pablo Neira Ayuso
2016-05-05 20:27 ` Brian Haley
2016-05-05 20:54   ` Florian Westphal
2016-05-05 22:22     ` Brian Haley
2016-05-05 22:36       ` Florian Westphal
2016-05-05 22:55         ` Brian Haley
