* [PATCH nf-next 0/2] netfilter: conntrack: speed up netns dismantle
@ 2021-11-17 11:23 Florian Westphal
From: Florian Westphal @ 2021-11-17 11:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
On netns exit the conntrack table is iterated once for every netns on
the exit list. We can use the same 'trick' as tcp metrics and use the netns
refcount to detect which net namespaces are exiting instead.
This allows iterating the table only once regardless of how many net
namespaces require cleanup.
Florian Westphal (2):
netfilter: conntrack: split nf_conntrack_cleanup_net_list
netfilter: conntrack: speed up netns cleanup
net/netfilter/nf_conntrack_core.c | 40 +++++++++++++++++++++++--------
1 file changed, 30 insertions(+), 10 deletions(-)
--
2.32.0
* [PATCH nf-next 1/2] netfilter: conntrack: split nf_conntrack_cleanup_net_list
From: Florian Westphal @ 2021-11-17 11:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Preparation patch to keep size of next change down.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_core.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 770a63103c7a..c560bce9ebcb 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2476,6 +2476,18 @@ void nf_conntrack_cleanup_end(void)
kmem_cache_destroy(nf_conntrack_cachep);
}
+static void __nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
+{
+ struct net *net;
+
+ list_for_each_entry(net, net_exit_list, exit_list) {
+ nf_conntrack_ecache_pernet_fini(net);
+ nf_conntrack_expect_pernet_fini(net);
+ free_percpu(net->ct.stat);
+ free_percpu(net->ct.pcpu_lists);
+ }
+}
+
/*
* Mishearing the voices in his head, our hero wonders how he's
* supposed to kill the mall.
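Review bot: the new __nf_conntrack_cleanup_net_list() helper has no comment stating its precondition, namely that every conntrack entry belonging to the nets on net_exit_list has already been reaped, even though it frees net->ct.stat and net->ct.pcpu_lists unconditionally. Since the second patch in this series calls the helper directly from nf_conntrack_cleanup_net(), a one-line comment above the function such as `/* caller must have drained all conntracks of these nets */` would make the split safer to maintain.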
@@ -2513,12 +2525,7 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
goto i_see_dead_people;
}
- list_for_each_entry(net, net_exit_list, exit_list) {
- nf_conntrack_ecache_pernet_fini(net);
- nf_conntrack_expect_pernet_fini(net);
- free_percpu(net->ct.stat);
- free_percpu(net->ct.pcpu_lists);
- }
+ __nf_conntrack_cleanup_net_list(net_exit_list);
}
void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
--
2.32.0
* [PATCH nf-next 2/2] netfilter: conntrack: speed up netns cleanup
From: Florian Westphal @ 2021-11-17 11:23 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Only do a single table iteration. Detect the "dead" namespaces by checking
the reference count.
This reaps all conntrack entries of dead namespaces in a single
cycle rather than having one full scan per netns.
This is similar to what the tcp metrics table is doing.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_core.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c560bce9ebcb..38f97c1d9b3f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2448,6 +2448,9 @@ EXPORT_SYMBOL_GPL(nf_ct_iterate_destroy);
static int kill_all(struct nf_conn *i, void *data)
{
+ if (!data)
+ return !check_net(nf_ct_net(i));
+
return net_eq(nf_ct_net(i), data);
}
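Review bot: the `data == NULL` sentinel gives kill_all() two different selection rules (exact-net match via net_eq() versus "any net whose refcount has dropped to zero" via !check_net()), and nothing in the function documents that. A comment above the `if (!data)` branch, e.g. `/* data == NULL: reap conntracks of every netns that is already dead */`, would help, and it should spell out that the NULL path is only correct when every net on the exit list already has its refcount at zero, since check_net() returning true for a still-referenced net keeps that net's entries in the table.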
@@ -2494,10 +2497,18 @@ static void __nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
*/
void nf_conntrack_cleanup_net(struct net *net)
{
+ struct nf_conntrack_net *cnet = nf_ct_pernet(net);
LIST_HEAD(single);
+ synchronize_net();
+
+ while (atomic_read(&cnet->count) != 0) {
+ nf_ct_iterate_cleanup(kill_all, net, 0, 0);
+ schedule();
+ }
+
list_add(&net->exit_list, &single);
- nf_conntrack_cleanup_net_list(&single);
+ __nf_conntrack_cleanup_net_list(&single);
}
void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
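Review bot: nf_conntrack_cleanup_net() keeps passing `net` rather than NULL to nf_ct_iterate_cleanup(), i.e. it retains the exact-match path instead of the new refcount check, but neither the code nor the commit message says why this caller cannot use the single-pass rule (presumably the net may still be referenced here, so check_net() would not flag it). A short comment above the while loop would stop the next reader from "fixing" it to NULL. The loop also spins on `atomic_read(&cnet->count)` with only schedule() between passes, the same unbounded pattern as the i_see_dead_people retry in nf_conntrack_cleanup_net_list(); that is consistent with existing code but worth stating in the same comment.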
@@ -2516,9 +2527,11 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
list_for_each_entry(net, net_exit_list, exit_list) {
struct nf_conntrack_net *cnet = nf_ct_pernet(net);
- nf_ct_iterate_cleanup(kill_all, net, 0, 0);
- if (atomic_read(&cnet->count) != 0)
- busy = 1;
+ if (atomic_read(&cnet->count) != 0) {
+ nf_ct_iterate_cleanup(kill_all, NULL, 0, 0);
+ if (atomic_read(&cnet->count) != 0)
+ busy = 1;
+ }
}
if (busy) {
schedule();
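Review bot: with `data == NULL` the call at `+ nf_ct_iterate_cleanup(kill_all, NULL, 0, 0);` is no longer per-net, yet it still sits inside list_for_each_entry(), so within one pass the full table is walked once for every net whose cnet->count is still non-zero when the loop reaches it; that is usually once, but more when entries are in flight, so it is not strictly the single scan the commit message describes. Hoisting it out of the loop (set a flag if any count is non-zero, call nf_ct_iterate_cleanup(kill_all, NULL, 0, 0) once after the loop, then re-check the counts to set `busy`) would make the one-scan-per-pass guarantee hold.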
--
2.32.0