[PATCH nf-next 0/2] netfilter: conntrack: speed up netns dismantle

[PATCH nf-next 0/2] netfilter: conntrack: speed up netns dismantle

[Florian Westphal]

On netns exit the conntrack table is iterated once for every netns on
the exit list.  We can use same 'trick' as tcp metrics and use the netns
refcount to detect which net namespaces are exiting instead.

This allows to iterate the table only once regardless of how many net
namespaces require cleanup.

Florian Westphal (2):
  netfilter: conntrack: split nf_conntrack_cleanup_net_list
  netfilter: conntrack: speed up netns cleanup

 net/netfilter/nf_conntrack_core.c | 40 +++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 10 deletions(-)

-- 
2.32.0

[PATCH nf-next 1/2] netfilter: conntrack: split nf_conntrack_cleanup_net_list

[Florian Westphal]

Preparation patch to keep size of next change down.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_core.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 770a63103c7a..c560bce9ebcb 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2476,6 +2476,18 @@ void nf_conntrack_cleanup_end(void)
 	kmem_cache_destroy(nf_conntrack_cachep);
 }
 
+static void __nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
+{
+	struct net *net;
+
+	list_for_each_entry(net, net_exit_list, exit_list) {
+		nf_conntrack_ecache_pernet_fini(net);
+		nf_conntrack_expect_pernet_fini(net);
+		free_percpu(net->ct.stat);
+		free_percpu(net->ct.pcpu_lists);
+	}
+}
+
 /*
  * Mishearing the voices in his head, our hero wonders how he's
  * supposed to kill the mall.
@@ -2513,12 +2525,7 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
 		goto i_see_dead_people;
 	}
 
-	list_for_each_entry(net, net_exit_list, exit_list) {
-		nf_conntrack_ecache_pernet_fini(net);
-		nf_conntrack_expect_pernet_fini(net);
-		free_percpu(net->ct.stat);
-		free_percpu(net->ct.pcpu_lists);
-	}
+	__nf_conntrack_cleanup_net_list(net_exit_list);
 }
 
 void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
-- 
2.32.0

[PATCH nf-next 2/2] netfilter: conntrack: speed up netns cleanup

[Florian Westphal]

Only do a single table iteration. Detect the "dead" namespaces by checking
the reference count.

This reaps all conntrack entries of dead namespaces in a single
cycle rather than having one full scan per netns.

This is similar to what tcp metrics table is doing.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_core.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c560bce9ebcb..38f97c1d9b3f 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -2448,6 +2448,9 @@ EXPORT_SYMBOL_GPL(nf_ct_iterate_destroy);
 
 static int kill_all(struct nf_conn *i, void *data)
 {
+	if (!data)
+		return !check_net(nf_ct_net(i));
+
 	return net_eq(nf_ct_net(i), data);
 }
 
@@ -2494,10 +2497,18 @@ static void __nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
  */
 void nf_conntrack_cleanup_net(struct net *net)
 {
+	struct nf_conntrack_net *cnet = nf_ct_pernet(net);
 	LIST_HEAD(single);
 
+	synchronize_net();
+
+	while (atomic_read(&cnet->count) != 0) {
+		nf_ct_iterate_cleanup(kill_all, net, 0, 0);
+		schedule();
+	}
+
 	list_add(&net->exit_list, &single);
-	nf_conntrack_cleanup_net_list(&single);
+	__nf_conntrack_cleanup_net_list(&single);
 }
 
 void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
@@ -2516,9 +2527,11 @@ void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
 	list_for_each_entry(net, net_exit_list, exit_list) {
 		struct nf_conntrack_net *cnet = nf_ct_pernet(net);
 
-		nf_ct_iterate_cleanup(kill_all, net, 0, 0);
-		if (atomic_read(&cnet->count) != 0)
-			busy = 1;
+		if (atomic_read(&cnet->count) != 0) {
+			nf_ct_iterate_cleanup(kill_all, NULL, 0, 0);
+			if (atomic_read(&cnet->count) != 0)
+				busy = 1;
+		}
 	}
 	if (busy) {
 		schedule();
-- 
2.32.0