From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 0/7] metfilter: remove pcpu dying list
Date: Wed, 9 Feb 2022 17:26:03 +0100
Message-ID: <20220209162603.GA11480@breakpoint.cc>
In-Reply-To: <20220209161057.30688-1-fw@strlen.de>

Florian Westphal <fw@strlen.de> wrote:
> This is part 1 of a series that aims to remove both the unconfirmed
> and dying lists.

The unconfirmed list is a requirement only because some extensions place
pointers to objects that reside in kernel modules without taking any
references, e.g. the conntrack helpers or timeout policies.

For normal conntracks, the rmmod code path can walk the table and
set the affected pointers in the extension to NULL.
For the unconfirmed conntracks, this list gets used to flag those
conntracks as dying so they won't get inserted into the table anymore.

The replacement idea for the unconfirmed list is as follows (I have no
code yet):

1. add a generation id to the ct extension area, set at allocation
   time.
2. extend nf_ct_ext_find(): if conntrack is unconfirmed, only return
   the extension area if ext->genid == global_id.
3. at confirm time, delete the nf_conn entry if ext->genid != global_id.
4. whenever a helper module is removed (or other problematic user such
   as the timeout conntrack module), increment the global_id.
   I.e. 'walk unconfirmed list and flag entries as dying' becomes
   'global_extid++'.

This allows detecting conntracks that were not yet in the hashtable
but might reference a (now stale) pointer to a removed helper/timeout
policy object without the need for a special unconfirmed list.

After these changes, the percpu lists can be removed, which avoids the
need for an extra list insert/remove + spinlock at conntrack allocation
time.

Let me know if you spot a problem with the scheme above.
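
Added example, not part of the original message and not kernel code: a userspace C model of the four-step generation-id scheme described above. All type and function names here are hypothetical, and the model assumes every conntrack has an extension area; already-confirmed entries are still handled by the rmmod table walk, which is not modelled.

```c
/* Userspace model of the proposed genid scheme; all names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

static atomic_uint global_id;   /* bumped when a helper/timeout module is removed */
struct ct_ext  { unsigned int genid; const void *helper; };
struct ct_conn { bool confirmed; struct ct_ext *ext; };

/* Step 1: stamp the extension area with the current generation at allocation. */
static struct ct_conn *ct_alloc(const void *helper)
{
    struct ct_conn *ct = calloc(1, sizeof(*ct));
    struct ct_ext *ext = calloc(1, sizeof(*ext));
    if (!ct || !ext) { free(ct); free(ext); return NULL; }
    ext->genid = atomic_load(&global_id);
    ext->helper = helper;       /* pointer into a module, no reference taken */
    ct->ext = ext;
    return ct;
}

/* Step 2: an unconfirmed entry with a stale generation exposes no extension. */
static struct ct_ext *ct_ext_find(const struct ct_conn *ct)
{
    if (!ct->confirmed && ct->ext->genid != atomic_load(&global_id))
        return NULL;
    return ct->ext;
}

/* Step 3: refuse to insert a stale entry into the table; the caller drops it. */
static bool ct_confirm(struct ct_conn *ct)
{
    if (ct->ext->genid != atomic_load(&global_id))
        return false;
    ct->confirmed = true;
    return true;
}

/* Step 4: module removal invalidates every still-unconfirmed entry at once. */
static void helper_unregister(void) { atomic_fetch_add(&global_id, 1); }
static void ct_free(struct ct_conn *ct) { free(ct->ext); free(ct); }

int main(void)
{
    static int helper;          /* constructed stand-in for a module object */
    struct ct_conn *ct = ct_alloc(&helper);
    if (!ct) return 1;
    helper_unregister();        /* module goes away before confirmation */
    int stale = !ct_ext_find(ct) && !ct_confirm(ct);
    ct_free(ct);
    return stale ? 0 : 1;
}
```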
