* conntrack match and locking
@ 2004-05-24 15:29 Chris Wilson
  2004-05-26 16:06 ` Henrik Nordstrom
  2004-05-27  1:32 ` Patrick McHardy
  0 siblings, 2 replies; 7+ messages in thread
From: Chris Wilson @ 2004-05-24 15:29 UTC (permalink / raw)
  To: Netfilter Developers

Hi all,

The conntrack match from POM-ng doesn't appear to do any locking while 
accessing conntrack structures. Is that a problem? If so, how can I fix 
it? I can submit a patch if someone can tell me what lock(s) I need to 
hold.

Cheers, Chris.
-- 
_  __ __     _
 / __/ / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_  ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |


* Re: conntrack match and locking
  2004-05-24 15:29 conntrack match and locking Chris Wilson
@ 2004-05-26 16:06 ` Henrik Nordstrom
  2004-05-27 10:11   ` Chris Wilson
  2004-05-27  1:32 ` Patrick McHardy
  1 sibling, 1 reply; 7+ messages in thread
From: Henrik Nordstrom @ 2004-05-26 16:06 UTC (permalink / raw)
  To: Chris Wilson; +Cc: Netfilter Developers

On Mon, 24 May 2004, Chris Wilson wrote:

> Hi all,
> 
> The conntrack match from POM-ng doesn't appear to do any locking while 
> accessing conntrack structures. Is that a problem?

Not really a problem, the conntrack is locked by the reference from the
skb (packet), and we know there are no others (legally) messing with this
skb while iptables processes it.

Regards
Henrik


* Re: conntrack match and locking
  2004-05-24 15:29 conntrack match and locking Chris Wilson
  2004-05-26 16:06 ` Henrik Nordstrom
@ 2004-05-27  1:32 ` Patrick McHardy
  1 sibling, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2004-05-27  1:32 UTC (permalink / raw)
  To: Chris Wilson; +Cc: Netfilter Developers

Chris Wilson wrote:
> Hi all,
> 
> The conntrack match from POM-ng doesn't appear to do any locking while 
> accessing conntrack structures. Is that a problem? If so, how can I fix 
> it? I can submit a patch if someone can tell me what lock(s) I need to 
> hold.

Actually it doesn't require locking. Everything it looks at is either
read-only after the connection has been confirmed, or modified without
locking (status).

Regards
Patrick

> 
> Cheers, Chris.


* Re: conntrack match and locking
  2004-05-26 16:06 ` Henrik Nordstrom
@ 2004-05-27 10:11   ` Chris Wilson
  2004-05-27 10:28     ` Henrik Nordstrom
  2004-05-28 12:06     ` Pablo Neira
  0 siblings, 2 replies; 7+ messages in thread
From: Chris Wilson @ 2004-05-27 10:11 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: Netfilter Developers

Hi Henrik,

> > The conntrack match from POM-ng doesn't appear to do any locking while 
> > accessing conntrack structures. Is that a problem?
> 
> Not really a problem, the conntrack is locked by the reference from the
> skb (packet), and we know there are no others (legally) messing with this
> skb while iptables processes it.

Is there some documentation which describes this process? I didn't find 
anything in the netfilter hacking HOWTO. Are the conntrack entries 
(original and reply) actually spin_locked, or just held in memory by the 
reference? If two packets are being processed at the same time on an SMP 
machine, who holds what locks?

Thanks very much for your help,

Cheers, Chris.
-- 
_  __ __     _
 / __/ / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_  ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |


* Re: conntrack match and locking
  2004-05-27 10:11   ` Chris Wilson
@ 2004-05-27 10:28     ` Henrik Nordstrom
  2004-05-28 12:06     ` Pablo Neira
  1 sibling, 0 replies; 7+ messages in thread
From: Henrik Nordstrom @ 2004-05-27 10:28 UTC (permalink / raw)
  To: Chris Wilson; +Cc: Netfilter Developers

On Thu, 27 May 2004, Chris Wilson wrote:

> Is there some documentation which describes this process? I didn't find 
> anything in the netfilter hacking HOWTO. Are the conntrack entries 
> (original and reply) actually spin_locked, or just held in memory by the 
> reference?

There is just one conntrack. The reply and original directions are just
different fields within the same conntrack.

The conntrack is just held in memory by the reference. Most fields are
read-only except for a few atomic status fields and expected connection
references (expected connection updates are protected by another lock and
the reference).

> If two packets are being processed at the same time on an SMP 
> machine, who holds what locks?

Both hold a reference. The reference counter is atomic and protected
during increase by a read lock on the global conntrack hash table.

Regards
Henrik


* Re: conntrack match and locking
  2004-05-27 10:11   ` Chris Wilson
  2004-05-27 10:28     ` Henrik Nordstrom
@ 2004-05-28 12:06     ` Pablo Neira
  2004-05-28 12:39       ` Pablo Neira
  1 sibling, 1 reply; 7+ messages in thread
From: Pablo Neira @ 2004-05-28 12:06 UTC (permalink / raw)
  To: Chris Wilson, Netfilter Development Mailinglist

Hi Chris,

Chris Wilson wrote:

>Is there some documentation which describes this process? I didn't find 
>anything in the netfilter hacking HOWTO.
>

No, only source code. Have a look at the netfilter-docbook patch, which has
comments about all functions used in ip_conntrack_core.c, but the
current schema used is not documented.

> Are the conntrack entries 
>(original and reply) actually spin_locked, or just held in memory by the 
>reference?
>

Actually this is the process, when we read a conntrack from the 
conntrack table we read_lock the table and increase its refcount (see 
ip_conntrack_get). We don't lock a conntrack, we lock the table while 
reading the conntrack/tuples pair.

To write a conntrack, that is, we want to add/destroy/modify a conntrack,
we write lock the table.

At this moment we lock the whole table, Joszef has some patches to make 
fine grain locking (instead of locking the whole table, per bucket 
locking) in pom-ng still in testing phase.

> If two packets are being processed at the same time on an SMP 
>machine, who holds what locks?
>  
>

As I told you, we only lock the table when reading/writing new entries,
once we get the conntrack, we increase the refcount. Also have a look at
ip_conntrack_put to understand the way refcounts are used when
destroying a conntrack.

regards,
Pablo


* Re: conntrack match and locking
  2004-05-28 12:06     ` Pablo Neira
@ 2004-05-28 12:39       ` Pablo Neira
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira @ 2004-05-28 12:39 UTC (permalink / raw)
  To: Pablo Neira, Netfilter Development Mailinglist

Hi!

Pablo Neira wrote:

> Actually this is the process, when we read a conntrack from the 
> conntrack table we read_lock the table and increase its refcount (see 
> ip_conntrack_get). We don't lock a conntrack, we lock the table while 
> reading the conntrack/tuples pair.


sorry, see ip_conntrack_find_get! :-)

regards,
Pablo

