* conntrack match and locking
@ 2004-05-24 15:29 Chris Wilson
2004-05-26 16:06 ` Henrik Nordstrom
2004-05-27 1:32 ` Patrick McHardy
0 siblings, 2 replies; 7+ messages in thread
From: Chris Wilson @ 2004-05-24 15:29 UTC
To: Netfilter Developers
Hi all,
The conntrack match from POM-ng doesn't appear to do any locking while
accessing conntrack structures. Is that a problem? If so, how can I fix
it? I can submit a patch if someone can tell me what lock(s) I need to
hold.
Cheers, Chris.
--
_ __ __ _
/ __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
* Re: conntrack match and locking
From: Henrik Nordstrom @ 2004-05-26 16:06 UTC
To: Chris Wilson; +Cc: Netfilter Developers
On Mon, 24 May 2004, Chris Wilson wrote:
> Hi all,
>
> The conntrack match from POM-ng doesn't appear to do any locking while
> accessing conntrack structures. Is that a problem?
Not really a problem, the conntrack is locked by the reference from the
skb (packet), and we know there are no others (legally) messing with this
skb while iptables processes it.
Regards
Henrik
* Re: conntrack match and locking
From: Chris Wilson @ 2004-05-27 10:11 UTC
To: Henrik Nordstrom; +Cc: Netfilter Developers
Hi Henrik,
> > The conntrack match from POM-ng doesn't appear to do any locking while
> > accessing conntrack structures. Is that a problem?
>
> Not really a problem, the conntrack is locked by the reference from the
> skb (packet), and we know there is no others (legally) messing with this
> skb while iptables processes it.
Is there some documentation which describes this process? I didn't find
anything in the netfilter hacking HOWTO. Are the conntrack entries
(original and reply) actually spin_locked, or just held in memory by the
reference? If two packets are being processed at the same time on an SMP
machine, who holds what locks?
Thanks very much for your help,
Cheers, Chris.
--
_ __ __ _
/ __/ / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\__/_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
* Re: conntrack match and locking
From: Henrik Nordstrom @ 2004-05-27 10:28 UTC
To: Chris Wilson; +Cc: Netfilter Developers
On Thu, 27 May 2004, Chris Wilson wrote:
> Is there some documentation which describes this process? I didn't find
> anything in the netfilter hacking HOWTO. Are the conntrack entries
> (original and reply) actually spin_locked, or just held in memory by the
> reference?
There is just one conntrack. The reply and original directions are just
different fields within the same conntrack.
The conntrack is just held in memory by the reference. Most fields are
read-only except for a few atomic status fields and expected connection
references (expected connection updates are protected by another lock and
the reference).
> If two packets are being processed at the same time on an SMP
> machine, who holds what locks?
Both hold a reference. The reference counter is atomic and protected
during increase by a read lock on the global conntrack hash table.
Regards
Henrik
* Re: conntrack match and locking
From: Pablo Neira @ 2004-05-28 12:06 UTC
To: Chris Wilson, Netfilter Development Mailinglist
Hi Chris,
Chris Wilson wrote:
>Is there some documentation which describes this process? I didn't find
>anything in the netfilter hacking HOWTO.
>
no, only source code, have a look at netfilter-docbook patch which has
comments about all functions used in ip_conntrack_core.c, but the
current schema used is not documented.
> Are the conntrack entries
>(original and reply) actually spin_locked, or just held in memory by the
>reference?
>
Actually this is the process, when we read a conntrack from the
conntrack table we read_lock the table and increase its refcount (see
ip_conntrack_get). We don't lock a conntrack, we lock the table while
reading the conntrack/tuples pair.
To write a conntrack, that is, we want to add/destroy/modify a conntrack,
we write lock the table.
At this moment we lock the whole table, Jozsef has some patches to make
fine grain locking (instead of locking the whole table, per bucket
locking) in pom-ng still in testing phase.
> If two packets are being processed at the same time on an SMP
>machine, who holds what locks?
>
>
As I told you, we only lock the table when reading/writing new entries,
once we get the conntrack, we increase the refcount. Have also a look at
ip_conntrack_put to understand the way refcounts are used when
destroying a conntrack.
regards,
Pablo
* Re: conntrack match and locking
From: Pablo Neira @ 2004-05-28 12:39 UTC
To: Pablo Neira, Netfilter Development Mailinglist
Hi!
Pablo Neira wrote:
> Actually this is the process, when we read a conntrack from the
> conntrack table we read_lock the table and increase its refcount (see
> ip_conntrack_get). We don't lock a conntrack, we lock the table while
> reading the conntrack/tuples pair.
sorry, see ip_conntrack_find_get! :-)
regards,
Pablo
* Re: conntrack match and locking
From: Patrick McHardy @ 2004-05-27 1:32 UTC
To: Chris Wilson; +Cc: Netfilter Developers
Chris Wilson wrote:
> Hi all,
>
> The conntrack match from POM-ng doesn't appear to do any locking while
> accessing conntrack structures. Is that a problem? If so, how can I fix
> it? I can submit a patch if someone can tell me what lock(s) I need to
> hold.
Actually it doesn't require locking. Everything it looks at is either
read-only after the connection has been confirmed, or modified without
locking (status).
Regards
Patrick
>
> Cheers, Chris.