* [patch] Fix ipt_ACCOUNT for large networks - 2nd try
@ 2005-04-05 7:48 Thomas Jarosch
2005-04-11 13:30 ` Carl-Daniel Hailfinger
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Thomas Jarosch @ 2005-04-05 7:48 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Hi Patrick,
attached is a patch to fix the ACCOUNT target for large networks.
This time for good ;-) Discard the patch I sent yesterday.
It runs stable now on a network with ~1300 active clients. Quoting the user:
"Nevertheless, from performance point of view, ipt_ACCOUNT rocks. I have a
distribution for routers (Route Hat) and last night switched from ipt_account
to ipt_ACCOUNT completely. What took half a minute before now takes 300ms
i.e. 100 times faster, same router, same net. Gr8 work :-)"
Cheers,
Thomas
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
diff -u -r -b ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c
--- ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2004-06-13 22:41:21.000000000 +0200
+++ ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2005-04-05 09:33:52.000000000 +0200
@@ -3,7 +3,7 @@
* See http://www.intra2net.com/opensource/ipt_account *
* for further information *
* *
- * Copyright (C) 2004 by Intra2net AG *
+ * Copyright (C) 2004-2005 by Intra2net AG *
* opensource@intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
@@ -694,7 +694,8 @@
/* Copy 8 bit network data into a prepared buffer.
We only copy entries != 0 to increase performance.
*/
-static int ipt_acc_handle_copy_data(void *to_user, int *pos,
+static int ipt_acc_handle_copy_data(void *to_user, u_int32_t *to_user_pos,
+ u_int32_t *tmpbuf_pos,
struct ipt_acc_mask_24 *data,
u_int32_t net_ip, u_int32_t net_OR_mask)
{
@@ -712,13 +713,15 @@
handle_ip.dst_bytes = data->ip[i].dst_bytes;
/* Temporary buffer full? Flush to userspace */
- if (*pos+handle_ip_size >= PAGE_SIZE) {
- *pos = 0;
- if (copy_to_user(to_user, ipt_acc_tmpbuf, *pos))
+ if (*tmpbuf_pos+handle_ip_size >= PAGE_SIZE) {
+ if (copy_to_user(to_user + *to_user_pos, ipt_acc_tmpbuf,
+ *tmpbuf_pos))
return -EFAULT;
+ *to_user_pos = *to_user_pos + *tmpbuf_pos;
+ *tmpbuf_pos = 0;
}
- memcpy(ipt_acc_tmpbuf+*pos, &handle_ip, handle_ip_size);
- *pos += handle_ip_size;
+ memcpy(ipt_acc_tmpbuf+*tmpbuf_pos, &handle_ip, handle_ip_size);
+ *tmpbuf_pos += handle_ip_size;
}
}
@@ -731,7 +734,7 @@
*/
static int ipt_acc_handle_get_data(u_int32_t handle, void *to_user)
{
- u_int32_t tmpbuf_pos=0, net_ip;
+ u_int32_t to_user_pos=0, tmpbuf_pos=0, net_ip;
unsigned char depth;
if (handle >= ACCOUNT_MAX_HANDLES) {
@@ -752,12 +755,13 @@
if (depth == 0) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)ipt_acc_handles[handle].data;
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos, network, net_ip, 0))
+ if (ipt_acc_handle_copy_data(to_user, &to_user_pos, &tmpbuf_pos,
+ network, net_ip, 0))
return -1;
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -772,15 +776,15 @@
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)network_16->mask_24[b];
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos, network,
- net_ip, (b << 16)))
+ if (ipt_acc_handle_copy_data(to_user, &to_user_pos,
+ &tmpbuf_pos, network, net_ip, (b << 16)))
return -1;
}
}
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
@@ -799,7 +803,8 @@
if (network_16->mask_24[b]) {
struct ipt_acc_mask_24 *network =
(struct ipt_acc_mask_24*)network_16->mask_24[b];
- if (ipt_acc_handle_copy_data(to_user, &tmpbuf_pos,
+ if (ipt_acc_handle_copy_data(to_user,
+ &to_user_pos, &tmpbuf_pos,
network, net_ip, (a << 8) | (b << 16)))
return -1;
}
@@ -809,7 +814,7 @@
/* Flush remaining data to userspace */
if (tmpbuf_pos)
- if (copy_to_user(to_user, ipt_acc_tmpbuf, tmpbuf_pos))
+ if (copy_to_user(to_user+to_user_pos, ipt_acc_tmpbuf, tmpbuf_pos))
return -1;
return 0;
diff -u -r -b ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h ACCOUNT.1.4/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h
--- ACCOUNT/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2004-06-13 22:41:21.000000000 +0200
+++ ACCOUNT.1.4/linux/include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-04-05 09:24:20.995818974 +0200
@@ -1,5 +1,5 @@
/***************************************************************************
- * Copyright (C) 2004 by Intra2net AG *
+ * Copyright (C) 2004-2005 by Intra2net AG *
* opensource@intra2net.com *
* *
* This program is free software; you can redistribute it and/or modify *
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-05 7:48 [patch] Fix ipt_ACCOUNT for large networks - 2nd try Thomas Jarosch
@ 2005-04-11 13:30 ` Carl-Daniel Hailfinger
2005-04-11 18:13 ` Thomas Jarosch
2005-04-14 23:44 ` Carl-Daniel Hailfinger
2005-04-24 16:52 ` Patrick McHardy
2 siblings, 1 reply; 8+ messages in thread
From: Carl-Daniel Hailfinger @ 2005-04-11 13:30 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: netfilter-devel
Hi Thomas,
Thomas Jarosch schrieb:
>
> attached is a patch to fix the ACCOUNT target for large networks.
> This time for good ;-) Discard the patch I sent yesterday.
>
> It runs stable now on a network with ~1300 active clients. Quoting the user:
> "Nevertheless, from performance point of view, ipt_ACCOUNT rocks. I have a
> distribution for routers (Route Hat) and last night switched from ipt_account
> to ipt_ACCOUNT completely. What took half a minute before now takes 300ms
> i.e. 100 times faster, same router, same net. Gr8 work :-)"
When reading the source, it seems to me that ACCOUNT has some room
for improvement:
- It is handling some sparsely populated networks inefficiently.
Consider e.g. a 192.168/16 network with 512 clients spread over
the whole range like 192.168.0.10,192.168.0.25,192.168.1.12 etc.
This needs as much memory as a fully populated network of the same
size.
- It can only handle /8,/16 and /24 networks.
- It can't account based on MAC or MAC/IP.
- It is impossible to select what is accounted for (packets/bytes,
in/out) and what should be added to the counters (layer 2 frame
length, layer 3 packet length...).
Oh, and I'd like to run the code on a 64bit machine with a 2.6 kernel.
Do you accept patches for the above items or are they already done/
being worked on by somebody else?
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-11 13:30 ` Carl-Daniel Hailfinger
@ 2005-04-11 18:13 ` Thomas Jarosch
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Jarosch @ 2005-04-11 18:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: Harald Welte
Hi Carl-Daniel,
> When reading the source, it seems to me that ACCOUNT has some room
> for improvement:
>
> - It is handling some sparsely populated networks inefficiently.
> Consider e.g. a 192.168/16 network with 512 clients spread over
> the whole range like 192.168.0.10,192.168.0.25,192.168.1.12 etc.
> This needs as much memory as a fully populated network of the same
> size.
> - It can only handle /8,/16 and /24 networks.
> - It can't account based on MAC or MAC/IP.
> - It is impossible to select what is accounted for (packets/bytes,
> in/out) and what should be added to the counters (layer 2 frame
> length, layer 3 packet length...).
>
> Oh, and I'd like to run the code on a 64bit machine with a 2.6 kernel.
>
> Do you accept patches for the above items or are they already done/
> being worked on by somebody else?
I'll gladly accept patches to it. Guess nobody is currently doing any
development (except for bugfixes) as it's working perfect for us.
IIRC the future of the accounting code is conntrack_acct.
Packets have to pass conntrack anyway, so doing the accounting
there is a good idea. Maybe it's better to test/enhance conntrack_acct?
(Not that I don't like my own ipt_ACCOUNT code ;-))
The question is, can the accounting information in conntrack_acct
be queried after the connection is closed/gone? From looking at the source,
it seems the accounting information has the same lifetime
as the conntrack of a connection. Harald, is that true?
The nice part about ACCOUNT is that you can really specify what gets
accounted and what not. This might be hard to achieve with conntrack_acct.
A userspace tool might have to split the data afterwards.
Cheers,
Thomas
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-05 7:48 [patch] Fix ipt_ACCOUNT for large networks - 2nd try Thomas Jarosch
2005-04-11 13:30 ` Carl-Daniel Hailfinger
@ 2005-04-14 23:44 ` Carl-Daniel Hailfinger
2005-04-15 8:29 ` Thomas Jarosch
2005-04-24 16:54 ` Patrick McHardy
2005-04-24 16:52 ` Patrick McHardy
2 siblings, 2 replies; 8+ messages in thread
From: Carl-Daniel Hailfinger @ 2005-04-14 23:44 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: netfilter-devel, Patrick McHardy
Thomas Jarosch schrieb:
> Hi Patrick,
>
> attached is a patch to fix the ACCOUNT target for large networks.
> This time for good ;-) Discard the patch I sent yesterday.
>
> It runs stable now on a network with ~1300 active clients. Quoting the user:
> "Nevertheless, from performance point of view, ipt_ACCOUNT rocks. I have a
> distribution for routers (Route Hat) and last night switched from ipt_account
> to ipt_ACCOUNT completely. What took half a minute before now takes 300ms
> i.e. 100 times faster, same router, same net. Gr8 work :-)"
>
> Cheers,
> Thomas
>
> Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
>
> diff -u -r -b ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c
> --- ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2004-06-13 22:41:21.000000000 +0200
> +++ ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2005-04-05 09:33:52.000000000 +0200
> @@ -694,7 +694,8 @@
> /* Copy 8 bit network data into a prepared buffer.
> We only copy entries != 0 to increase performance.
> */
> -static int ipt_acc_handle_copy_data(void *to_user, int *pos,
> +static int ipt_acc_handle_copy_data(void *to_user, u_int32_t *to_user_pos,
> + u_int32_t *tmpbuf_pos,
> struct ipt_acc_mask_24 *data,
> u_int32_t net_ip, u_int32_t net_OR_mask)
> {
You seem to like u_int32_t as a type. That causes interesting behaviour
on 64bit machines. Is there any design objective dictating that?
I have a patch available changing most occurences of u_int32_t to
something more generic (of course not for IPs, netmasks and such) which
may make sense if you ever want to use your module on 64bit machines.
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-14 23:44 ` Carl-Daniel Hailfinger
@ 2005-04-15 8:29 ` Thomas Jarosch
2005-04-24 16:54 ` Patrick McHardy
1 sibling, 0 replies; 8+ messages in thread
From: Thomas Jarosch @ 2005-04-15 8:29 UTC (permalink / raw)
To: netfilter-devel
> > +static int ipt_acc_handle_copy_data(void *to_user, u_int32_t
> > *to_user_pos, + u_int32_t *tmpbuf_pos,
> > struct ipt_acc_mask_24 *data,
> > u_int32_t net_ip, u_int32_t
> > net_OR_mask) {
>
> You seem to like u_int32_t as a type. That causes interesting behaviour
> on 64bit machines. Is there any design objective dictating that?
> I have a patch available changing most occurences of u_int32_t to
> something more generic (of course not for IPs, netmasks and such) which
> may make sense if you ever want to use your module on 64bit machines.
Yep, I think for pointers this change is necessary on 64bit platforms.
Please base your patch on the locking patch I just sent.
Thomas
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-05 7:48 [patch] Fix ipt_ACCOUNT for large networks - 2nd try Thomas Jarosch
2005-04-11 13:30 ` Carl-Daniel Hailfinger
2005-04-14 23:44 ` Carl-Daniel Hailfinger
@ 2005-04-24 16:52 ` Patrick McHardy
2005-04-24 17:06 ` Thomas Jarosch
2 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2005-04-24 16:52 UTC (permalink / raw)
To: Thomas Jarosch; +Cc: netfilter-devel
Thomas Jarosch wrote:
> attached is a patch to fix the ACCOUNT target for large networks.
> This time for good ;-) Discard the patch I sent yesterday.
Please resend as attachment, your mailer converted tabs to spaces.
patching file linux/net/ipv4/netfilter/ipt_ACCOUNT.c
Hunk #1 FAILED at 3.
Hunk #2 FAILED at 694.
Hunk #3 FAILED at 713.
Hunk #4 FAILED at 734.
Hunk #5 FAILED at 755.
Hunk #6 FAILED at 776.
Hunk #7 FAILED at 803.
Hunk #8 FAILED at 814.
8 out of 8 hunks FAILED -- saving rejects to file
linux/net/ipv4/netfilter/ipt_ACCOUNT.c.rej
Regards
Patrick
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-14 23:44 ` Carl-Daniel Hailfinger
2005-04-15 8:29 ` Thomas Jarosch
@ 2005-04-24 16:54 ` Patrick McHardy
1 sibling, 0 replies; 8+ messages in thread
From: Patrick McHardy @ 2005-04-24 16:54 UTC (permalink / raw)
To: Carl-Daniel Hailfinger; +Cc: Thomas Jarosch, netfilter-devel
Carl-Daniel Hailfinger wrote:
>>diff -u -r -b ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c
>>--- ACCOUNT/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2004-06-13 22:41:21.000000000 +0200
>>+++ ACCOUNT.1.4/linux/net/ipv4/netfilter/ipt_ACCOUNT.c 2005-04-05 09:33:52.000000000 +0200
>>@@ -694,7 +694,8 @@
>> /* Copy 8 bit network data into a prepared buffer.
>> We only copy entries != 0 to increase performance.
>> */
>>-static int ipt_acc_handle_copy_data(void *to_user, int *pos,
>>+static int ipt_acc_handle_copy_data(void *to_user, u_int32_t *to_user_pos,
>>+ u_int32_t *tmpbuf_pos,
>> struct ipt_acc_mask_24 *data,
>> u_int32_t net_ip, u_int32_t net_OR_mask)
>> {
>
>
> You seem to like u_int32_t as a type. That causes interesting behaviour
> on 64bit machines. Is there any design objective dictating that?
> I have a patch available changing most occurences of u_int32_t to
> something more generic (of course not for IPs, netmasks and such) which
> may make sense if you ever want to use your module on 64bit machines.
Seems to be fine, AFAICT the u_int32_ts are only used as offsets.
Regards
Patrick
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [patch] Fix ipt_ACCOUNT for large networks - 2nd try
2005-04-24 16:52 ` Patrick McHardy
@ 2005-04-24 17:06 ` Thomas Jarosch
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Jarosch @ 2005-04-24 17:06 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Hi Patrick,
> Please resend as attachment, your mailer converted tabs to spaces.
>
> patching file linux/net/ipv4/netfilter/ipt_ACCOUNT.c
> Hunk #1 FAILED at 3.
> Hunk #2 FAILED at 694.
> Hunk #3 FAILED at 713.
> Hunk #4 FAILED at 734.
> Hunk #5 FAILED at 755.
> Hunk #6 FAILED at 776.
> Hunk #7 FAILED at 803.
> Hunk #8 FAILED at 814.
> 8 out of 8 hunks FAILED -- saving rejects to file
> linux/net/ipv4/netfilter/ipt_ACCOUNT.c.rej
It's already in ;-)
Thomas
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2005-04-24 17:06 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-05 7:48 [patch] Fix ipt_ACCOUNT for large networks - 2nd try Thomas Jarosch
2005-04-11 13:30 ` Carl-Daniel Hailfinger
2005-04-11 18:13 ` Thomas Jarosch
2005-04-14 23:44 ` Carl-Daniel Hailfinger
2005-04-15 8:29 ` Thomas Jarosch
2005-04-24 16:54 ` Patrick McHardy
2005-04-24 16:52 ` Patrick McHardy
2005-04-24 17:06 ` Thomas Jarosch
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.