From: Patrick McHardy <kaber@trash.net>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	den@openvz.org, xemul@openvz.org, ebiederm@xmission.com,
	benjamin.thery@bull.net, dlezcano@fr.ibm.com
Subject: Re: [PATCH 06/25] netns ct: per-netns conntrack hash
Date: Mon, 23 Jun 2008 12:22:17 +0200
Message-ID: <485F7959.9000901@trash.net>
In-Reply-To: <20080622010605.GG5392@martell.zuzino.mipt.ru>

Alexey Dobriyan wrote:
> netns is given personal conntrack hash. Another way is to have one hash
> and give tuplehashes ->ct_net pointer. I tried that at some point, it's
> more ugly and more non-obvious.

I think it makes more sense your way, otherwise eviction becomes much
more complicated or people can easily DoS other namespaces.

> Functions that search by tuple (numerical data) get netns argument
> to know where to search as well as conntrack flush functions get netns
> argument propagated.
> 
> Everybody is stubbed to init_net, except trivial places.
> 
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -5,5 +5,7 @@
>  
>  struct netns_ct {
>  	atomic_t	count;
> +	struct hlist_head	*hash;
> +	int			hash_vmalloc;
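Review bot: The two new members of struct netns_ct carry no comment; `hash_vmalloc` presumably records whether `hash` was obtained with vmalloc so the per-namespace teardown can pick the matching release function, and a one-line comment on each field (e.g. `/* 1 if hash was vmalloc'ed */`) would make that contract explicit for whoever writes the cleanup path. As the hunk stands, `count` is the only other member, so nothing here says what serialises access to the new per-namespace table.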

Shouldn't the lock also be per namespace?

> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -49,15 +49,11 @@ EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
>  int nf_conntrack_max __read_mostly;
>  EXPORT_SYMBOL_GPL(nf_conntrack_max);
>  
> -struct hlist_head *nf_conntrack_hash __read_mostly;
> -EXPORT_SYMBOL_GPL(nf_conntrack_hash);
> -
>  struct nf_conn nf_conntrack_untracked __read_mostly;
>  EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
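Review bot: Dropping `nf_conntrack_hash` together with its EXPORT_SYMBOL_GPL removes a symbol other modules may be linked against, and the hunk shows no replacement accessor; the commit message should state that users move to the `hash` field of struct netns_ct (through init_net for now, per "Everybody is stubbed to init_net") and confirm that every in-tree reference is converted in this same patch so the series stays bisectable.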

Just a general comment, maybe it's done in a later patch. But
for nf_conntrack_cleanup(), you also need to put the untrack
entry in a namespace, otherwise different use in different
namespaces will prevent cleanup from completing.
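The isolation argument behind the patch (a per-namespace table means one namespace cannot evict or starve another's entries, and flush only touches the namespace it is given) can be shown with a small user-space model. The following is an added example and not code from the patch or the kernel: it models `struct netns_ct` with a `count`, a singly linked chain per bucket in place of `hlist_head`, and an assumed per-namespace `max` (the kernel's `nf_conntrack_max` is global); `ct_find`, `ct_insert` and `ct_flush` all take the namespace as the patch's search and flush functions do.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not kernel code) of the per-netns conntrack
 * hash: each namespace owns its own table and count, so one namespace filling
 * its table cannot block or evict another's entries. 'max' is an assumed
 * per-namespace cap, standing in for the global nf_conntrack_max. */
#define CT_HASH_SIZE 8

struct ct_tuple {
	uint32_t src, dst;
	uint16_t sport, dport;
	uint8_t proto;
};

struct ct_entry {
	struct ct_tuple tuple;
	struct ct_entry *next;		/* bucket chain, stand-in for hlist */
};

struct netns_ct {
	int count;			/* entries tracked in this namespace */
	int max;			/* assumed per-namespace limit */
	struct ct_entry *hash[CT_HASH_SIZE];	/* the per-netns hash */
};

static unsigned int ct_hash(const struct ct_tuple *t)
{
	uint32_t h = t->src * 2654435761u;
	h ^= t->dst * 2246822519u;
	h ^= ((uint32_t)t->sport << 16) | t->dport;
	h ^= t->proto;
	return h % CT_HASH_SIZE;
}

static int tuple_eq(const struct ct_tuple *a, const struct ct_tuple *b)
{
	return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
	       a->dport == b->dport && a->proto == b->proto;
}

/* Search by tuple takes the netns: an identical tuple may be tracked in two
 * namespaces without either seeing the other's entry. */
struct ct_entry *ct_find(struct netns_ct *net, const struct ct_tuple *t)
{
	for (struct ct_entry *e = net->hash[ct_hash(t)]; e; e = e->next)
		if (tuple_eq(&e->tuple, t))
			return e;
	return NULL;
}

/* Returns 1 if the tuple is tracked afterwards, 0 if this namespace's table
 * is full and the new connection is dropped (no other namespace is touched). */
int ct_insert(struct netns_ct *net, const struct ct_tuple *t)
{
	if (ct_find(net, t))
		return 1;
	if (net->count >= net->max)
		return 0;
	struct ct_entry *e = calloc(1, sizeof *e);
	if (!e)
		return 0;
	e->tuple = *t;
	unsigned int b = ct_hash(t);
	e->next = net->hash[b];
	net->hash[b] = e;
	net->count++;
	return 1;
}

/* Flush takes the netns and frees only that namespace's entries;
 * returns the number freed. */
int ct_flush(struct netns_ct *net)
{
	int freed = 0;
	for (unsigned int b = 0; b < CT_HASH_SIZE; b++) {
		while (net->hash[b]) {
			struct ct_entry *e = net->hash[b];
			net->hash[b] = e->next;
			free(e);
			freed++;
		}
	}
	net->count = 0;
	return freed;
}

/* Scenario: namespace A floods its own table to the cap; namespace B still
 * tracks its flow and keeps it after A is flushed. Returns 1 when every
 * isolation expectation holds. Addresses and ports are constructed. */
int demo_isolation(void)
{
	struct netns_ct a = { .max = 4 }, b = { .max = 4 };
	struct ct_tuple flow = { .src = 0x0a000001, .dst = 0x0a000002,
				 .sport = 40000, .dport = 80, .proto = 6 };
	int ok = 1;

	for (uint16_t p = 1; p <= 4; p++) {	/* fill A to its cap */
		struct ct_tuple t = flow;
		t.sport = p;
		ok &= ct_insert(&a, &t);
	}
	struct ct_tuple extra = flow;
	extra.sport = 5;
	ok &= !ct_insert(&a, &extra);		/* A is full: dropped */
	ok &= ct_insert(&b, &flow);		/* B unaffected by A's flood */
	ok &= ct_flush(&a) == 4;		/* flushing A frees only A's 4 */
	ok &= a.count == 0 && b.count == 1 && ct_find(&b, &flow) != NULL;
	ct_flush(&b);
	return ok;
}

int main(void)
{
	printf("per-netns isolation holds: %s\n", demo_isolation() ? "yes" : "no");
	return 0;
}
```

With a single shared table the fifth insert into A would instead consume capacity that B depends on, which is the DoS across namespaces the reply refers to; here each `struct netns_ct` carries its own `hash` and `count`, so the drop stays inside A.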
