From: Patrick McHardy <kaber@trash.net>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Netfilter Developers <netfilter-devel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>
Subject: Re: [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untracked
Date: Fri, 04 Jun 2010 13:40:26 +0200
Message-ID: <4C08E62A.9020607@trash.net>
In-Reply-To: <1275409203.2738.227.camel@edumazet-laptop>

Eric Dumazet wrote:
> On Tuesday, 01 June 2010 at 12:41 +0200, Patrick McHardy wrote:
>
>>> BTW, I notice nf_conntrack_untracked is incorrectly annotated
>>> '__read_mostly'.
>>>
>>> It can be written very often :(
>>>
>>> Shouldn't we special case it and let it be really const ?
>> That would need quite a bit of special-casing to avoid touching
>> the reference counts. So far this is completely hidden, so I'd
>> say it just shouldn't be marked __read_mostly. Alternatively we
>> can make "untracked" a nfctinfo state.
>
> I tried this suggestion, (a new IP_CT_UNTRACKED ctinfo), over a per_cpu
> untracked ct, but it's a bit hard.
>
> For example, I cannot find a way to change ctnetlink_conntrack_event() :
>
> 	if (ct == &nf_conntrack_untracked)
> 		return 0;
>
> Maybe this piece of code is not necessary, we should not come here
> anyway, or it means several packets could store events for this (shared)
> ct ?

We probably shouldn't be reaching that code since that would mean
that we previously did modifications to the untracked conntrack.
But a quick audit shows that f.i. xt_connmark will do just that.

> Obviously, an IPS_UNTRACKED bit would be much easier to implement.
> Would it be acceptable ?

That also would be fine. However the main idea behind using a nfctinfo
bit was that we wouldn't need the untracked conntrack anymore at all.
But I guess a per-cpu untracked conntrack would already be an improvement
over the current situation.
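
The point discussed in this message, as an added example that is not part of the original mail and is not kernel code: once the untracked entry exists per CPU, an address comparison like the quoted one only recognises a single instance, while a status bit recognises all of them and reference-count writes stay on the local CPU's entry. All names (model_ct, MODEL_IPS_UNTRACKED, the bit position, the CPU count) are assumptions made for this userspace model.

```c
/* Userspace model only; names, sizes and bit position are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#define MODEL_NR_CPUS       4            /* assumed CPU count */
#define MODEL_IPS_UNTRACKED (1UL << 0)   /* assumed bit position */

struct model_ct {
    unsigned long status;   /* status bits, may carry MODEL_IPS_UNTRACKED */
    long use;               /* reference count, written on every get */
};

/* One untracked entry per CPU instead of a single shared object. */
static struct model_ct model_untracked[MODEL_NR_CPUS];

void model_untracked_init(void)
{
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++) {
        model_untracked[cpu].status = MODEL_IPS_UNTRACKED;
        model_untracked[cpu].use = 1;
    }
}

/* Take a reference on the given CPU's entry: the write stays CPU-local. */
struct model_ct *model_untracked_get(unsigned int cpu)
{
    struct model_ct *ct = &model_untracked[cpu % MODEL_NR_CPUS];
    ct->use++;
    return ct;
}

/* Address test in the style of the quoted snippet: knows one object only. */
bool model_skip_event_by_ptr(const struct model_ct *ct)
{
    return ct == &model_untracked[0];
}

/* Status-bit test: holds for every per-CPU entry. */
bool model_skip_event_by_bit(const struct model_ct *ct)
{
    return (ct->status & MODEL_IPS_UNTRACKED) != 0;
}

int main(void)
{
    model_untracked_init();
    struct model_ct *ct = model_untracked_get(2);
    printf("ptr=%d bit=%d\n", model_skip_event_by_ptr(ct), model_skip_event_by_bit(ct));
    return 0;
}
```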