public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed
From: Julian Anastasov <ja@ssi.bg>
To: Jakub Kicinski <kuba@kernel.org>
Cc: fw@strlen.de, netfilter-devel@vger.kernel.org, pabeni@redhat.com,
	davem@davemloft.net, edumazet@google.com, netdev@vger.kernel.org,
	pablo@netfilter.org
Subject: Re: [net-next,1/9] ipvs: make ip_vs_svc_table and ip_vs_svc_fwm_table per netns
Date: Thu, 26 Feb 2026 21:19:43 +0200 (EET)	[thread overview]
Message-ID: <2b88af71-9294-e4a6-968a-cb9b314bc87f@ssi.bg> (raw)
In-Reply-To: <20260226034114.1806906-1-kuba@kernel.org>


	Hello,

On Wed, 25 Feb 2026, Jakub Kicinski wrote:

> This is an AI-generated review of your patch. The human sending this
> email says "FYI"
> 
> For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
> ---
> ipvs: make ip_vs_svc_table and ip_vs_svc_fwm_table per netns
> 
> This commit converts the global IPVS service tables and their
> associated mutex from global to per-netns, improving lookup
> performance in large-scale deployments with multiple network
> namespaces.
> 
> > diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
> > index 29a36709e7f3..074a204ec6db 100644
> > --- a/include/net/ip_vs.h
> > +++ b/include/net/ip_vs.h
> > @@ -33,6 +33,12 @@
> >
> >  #define IP_VS_HDR_INVERSE	1
> >  #define IP_VS_HDR_ICMP		2
> > +/*
> > + *	Hash table: for virtual service lookups
> > + */
> > +#define IP_VS_SVC_TAB_BITS 8
> > +#define IP_VS_SVC_TAB_SIZE BIT(IP_VS_SVC_TAB_BITS)
> > +#define IP_VS_SVC_TAB_MASK (IP_VS_SVC_TAB_SIZE - 1)
> 
> The patch removes the global mutex definition DEFINE_MUTEX(__ip_vs_mutex)
> from net/netfilter/ipvs/ip_vs_ctl.c and replaces all usage sites with the
> per-netns ipvs->service_mutex. However, the extern declaration at line 52
> of include/net/ip_vs.h is still present:
> 
>     extern struct mutex __ip_vs_mutex;

	I have fixes for all these issues in a followup
patches. Sorry that I forgot to push them to the right
patch.

> Since no in-tree code references __ip_vs_mutex after this conversion,
> should this declaration be removed for consistency?

	It will be removed in a followup patchset, in its patch 3/5.

> 
> [ ... ]
> 
> > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> > index 068702894377..d871273ce917 100644
> > --- a/net/netfilter/ipvs/ip_vs_ctl.c
> > +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> 
> [ ... ]
> 
> > @@ -2306,9 +2282,9 @@ static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
> >
> >  	/* look in hash by protocol */
> >  	for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
> > -		hlist_for_each_entry_rcu(svc, &ip_vs_svc_table[idx], s_list) {
> > -			if ((svc->ipvs == ipvs) && pos-- == 0) {
> > -				iter->table = ip_vs_svc_table;
> > +		hlist_for_each_entry_rcu(svc, &ipvs->svc_table[idx], s_list) {
> > +			if (pos-- == 0) {
> > +				iter->table = ipvs->svc_table;
> >  				iter->bucket = idx;
> >  				return svc;
> >  			}
> > @@ -2317,10 +2293,10 @@ static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
> >
> >  	/* keep looking in fwmark */
> >  	for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
> > -		hlist_for_each_entry_rcu(svc, &ip_vs_svc_fwm_table[idx],
> > +		hlist_for_each_entry_rcu(svc, &ipvs->svc_fwm_table[idx],
> >  					 f_list) {
> > -			if ((svc->ipvs == ipvs) && pos-- == 0) {
> > -				iter->table = ip_vs_svc_fwm_table;
> > +			if (pos-- == 0) {
> > +				iter->table = ipvs->svc_fwm_table;
> >  				iter->bucket = idx;
> >  				return svc;
> >  			}
> 
> [ ... ]
> 
> > @@ -2414,7 +2392,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
> >
> >  		if (svc->ipvs != ipvs)
> >  			return 0;
> > -		if (iter->table == ip_vs_svc_table) {
> > +		if (iter->table == ipvs->svc_table) {
> >  #ifdef CONFIG_IP_VS_IPV6
> >  			if (svc->af == AF_INET6)
> >  				seq_printf(seq, "%s  [%pI6]:%04X %s ",
> 
> The conversion to per-netns tables makes 'svc->ipvs != ipvs' always false
> here in ip_vs_info_seq_show(). Every service in ipvs->svc_table belongs
> to that netns by construction.
> 
> Looking at the patch, similar checks were removed everywhere else:
> - ip_vs_flush(): removed 'svc->ipvs == ipvs' check
> - ip_vs_dst_event(): removed 'svc->ipvs == ipvs' check
> - ip_vs_zero_all(): removed 'svc->ipvs == ipvs' check
> - __ip_vs_service_find(): removed 'svc->ipvs == ipvs' check
> - __ip_vs_svc_fwm_find(): removed 'svc->ipvs == ipvs' check
> - ip_vs_genl_dump_services(): removed 'svc->ipvs != ipvs' check
> - __ip_vs_get_service_entries(): removed 'svc->ipvs != ipvs' check
> - ip_vs_info_array(): removed 'svc->ipvs == ipvs' check
> 
> But this one in ip_vs_info_seq_show() was left behind. Should it also
> be removed for consistency?

	It was removed later in patch 3 ("ipvs: use single svc table").

	Comments about patch 3/9:

- svc_fwm_table in comments will be removed in a followup
patchset, in its patch 3/5.

	Comments about patch 4/9:

- bitwise ops have precedence over the logical ops but as the
series is already applied we can make it less confusing later

Regards

--
Julian Anastasov <ja@ssi.bg>


  reply	other threads:[~2026-02-26 19:25 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-24 20:50 [PATCH net-next 0/9] netfilter: updates for net-next Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 1/9] ipvs: make ip_vs_svc_table and ip_vs_svc_fwm_table per netns Florian Westphal
2026-02-26  3:41   ` [net-next,1/9] " Jakub Kicinski
2026-02-26 19:19     ` Julian Anastasov [this message]
2026-02-24 20:50 ` [PATCH net-next 2/9] ipvs: some service readers can use RCU Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 3/9] ipvs: use single svc table Florian Westphal
2026-02-26  3:41   ` [net-next,3/9] " Jakub Kicinski
2026-02-24 20:50 ` [PATCH net-next 4/9] ipvs: do not keep dest_dst after dest is removed Florian Westphal
2026-02-26  3:41   ` [net-next,4/9] " Jakub Kicinski
2026-02-26  3:44     ` Jakub Kicinski
2026-02-24 20:50 ` [PATCH net-next 5/9] ipvs: use more counters to avoid service lookups Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 6/9] ipvs: no_cport and dropentry counters can be per-net Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 7/9] netfilter: nft_set_rbtree: don't disable bh when acquiring tree lock Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 8/9] netfilter: nf_tables: drop obsolete EXPORT_SYMBOLs Florian Westphal
2026-02-24 20:50 ` [PATCH net-next 9/9] netfilter: nf_tables: remove register tracking infrastructure Florian Westphal
2026-02-26  3:50 ` [PATCH net-next 0/9] netfilter: updates for net-next patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2b88af71-9294-e4a6-968a-cb9b314bc87f@ssi.bg \
    --to=ja@ssi.bg \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox