From: Patrick McHardy <kaber@trash.net>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
den@openvz.org, xemul@openvz.org, ebiederm@xmission.com,
benjamin.thery@bull.net, dlezcano@fr.ibm.com
Subject: Re: [PATCH 06/25] netns ct: per-netns conntrack hash
Date: Mon, 23 Jun 2008 12:22:17 +0200 [thread overview]
Message-ID: <485F7959.9000901@trash.net> (raw)
In-Reply-To: <20080622010605.GG5392@martell.zuzino.mipt.ru>
Alexey Dobriyan wrote:
> netns is given personal conntrack hash. Another way is to have one hash
> and give tuplehashes ->ct_net pointer. I tried that at some point, it's
> more ugly and more non-obvious.
I think it makes more sense your way, otherwise eviction becomes much
more complicated or people can easily DoS other namespaces.
> Functions that search by tuple (numerical data) get netns argument
> to know where to search as well as conntrack flush functions gets netns
> argument propagated.
>
> Everybody is stubbed to init_net, except trivial places.
>
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -5,5 +5,7 @@
>
> struct netns_ct {
> atomic_t count;
> + struct hlist_head *hash;
> + int hash_vmalloc;
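Review bot: the two new fields in struct netns_ct carry no comment; a one-line note that `hash_vmalloc` records whether `hash` was obtained from vmalloc (so the per-netns teardown path can pick the matching release function) would make the pairing obvious to the next reader, and since the field is only ever a flag it could be a `bool` rather than an `int`.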
Shouldn't the lock also be per namespace?
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -49,15 +49,11 @@ EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
> int nf_conntrack_max __read_mostly;
> EXPORT_SYMBOL_GPL(nf_conntrack_max);
>
> -struct hlist_head *nf_conntrack_hash __read_mostly;
> -EXPORT_SYMBOL_GPL(nf_conntrack_hash);
> -
> struct nf_conn nf_conntrack_untracked __read_mostly;
> EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
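Review bot: this hunk drops the exported global `nf_conntrack_hash` along with its `EXPORT_SYMBOL_GPL`, so every in-tree user that dereferenced the old symbol must be switched to the per-netns `net->ct.hash` in the same series or the build breaks; please confirm the remaining users are covered by the later patches, and note that `nf_conntrack_untracked` stays a single global here while the hash it would be looked up in becomes per-netns.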
Just a general comment, maybe it's done in a later patch. But
for nf_conntrack_cleanup(), you also need to put the untracked
entry in a namespace, otherwise different use in different
namespaces will prevent cleanup from completing.