From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Changliang Wu <changliang.wu@smartx.com>
Cc: kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
Date: Mon, 19 Aug 2024 20:47:12 +0200
Message-ID: <ZsOTMHeMPgtjU6ZZ@calendula>
In-Reply-To: <CALHBjYFn_qB=Oo3TTg0znOnNz9rX5jP+eYSZbatAN94ys8Tzmw@mail.gmail.com>
Please, provide an example program for libnetfilter_conntrack.
See:
commit 27f09380ebb0fc21c4cd20070b828a27430b5de1
Author: Felix Huettner <felix.huettner@mail.schwarz>
Date: Tue Dec 5 09:35:16 2023 +0000
conntrack: support flush filtering
for instance.
thanks
On Thu, Jul 11, 2024 at 01:40:02PM +0800, Changliang Wu wrote:
> PING
>
>
> Changliang Wu <changliang.wu@smartx.com> wrote on Thu, Jun 20, 2024 at 19:35:
> >
> > From cb8aa9a, we can use kernel side filtering for dump, but
> > this capability is not available for flush.
> >
> > This patch allows advanced filter with CTA_FILTER for flush
> >
> > Performance
> > 1048576 ct flows in total, delete 50,000 flows by origin src ip
> > 3.06s -> dump all, compare and delete
> > 584ms -> directly flush with filter
> >
> > Signed-off-by: Changliang Wu <changliang.wu@smartx.com>
> > ---
> > net/netfilter/nf_conntrack_netlink.c | 9 +++------
> > 1 file changed, 3 insertions(+), 6 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index 3b846cbdc..93afe57d9 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
> > };
> >
> > if (ctnetlink_needs_filter(family, cda)) {
> > - if (cda[CTA_FILTER])
> > - return -EOPNOTSUPP;
> > -
> > filter = ctnetlink_alloc_filter(cda, family);
> > if (IS_ERR(filter))
> > return PTR_ERR(filter);
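
Review bot: dropping the `return -EOPNOTSUPP` at the top of the `ctnetlink_needs_filter()` block makes flush accept CTA_FILTER, but the hunk only shows the filter being allocated, not that the flush path applies the CTA_FILTER flags when it matches entries. Flush is destructive, so a filter that is parsed but matched more loosely than the caller requested deletes more entries than intended. Please state in the commit message which filter fields flush honours, and add a test (or the requested libnetfilter_conntrack example) that checks non-matching entries survive the flush.
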
> > @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
> > if (err < 0)
> > return err;
> >
> > - if (cda[CTA_TUPLE_ORIG])
> > + if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
> > err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
> > family, &zone);
> > - else if (cda[CTA_TUPLE_REPLY])
> > + else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
> > err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
> > family, &zone);
> > else {
> > - u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
> > + u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
> >
> > return ctnetlink_flush_conntrack(info->net, cda,
> > NETLINK_CB(skb).portid,
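
Review bot: the added `&& !cda[CTA_FILTER]` on the CTA_TUPLE_ORIG and CTA_TUPLE_REPLY branches changes what an existing request means: a delete carrying a tuple together with CTA_FILTER used to take the `ctnetlink_parse_tuple()` path and now falls through to `ctnetlink_flush_conntrack()`. That user-visible change is not mentioned in the commit message and should be documented there. In the same hunk, `info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC` relies on `||` binding tighter than `?:`; parenthesising the condition would make the intent explicit. The `u_int8_t` to `u8` change is an unrelated cleanup and is better noted in the changelog or split out.
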
> > --
> > 2.43.0
> >