netfilter-devel.vger.kernel.org archive mirror
From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH 4/7] netfilter: connlimit: use kmem_cache for conn objects
Date: Fri,  7 Mar 2014 14:37:12 +0100
Message-ID: <1394199435-14395-5-git-send-email-fw@strlen.de>
In-Reply-To: <1394199435-14395-1-git-send-email-fw@strlen.de>

We might allocate thousands of these (one object per connection).
Use distinct kmem cache to permit simple tracking on how many
objects are currently used by the connlimit match via the sysfs.

Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/xt_connlimit.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 0220d40..a8eaabb 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -44,6 +44,7 @@ struct xt_connlimit_data {
 };
 
 static u_int32_t connlimit_rnd __read_mostly;
+static struct kmem_cache *connlimit_conn_cachep __read_mostly;
 
 static inline unsigned int connlimit_iphash(__be32 addr)
 {
@@ -113,7 +114,7 @@ static int count_hlist(struct net *net,
 						 &conn->tuple);
 		if (found == NULL) {
 			hlist_del(&conn->node);
-			kfree(conn);
+			kmem_cache_free(connlimit_conn_cachep, conn);
 			continue;
 		}
 
@@ -133,7 +134,7 @@ static int count_hlist(struct net *net,
 			 */
 			nf_ct_put(found_ct);
 			hlist_del(&conn->node);
-			kfree(conn);
+			kmem_cache_free(connlimit_conn_cachep, conn);
 			continue;
 		}
 
@@ -152,7 +153,9 @@ static bool add_hlist(struct hlist_head *head,
 		      const struct nf_conntrack_tuple *tuple,
 		      const union nf_inet_addr *addr)
 {
-	struct xt_connlimit_conn *conn = kmalloc(sizeof(*conn), GFP_ATOMIC);
+	struct xt_connlimit_conn *conn;
+
+	conn = kmem_cache_alloc(connlimit_conn_cachep, GFP_ATOMIC);
 	if (conn == NULL)
 		return false;
 	conn->tuple = *tuple;
@@ -285,7 +288,7 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
 	for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) {
 		hlist_for_each_entry_safe(conn, n, &hash[i], node) {
 			hlist_del(&conn->node);
-			kfree(conn);
+			kmem_cache_free(connlimit_conn_cachep, conn);
 		}
 	}
 
@@ -305,12 +308,23 @@ static struct xt_match connlimit_mt_reg __read_mostly = {
 
 static int __init connlimit_mt_init(void)
 {
-	return xt_register_match(&connlimit_mt_reg);
+	int ret;
+	connlimit_conn_cachep = kmem_cache_create("xt_connlimit_conn",
+					   sizeof(struct xt_connlimit_conn),
+					   0, 0, NULL);
+	if (!connlimit_conn_cachep)
+		return -ENOMEM;
+
+	ret = xt_register_match(&connlimit_mt_reg);
+	if (ret != 0)
+		kmem_cache_destroy(connlimit_conn_cachep);
+	return ret;
 }
 
 static void __exit connlimit_mt_exit(void)
 {
 	xt_unregister_match(&connlimit_mt_reg);
+	kmem_cache_destroy(connlimit_conn_cachep);
 }
 
 module_init(connlimit_mt_init);
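
Review bot: in connlimit_mt_init, kmem_cache_create is called with flags 0 and a NULL constructor, so an allocator that merges compatible caches (SLUB does this) may alias xt_connlimit_conn to an existing cache with the same object size, and the per-cache object count the commit message wants to read would then include unrelated objects. If distinct accounting is the goal, the commit message should say that it holds only when the cache is not merged, and name where the count is expected to be read. Style point in the same function: add a blank line between `int ret;` and the kmem_cache_create call. The error path (destroy the cache when xt_register_match fails) and the unregister-then-destroy order in connlimit_mt_exit mirror the init order and look right.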
-- 
1.8.1.5



Thread overview: 16+ messages
2014-03-07 13:37 [PATCH 0/7] netfilter: connlimit: scalability improvements Florian Westphal
2014-03-07 13:37 ` [PATCH 1/7] netfilter: connlimit: factor hlist search into new function Florian Westphal
2014-03-07 13:37 ` [PATCH 2/7] netfilter: connlimit: improve packet-to-closed-connection logic Florian Westphal
2014-03-07 13:37 ` [PATCH 3/7] netfilter: connlimit: move insertion of new element out of count function Florian Westphal
2014-03-07 13:37 ` Florian Westphal [this message]
2014-03-07 13:37 ` [PATCH 5/7] netfilter: connlimit: use keyed locks Florian Westphal
2014-03-09 17:13   ` Jan Engelhardt
2014-03-09 18:31     ` Florian Westphal
2014-03-07 13:37 ` [PATCH 6/7] netfilter: connlimit: make same_source_net signed Florian Westphal
2014-03-07 13:37 ` [PATCH 7/7] netfilter: connlimit: use rbtree for per-host conntrack obj storage Florian Westphal
2014-03-07 14:47   ` Eric Dumazet
2014-03-07 16:15     ` Florian Westphal
2014-03-09 18:42       ` Eric Dumazet
2014-03-09 18:43         ` Florian Westphal
2014-03-09 21:45           ` Florian Westphal
2014-03-12 12:58 ` [PATCH 0/7] netfilter: connlimit: scalability improvements Pablo Neira Ayuso
