From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 36/36] netfilter: conntrack: use single slab cache
Date: Mon, 9 May 2016 20:46:54 +0200 [thread overview]
Message-ID: <1462819614-5402-37-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1462819614-5402-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
An earlier patch changed lookup side to also net_eq() namespaces after
obtaining a reference on the conntrack, so a single kmemcache can be used.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netns/conntrack.h | 2 --
net/netfilter/nf_conntrack_core.c | 36 ++++++++++++++----------------------
2 files changed, 14 insertions(+), 24 deletions(-)
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 1e751bf..38b1a80 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -84,7 +84,6 @@ struct netns_ct {
struct ctl_table_header *event_sysctl_header;
struct ctl_table_header *helper_sysctl_header;
#endif
- char *slabname;
unsigned int sysctl_log_invalid; /* Log invalid packets */
int sysctl_events;
int sysctl_acct;
@@ -93,7 +92,6 @@ struct netns_ct {
int sysctl_tstamp;
int sysctl_checksum;
- struct kmem_cache *nf_conntrack_cachep;
struct ct_pcpu __percpu *pcpu_lists;
struct ip_conntrack_stat __percpu *stat;
struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f58a704..0cd2936 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -72,6 +72,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock);
struct hlist_nulls_head *nf_conntrack_hash __read_mostly;
EXPORT_SYMBOL_GPL(nf_conntrack_hash);
+static __read_mostly struct kmem_cache *nf_conntrack_cachep;
static __read_mostly spinlock_t nf_conntrack_locks_all_lock;
static __read_mostly seqcount_t nf_conntrack_generation;
static __read_mostly bool nf_conntrack_locks_all;
@@ -910,7 +911,7 @@ __nf_conntrack_alloc(struct net *net,
* Do not use kmem_cache_zalloc(), as this cache uses
* SLAB_DESTROY_BY_RCU.
*/
- ct = kmem_cache_alloc(net->ct.nf_conntrack_cachep, gfp);
+ ct = kmem_cache_alloc(nf_conntrack_cachep, gfp);
if (ct == NULL)
goto out;
@@ -937,7 +938,7 @@ __nf_conntrack_alloc(struct net *net,
atomic_set(&ct->ct_general.use, 0);
return ct;
out_free:
- kmem_cache_free(net->ct.nf_conntrack_cachep, ct);
+ kmem_cache_free(nf_conntrack_cachep, ct);
out:
atomic_dec(&net->ct.count);
return ERR_PTR(-ENOMEM);
@@ -964,7 +965,7 @@ void nf_conntrack_free(struct nf_conn *ct)
nf_ct_ext_destroy(ct);
nf_ct_ext_free(ct);
- kmem_cache_free(net->ct.nf_conntrack_cachep, ct);
+ kmem_cache_free(nf_conntrack_cachep, ct);
smp_mb__before_atomic();
atomic_dec(&net->ct.count);
}
@@ -1587,8 +1588,6 @@ i_see_dead_people:
nf_conntrack_tstamp_pernet_fini(net);
nf_conntrack_acct_pernet_fini(net);
nf_conntrack_expect_pernet_fini(net);
- kmem_cache_destroy(net->ct.nf_conntrack_cachep);
- kfree(net->ct.slabname);
free_percpu(net->ct.stat);
free_percpu(net->ct.pcpu_lists);
}
@@ -1693,7 +1692,8 @@ EXPORT_SYMBOL_GPL(nf_ct_untracked_status_or);
int nf_conntrack_init_start(void)
{
int max_factor = 8;
- int i, ret, cpu;
+ int ret = -ENOMEM;
+ int i, cpu;
seqcount_init(&nf_conntrack_generation);
@@ -1729,6 +1729,12 @@ int nf_conntrack_init_start(void)
nf_conntrack_max = max_factor * nf_conntrack_htable_size;
+ nf_conntrack_cachep = kmem_cache_create("nf_conntrack",
+ sizeof(struct nf_conn), 0,
+ SLAB_DESTROY_BY_RCU, NULL);
+ if (!nf_conntrack_cachep)
+ goto err_cachep;
+
printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
nf_conntrack_max);
@@ -1805,6 +1811,8 @@ err_tstamp:
err_acct:
nf_conntrack_expect_fini();
err_expect:
+ kmem_cache_destroy(nf_conntrack_cachep);
+err_cachep:
nf_ct_free_hashtable(nf_conntrack_hash, nf_conntrack_htable_size);
return ret;
}
@@ -1846,18 +1854,6 @@ int nf_conntrack_init_net(struct net *net)
if (!net->ct.stat)
goto err_pcpu_lists;
- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
- if (!net->ct.slabname)
- goto err_slabname;
-
- net->ct.nf_conntrack_cachep = kmem_cache_create(net->ct.slabname,
- sizeof(struct nf_conn), 0,
- SLAB_DESTROY_BY_RCU, NULL);
- if (!net->ct.nf_conntrack_cachep) {
- printk(KERN_ERR "Unable to create nf_conn slab cache\n");
- goto err_cache;
- }
-
ret = nf_conntrack_expect_pernet_init(net);
if (ret < 0)
goto err_expect;
@@ -1889,10 +1885,6 @@ err_tstamp:
err_acct:
nf_conntrack_expect_pernet_fini(net);
err_expect:
- kmem_cache_destroy(net->ct.nf_conntrack_cachep);
-err_cache:
- kfree(net->ct.slabname);
-err_slabname:
free_percpu(net->ct.stat);
err_pcpu_lists:
free_percpu(net->ct.pcpu_lists);
--
2.1.4
next prev parent reply other threads:[~2016-05-09 18:47 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-09 18:46 [PATCH 00/36] Netfilter updates for net-next Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 01/36] ipvs: handle connections started by real-servers Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 02/36] ipvs: optimize release of connections in OPS mode Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 03/36] ipvs: don't alter conntrack " Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 04/36] netfilter: conntrack: move generation seqcnt out of netns_ct Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 05/36] netfilter: conntrack: use get_random_once for nat and expectations Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 06/36] netfilter: conntrack: use get_random_once for conntrack hash seed Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 07/36] netfilter: nf_tables: introduce nft_setelem_parse_flags() helper Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 08/36] netfilter: nf_tables: parse element flags from nft_del_setelem() Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 09/36] netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 10/36] netfilter: nft_rbtree: allow adjacent intervals with dynamic updates Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 11/36] netfilter: nf_ct_helper: disable automatic helper assignment Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 12/36] netfilter: ip6t_SYNPROXY: unnecessary to check whether ip6_route_output returns NULL Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 13/36] netfilter: fix IS_ERR_VALUE usage Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 14/36] netfilter: nftables: add connlabel set support Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 15/36] netfilter: conntrack: keep BH enabled during lookup Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 16/36] netfilter: conntrack: fix lookup race during hash resize Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 17/36] netfilter: conntrack: don't attempt to iterate over empty table Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 18/36] netfilter: conntrack: use nf_ct_key_equal() in more places Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 19/36] netfilter: conntrack: small refactoring of conntrack seq_printf Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 20/36] netfilter: conntrack: check netns when comparing conntrack objects Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 21/36] netfilter: conntrack: make netns address part of hash Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 22/36] netfilter: conntrack: use a single hashtable for all namespaces Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 23/36] netfilter: conntrack: consider ct netns in early_drop logic Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 24/36] netfilter: conntrack: __nf_ct_l4proto_find() always returns valid pointer Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 25/36] netfilter: conntrack: introduce nf_ct_acct_update() Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 26/36] netfilter: conntrack: introduce clash resolution on insertion race Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 27/36] openvswitch: __nf_ct_l{3,4}proto_find() always return a valid pointer Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 28/36] netfilter: x_tables: get rid of old and inconsistent debugging Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 29/36] netfilter: nf_tables: allow set names up to 32 bytes Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 30/36] ipvs: make drop_entry protection effective for SIP-pe Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 31/36] netfilter: conntrack: check netns when walking expect hash Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 32/36] netfilter: conntrack: make netns address part of " Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 33/36] netfilter: conntrack: use a single expectation table for all namespaces Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 34/36] netfilter: conntrack: make netns address part of nat bysrc hash Pablo Neira Ayuso
2016-05-09 18:46 ` [PATCH 35/36] netfilter: conntrack: use a single nat bysource table for all namespaces Pablo Neira Ayuso
2016-05-09 18:46 ` Pablo Neira Ayuso [this message]
2016-05-09 19:15 ` [PATCH 00/36] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462819614-5402-37-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).