Re: Quota on SMP AGAIN - Patrick McHardy

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: gpf <gpf@simm.ru>, netfilter-devel@vger.kernel.org
Subject: Re: Quota on SMP AGAIN
Date: Fri, 28 Dec 2007 17:50:32 +0100	[thread overview]
Message-ID: <47752958.3010601@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0712281716350.29013@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Dec 28 2007 17:13, Patrick McHardy wrote:
>   
>> Gpf's report didn't include an actual description of the problem, so
>> I can only assume its an incorrect value of the quota. What exactly
>> are the effects you're seeing?
>>
>>     
>
> To begin with:
>
> 	ssh root@somebox
>
> when logged in:
>
> 	iptables -I OUTPUT -m quota --quota 1234567
>
> as you do more actions over the interactive ssh session, the quota
> will obviously decrease -- after all, that is what it is supposed
> to do. Enter
>
> 	iptables -nvL OUTPUT
>
> should reduce the quota by some 50-60 bytes per packet (and typing the 
> iptables command costs some bytes), but as you 
> repeatedly call iptables, the quota fluctuates around 1234567.
>
> What one can see is that the packet counter (1st column) increases while 
> the quota has problems.
>
> 17:38 ccgmbh:~ # iptables -nvL | grep quota
>   155 35709            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1234567 bytes
> 17:38 ccgmbh:~ # iptables -nvL | grep quota
>   163 36609            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1234567 bytes
> 17:38 ccgmbh:~ # iptables -nvL | grep quota
>   171 37509            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1197058 bytes
> 17:38 ccgmbh:~ # iptables -nvL | grep quota
>   179 38409            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1234567 bytes
>
> What is interesting to note is that if we do away with all "wrong" 
> results, then it "works":
>
> 17:39 ccgmbh:~ # while :; do iptables -nvL | grep quota; done | grep -v 1234567
> ...
>   830  118K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1116680 bytes
>   832  118K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1116399 bytes
>   834  118K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1116150 bytes
>   834  118K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1116150 bytes
>   838  119K            all  --  *      *       0.0.0.0/0            0.0.0.0/0           quota: 1115684 bytes
> ...
>
> Want to know what I believe? That r->master = r in the source code is 
> redundant and/or does not solve the problem its comment says.
>
> /* For SMP, we only want to use one set of counters. */
>
> And my bigtime question would be: where is the other counter actually? 
> struct xt_quota_info only has one counter! Does netfilter secretly 
> allocate matchinfos per-cpu?
>   

Not secretly, but yes, the entire ruleset exists once per CPU. That
also seems to be the problem, at the time the master idea was thought
of we always dumped entries from CPU 0, today its from the current
CPU, but the only one that actually has correct counters is CPU 0.

The easy fix would be to revert to that behaviour, but maybe someone
can come up with a better idea that doesn't involve walking over the
entire ruleset and resycing things or adding dump callbacks to
matches.

next prev parent reply	other threads:[~2007-12-28 16:50 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-12-27 15:14 Quota on SMP AGAIN gpf
2007-12-27 15:54 ` Jan Engelhardt
2007-12-27 16:55   ` gpf
2007-12-28 15:26 ` Patrick McHardy
2007-12-28 15:50   ` Jan Engelhardt
2007-12-28 16:13     ` Patrick McHardy
2007-12-28 16:38       ` Jan Engelhardt
2007-12-28 16:50         ` Patrick McHardy [this message]
2007-12-28 17:00           ` Jan Engelhardt
2007-12-29 16:32             ` Patrick McHardy
2007-12-29 18:54               ` Krzysztof Oledzki
2007-12-29 19:54                 ` Jan Engelhardt
2007-12-30 17:36                   ` Patrick McHardy
2007-12-30 18:25                     ` Jan Engelhardt
2007-12-30 18:27                       ` Patrick McHardy
2007-12-30 21:31           ` Krzysztof Oledzki
2007-12-31  0:19             ` Patrick McHardy
2007-12-31  0:54               ` Jan Engelhardt
2007-12-31 14:15                 ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=47752958.3010601@trash.net \
    --to=kaber@trash.net \
    --cc=gpf@simm.ru \
    --cc=jengelh@computergmbh.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).