Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2196530/?format=api
{ "id": 2196530, "url": "http://patchwork.ozlabs.org/api/patches/2196530/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260214151230.18970-7-ja@ssi.bg/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260214151230.18970-7-ja@ssi.bg>", "list_archive_url": null, "date": "2026-02-14T15:12:30", "name": "[nf-next,6/6] ipvs: no_cport and dropentry counters can be per-net", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "6eaa4a38af514ff73ba8c2d17c36f21061e46978", "submitter": { "id": 2825, "url": "http://patchwork.ozlabs.org/api/people/2825/?format=api", "name": "Julian Anastasov", "email": "ja@ssi.bg" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260214151230.18970-7-ja@ssi.bg/mbox/", "series": [ { "id": 492179, "url": "http://patchwork.ozlabs.org/api/series/492179/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=492179", "date": "2026-02-14T15:12:24", "name": "IPVS changes, part 2 of 4 - optimizations", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492179/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196530/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196530/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-10778-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (4096-bit key;\n unprotected) header.d=ssi.bg header.i=@ssi.bg header.a=rsa-sha256\n header.s=ssi header.b=Oji2DOTc;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-10778-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=\"Oji2DOTc\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.238.174.39", "smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=ssi.bg" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fCt2m2vdHz1xr1\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 15 Feb 2026 02:18:08 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 474AC3013873\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 14 Feb 2026 15:18:06 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id A115225FA10;\n\tSat, 14 Feb 2026 15:18:05 +0000 (UTC)", "from mx.ssi.bg (mx.ssi.bg [193.238.174.39])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 53B8523A562;\n\tSat, 14 Feb 2026 15:18:03 +0000 (UTC)", "from mx.ssi.bg (localhost [127.0.0.1])\n\tby mx.ssi.bg (Potsfix) with ESMTP id 96E0421D61;\n\tSat, 14 Feb 2026 17:17:48 +0200 (EET)", "from box.ssi.bg (box.ssi.bg [193.238.174.46])\n\tby mx.ssi.bg (Potsfix) with ESMTPS;\n\tSat, 14 Feb 2026 17:17:46 +0200 (EET)", "from ja.ssi.bg (unknown [213.16.62.126])\n\tby box.ssi.bg (Potsfix) with ESMTPSA id 67EFD628AF;\n\tSat, 14 Feb 2026 17:17:46 +0200 (EET)", "from ja.home.ssi.bg (localhost.localdomain [127.0.0.1])\n\tby ja.ssi.bg (8.18.1/8.18.1) with ESMTP id 61EFCwUj019366;\n\tSat, 14 Feb 2026 17:12:58 +0200", "(from root@localhost)\n\tby ja.home.ssi.bg (8.18.1/8.18.1/Submit) id 61EFCw61019365;\n\tSat, 14 Feb 2026 17:12:58 +0200" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1771082284; cv=none;\n b=etK5AR3F6bLqZ+M0ZouteNzeodNCQFFtE44JCrf9GTRX4TIzkqfYNMFPKzevW8qcguONO6mR0OFvzLHkYgnpG59HbM4/CYjTCuIeG1xsWg6Y8vLeVcuIs/aU5pvH4Tqi5CJCOnMefKcaLLqYnoJmn1VBXHPsQWPlD3NS6a/Jcn0=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1771082284; c=relaxed/simple;\n\tbh=SenVcpQz6rH5qWqU0EOVJPMJYixjW9+d3hrqGVQoEJA=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=u6cIbe1UeRsnOcgSdwsBOCv1z8XuQien7mpEAZpiNch+0y/EB+VkOL7267q34zF1PaanksoFhKfY8AA85bcJU546oBUipFWS1pYof1ZAc5N8oiGCG8pjOx3ckwE1nuhI2zU3/dVG0q0wjd+/sYVGi59ATy7lCPVE5O9uTTPeyUk=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg;\n spf=pass smtp.mailfrom=ssi.bg;\n dkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=Oji2DOTc;\n arc=none smtp.client-ip=193.238.174.39", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ssi.bg; h=cc:cc\n\t:content-transfer-encoding:date:from:from:in-reply-to:message-id\n\t:mime-version:references:reply-to:subject:subject:to:to; s=ssi;\n\t bh=q18sUM3m0kDIHv3aF+8/odre02oFOVdoFiWHcqq5eIU=; b=Oji2DOTc8L2N\n\teEFtJ4EhG32ldcYPcFDYPk2xtROpfVZK3qAIwMUWnsLGssll/oSyMn3hb0EaD7gt\n\t3JILW1BJTUuCYfGGnuHL1jkxZhTH+1v70dld1+8ETUksEAW3cJuGJ18IQJbWDpQU\n\tWyzxRXkzMke3IZw01GLhoJbz4uuePPN31Ue19Dvps7qkue2+kFRjPoRjnb0Dn9sD\n\tK92gwAaKkkD5d6vzrBPFX60ZV6fhrmBak8uUAJAy4DWDMMbSb74oyltm+bo1wj0F\n\tRqhvSMcVmNzvGUQGg7Mg9hb1DQ+XSKSt+Zk4imlwhbdphxdNwNgizkR/0Yvex/Ak\n\tEZv8ZXPN0giBf+nHpgI/hORHFCce7Agl5vctE6UpjmFUuo7q/7W7pDnFNIVNqOT+\n\tlCtzDbeWN1oKQ000SpGMvzpQuYRyBCGISbCuiPbK2qgaiwuAGHs7zPDsMBiU1Dvh\n\tZ8IJCCCw8ue7g46RKk9iKT+YUo3xAD6gDOS6nauHRfNBa6DrnbchrnGik9eywwPi\n\tiQEO2HwixWNMfSOuQoIFCxsddT1nK2StQRb53hwWoeW/cawTZ8NVsuqo9uUgNGRS\n\tZLDBBejQu03/TuaGs4tjkklRtnYd1xdO5pfUmtyHt2gpmvCf1oUc9fuwZBOghfwu\n\thI4HtBfzrDMD+AgdazaDJ7J0M9n1CPE=", "From": "Julian Anastasov <ja@ssi.bg>", "To": "Simon Horman <horms@verge.net.au>", "Cc": "Pablo Neira Ayuso <pablo@netfilter.org>, lvs-devel@vger.kernel.org,\n netfilter-devel@vger.kernel.org, Dust Li <dust.li@linux.alibaba.com>,\n Jiejian Wu <jiejian@linux.alibaba.com>", "Subject": "[PATCH nf-next 6/6] ipvs: no_cport and dropentry counters can be\n per-net", "Date": "Sat, 14 Feb 2026 17:12:30 +0200", "Message-ID": "<20260214151230.18970-7-ja@ssi.bg>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260214151230.18970-1-ja@ssi.bg>", "References": "<20260214151230.18970-1-ja@ssi.bg>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Change the no_cport counters to be per-net and address family.\nThis should reduce the extra conn lookups done during present\nNO_CPORT connections.\n\nBy changing from global to per-net dropentry counters, one net\nwill not affect the drop rate of another net.\n\nSigned-off-by: Julian Anastasov <ja@ssi.bg>\n---\n include/net/ip_vs.h | 2 ++\n net/netfilter/ipvs/ip_vs_conn.c | 64 ++++++++++++++++++++-------------\n 2 files changed, 41 insertions(+), 25 deletions(-)", "diff": "diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h\nindex f2291be36409..ad8a16146ac5 100644\n--- a/include/net/ip_vs.h\n+++ b/include/net/ip_vs.h\n@@ -948,6 +948,7 @@ struct netns_ipvs {\n #endif\n \t/* ip_vs_conn */\n \tatomic_t\t\tconn_count; /* connection counter */\n+\tatomic_t\t\tno_cport_conns[IP_VS_AF_MAX];\n \n \t/* ip_vs_ctl */\n \tstruct ip_vs_stats_rcu\t*tot_stats; /* Statistics & est. */\n@@ -973,6 +974,7 @@ struct netns_ipvs {\n \tint\t\t\tdrop_counter;\n \tint\t\t\told_secure_tcp;\n \tatomic_t\t\tdropentry;\n+\ts8\t\t\tdropentry_counters[8];\n \t/* locks in ctl.c */\n \tspinlock_t\t\tdropentry_lock; /* drop entry handling */\n \tspinlock_t\t\tdroppacket_lock; /* drop packet handling */\ndiff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c\nindex 50cc492c7553..66057db63d02 100644\n--- a/net/netfilter/ipvs/ip_vs_conn.c\n+++ b/net/netfilter/ipvs/ip_vs_conn.c\n@@ -59,9 +59,6 @@ static struct hlist_head *ip_vs_conn_tab __read_mostly;\n /* SLAB cache for IPVS connections */\n static struct kmem_cache *ip_vs_conn_cachep __read_mostly;\n \n-/* counter for no client port connections */\n-static atomic_t ip_vs_conn_no_cport_cnt = ATOMIC_INIT(0);\n-\n /* random value for IPVS connection hash */\n static unsigned int ip_vs_conn_rnd __read_mostly;\n \n@@ -294,10 +291,16 @@ struct ip_vs_conn *ip_vs_conn_in_get(const struct ip_vs_conn_param *p)\n \tstruct ip_vs_conn *cp;\n \n \tcp = __ip_vs_conn_in_get(p);\n-\tif (!cp && atomic_read(&ip_vs_conn_no_cport_cnt)) {\n-\t\tstruct ip_vs_conn_param cport_zero_p = *p;\n-\t\tcport_zero_p.cport = 0;\n-\t\tcp = __ip_vs_conn_in_get(&cport_zero_p);\n+\tif (!cp) {\n+\t\tstruct netns_ipvs *ipvs = p->ipvs;\n+\t\tint af_id = ip_vs_af_index(p->af);\n+\n+\t\tif (atomic_read(&ipvs->no_cport_conns[af_id])) {\n+\t\t\tstruct ip_vs_conn_param cport_zero_p = *p;\n+\n+\t\t\tcport_zero_p.cport = 0;\n+\t\t\tcp = __ip_vs_conn_in_get(&cport_zero_p);\n+\t\t}\n \t}\n \n \tIP_VS_DBG_BUF(9, \"lookup/in %s %s:%d->%s:%d %s\\n\",\n@@ -490,9 +493,12 @@ void ip_vs_conn_put(struct ip_vs_conn *cp)\n void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport)\n {\n \tif (ip_vs_conn_unhash(cp)) {\n+\t\tstruct netns_ipvs *ipvs = cp->ipvs;\n+\t\tint af_id = ip_vs_af_index(cp->af);\n+\n \t\tspin_lock_bh(&cp->lock);\n \t\tif (cp->flags & IP_VS_CONN_F_NO_CPORT) {\n-\t\t\tatomic_dec(&ip_vs_conn_no_cport_cnt);\n+\t\t\tatomic_dec(&ipvs->no_cport_conns[af_id]);\n \t\t\tcp->flags &= ~IP_VS_CONN_F_NO_CPORT;\n \t\t\tcp->cport = cport;\n \t\t}\n@@ -891,8 +897,11 @@ static void ip_vs_conn_expire(struct timer_list *t)\n \t\tif (unlikely(cp->app != NULL))\n \t\t\tip_vs_unbind_app(cp);\n \t\tip_vs_unbind_dest(cp);\n-\t\tif (cp->flags & IP_VS_CONN_F_NO_CPORT)\n-\t\t\tatomic_dec(&ip_vs_conn_no_cport_cnt);\n+\t\tif (unlikely(cp->flags & IP_VS_CONN_F_NO_CPORT)) {\n+\t\t\tint af_id = ip_vs_af_index(cp->af);\n+\n+\t\t\tatomic_dec(&ipvs->no_cport_conns[af_id]);\n+\t\t}\n \t\tif (cp->flags & IP_VS_CONN_F_ONE_PACKET)\n \t\t\tip_vs_conn_rcu_free(&cp->rcu_head);\n \t\telse\n@@ -999,8 +1008,11 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,\n \tcp->out_seq.delta = 0;\n \n \tatomic_inc(&ipvs->conn_count);\n-\tif (flags & IP_VS_CONN_F_NO_CPORT)\n-\t\tatomic_inc(&ip_vs_conn_no_cport_cnt);\n+\tif (unlikely(flags & IP_VS_CONN_F_NO_CPORT)) {\n+\t\tint af_id = ip_vs_af_index(cp->af);\n+\n+\t\tatomic_inc(&ipvs->no_cport_conns[af_id]);\n+\t}\n \n \t/* Bind the connection with a destination server */\n \tcp->dest = NULL;\n@@ -1257,6 +1269,7 @@ static const struct seq_operations ip_vs_conn_sync_seq_ops = {\n };\n #endif\n \n+#ifdef CONFIG_SYSCTL\n \n /* Randomly drop connection entries before running out of memory\n * Can be used for DATA and CTL conns. For TPL conns there are exceptions:\n@@ -1266,12 +1279,7 @@ static const struct seq_operations ip_vs_conn_sync_seq_ops = {\n */\n static inline int todrop_entry(struct ip_vs_conn *cp)\n {\n-\t/*\n-\t * The drop rate array needs tuning for real environments.\n-\t * Called from timer bh only => no locking\n-\t */\n-\tstatic const signed char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};\n-\tstatic signed char todrop_counter[9] = {0};\n+\tstruct netns_ipvs *ipvs = cp->ipvs;\n \tint i;\n \n \t/* if the conn entry hasn't lasted for 60 seconds, don't drop it.\n@@ -1280,15 +1288,17 @@ static inline int todrop_entry(struct ip_vs_conn *cp)\n \tif (time_before(cp->timeout + jiffies, cp->timer.expires + 60*HZ))\n \t\treturn 0;\n \n-\t/* Don't drop the entry if its number of incoming packets is not\n-\t located in [0, 8] */\n+\t/* Drop only conns with number of incoming packets in [1..8] range */\n \ti = atomic_read(&cp->in_pkts);\n-\tif (i > 8 || i < 0) return 0;\n+\tif (i > 8 || i < 1)\n+\t\treturn 0;\n \n-\tif (!todrop_rate[i]) return 0;\n-\tif (--todrop_counter[i] > 0) return 0;\n+\ti--;\n+\tif (--ipvs->dropentry_counters[i] > 0)\n+\t\treturn 0;\n \n-\ttodrop_counter[i] = todrop_rate[i];\n+\t/* Prefer to drop conns with less number of incoming packets */\n+\tipvs->dropentry_counters[i] = i + 1;\n \treturn 1;\n }\n \n@@ -1368,7 +1378,7 @@ void ip_vs_random_dropentry(struct netns_ipvs *ipvs)\n \t}\n \trcu_read_unlock();\n }\n-\n+#endif\n \n /*\n * Flush all the connection entries in the ip_vs_conn_tab\n@@ -1450,7 +1460,11 @@ void ip_vs_expire_nodest_conn_flush(struct netns_ipvs *ipvs)\n */\n int __net_init ip_vs_conn_net_init(struct netns_ipvs *ipvs)\n {\n+\tint idx;\n+\n \tatomic_set(&ipvs->conn_count, 0);\n+\tfor (idx = 0; idx < IP_VS_AF_MAX; idx++)\n+\t\tatomic_set(&ipvs->no_cport_conns[idx], 0);\n \n #ifdef CONFIG_PROC_FS\n \tif (!proc_create_net(\"ip_vs_conn\", 0, ipvs->net->proc_net,\n", "prefixes": [ "nf-next", "6/6" ] }