
[nf,0/8] netfilter: nf_conncount: rework locking and memory management

Message ID 20181228002450.18611-1-fw@strlen.de

Message

Florian Westphal Dec. 28, 2018, 12:24 a.m. UTC
This series is a collection of all the various conncount patches that have
been floating around recently.

The overall goal is to simplify nf_conncount instead of just addressing
bugs.  This series removes quite a few lines of code and conditionals.

Most importantly, 'conn' list traversal now requires the node list_lock.

Second, the garbage collection cannot race with the packet path anymore:
collection of conn objects acquires the list_lock, and tree pruning
only occurs after the tree lock has been acquired.

While looking at this, I found a few more, albeit minor, bugs;
these are fixed here as well.

I've mangled Pablo's patches a little so they apply on top
of the other ones, but otherwise no major changes happened.

I've tested this with parallel synfloods against a VM (with no patches,
KASAN splats happen almost instantly).

Please see individual patches for more details.

I'd like to thank everyone that has contributed patches and ideas for this.
More comments, reviews and tests are much appreciated.

Florian Westphal (5):
      netfilter: nf_conncount: don't skip eviction when age is negative
      netfilter: nf_conncount: split gc in two phases
      netfilter: nf_conncount: restart search when nodes have been erased
      netfilter: nf_conncount: merge lookup and add functions
      netfilter: nf_conncount: fix argument order to find_next_bit

Pablo Neira Ayuso (2):
      netfilter: nf_conncount: move all list iterations under spinlock
      netfilter: nf_conncount: speculative garbage collection on empty lists

Shawn Bohrer (1):
      nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS

 include/net/netfilter/nf_conntrack_count.h |   19 -
 net/netfilter/nf_conncount.c               |  290 ++++++++++++-----------------
 net/netfilter/nft_connlimit.c              |   14 -
 3 files changed, 134 insertions(+), 189 deletions(-)
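
The locking discipline the cover letter summarises (conn lists walked only under the node's list_lock, tree pruning only under the tree lock, garbage collection split into two phases, and entries with a negative age still evicted), as an added user-space model in C. This is illustrative code written for this page, not the kernel's nf_conncount implementation; the array-based node layout, the `gc_list`, `gc_phase1` and `gc_phase2` names and the sample deadlines are all constructed for the example.

```c
/* Added example, not kernel code: a model of the cover letter's locking rule.
 * Each node's conn list is guarded by its list_lock, the node set by tree_lock. */
#include <assert.h>
enum { MAX_NODES = 4, MAX_CONNS = 8 };
struct node {                /* list_lock stands in for the node's spinlock */
    int list_lock, in_tree;
    long expires[MAX_CONNS]; /* absolute deadline per conn, 0 = free slot */
};
static int tree_lock;        /* guards which nodes are in the tree */
/* Constructed sample: two nodes in the tree holding three live conns. */
static struct node sample[MAX_NODES] = {
    { .in_tree = 1, .expires = { 5, 20 } }, { .in_tree = 1, .expires = { 3 } } };

static void lock(int *l)   { assert(!*l); *l = 1; }
static void unlock(int *l) { assert(*l);  *l = 0; }

/* Walk one conn list under its list_lock, evict expired entries and return how
 * many remain. Age is signed: a deadline already in the past is evicted too. */
static int gc_list(struct node *n, long now)
{
    int live = 0;
    lock(&n->list_lock);
    for (int j = 0; j < MAX_CONNS; j++) {
        if (n->expires[j] && n->expires[j] - now <= 0) n->expires[j] = 0;
        live += n->expires[j] != 0;
    }
    unlock(&n->list_lock);
    return live;
}

/* Phase 1: per-list eviction without tree_lock; returns nodes left empty. */
static int gc_phase1(struct node *nodes, long now)
{
    int empty = 0;
    for (int i = 0; i < MAX_NODES; i++)
        if (nodes[i].in_tree && gc_list(&nodes[i], now) == 0) empty++;
    return empty;
}

/* Phase 2: prune empty nodes only with tree_lock held, re-checking each list
 * under list_lock because the packet path may have added a conn meanwhile. */
static int gc_phase2(struct node *nodes, long now)
{
    int pruned = 0;
    lock(&tree_lock);
    for (int i = 0; i < MAX_NODES; i++)
        if (nodes[i].in_tree && gc_list(&nodes[i], now) == 0) {
            nodes[i].in_tree = 0; pruned++;
        }
    unlock(&tree_lock);
    return pruned;
}
```

Running phase 1 and phase 2 at time 10 evicts the conn with deadline 3 and prunes its node; running both again at time 25 evicts the conn with deadline 20 even though its age is now negative.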

Comments

Shawn Bohrer Dec. 28, 2018, 5:11 p.m. UTC | #1
On Fri, Dec 28, 2018 at 01:24:41AM +0100, Florian Westphal wrote:
> This series is a collection of all the various conncount patches that have
> been floating around recently.
> 
> The overall goal is to simplify nf_conncount instead of just addressing
> bugs.  This series removes quite a few lines of code and conditionals.
> 
> Most importantly, 'conn' list traversal now requires the node list_lock.
> 
> Second, the garbage collection cannot race with the packet path anymore:
> collection of conn objects acquires the list_lock, and tree pruning
> only occurs after the tree lock has been acquired.
> 
> While looking at this, I found a few more, albeit minor, bugs;
> these are fixed here as well.
> 
> I've mangled Pablo's patches a little so they apply on top
> of the other ones, but otherwise no major changes happened.
> 
> I've tested this with parallel synfloods against a VM (with no patches,
> KASAN splats happen almost instantly).
> 
> Please see individual patches for more details.
> 
> I'd like to thank everyone that has contributed patches and ideas for this.
> More comments, reviews and tests are much appreciated.
> 
> Florian Westphal (5):
>       netfilter: nf_conncount: don't skip eviction when age is negative
>       netfilter: nf_conncount: split gc in two phases
>       netfilter: nf_conncount: restart search when nodes have been erased
>       netfilter: nf_conncount: merge lookup and add functions
>       netfilter: nf_conncount: fix argument order to find_next_bit
> 
> Pablo Neira Ayuso (2):
>       netfilter: nf_conncount: move all list iterations under spinlock
>       netfilter: nf_conncount: speculative garbage collection on empty lists
> 
> Shawn Bohrer (1):
>       nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
> 
>  include/net/netfilter/nf_conntrack_count.h |   19 -
>  net/netfilter/nf_conncount.c               |  290 ++++++++++++-----------------
>  net/netfilter/nft_connlimit.c              |   14 -
>  3 files changed, 134 insertions(+), 189 deletions(-)

Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
Pablo Neira Ayuso Dec. 29, 2018, 12:55 a.m. UTC | #2
On Fri, Dec 28, 2018 at 01:24:41AM +0100, Florian Westphal wrote:
> This series is a collection of all the various conncount patches that have
> been floating around recently.
> 
> The overall goal is to simplify nf_conncount instead of just addressing
> bugs.  This series removes quite a few lines of code and conditionals.

Series applied, thanks Florian.