| Message ID | 1519856382-40212-2-git-send-email-yihung.wei@gmail.com |
|---|---|
| State | Changes Requested |
| Delegated to | Pablo Neira |
| Series | [nf-next,1/2] netfilter: nf_conncount: Refactor nf_conncount |
Yi-Hung Wei <yihung.wei@gmail.com> wrote:
> Currently, nf_conncount_count() counts the number of connections that
> matches key and inserts a conntrack 'tuple' associated with the key into
> the accounting data structure. This patch supports another use case that
> only counts the number of connections associated with the key without
> providing a 'tuple'. Therefore, proper changes are made on
> nf_conncount_count() to support the case where 'tuple' is NULL.

Normal use case is to combine this with another match to only look up the
start of a connection (-p tcp --syn in iptables, or -m conntrack --ctstate NEW
and the like).

Could you perhaps illustrate how this is going to be used?

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <fw@strlen.de> wrote:
> Yi-Hung Wei <yihung.wei@gmail.com> wrote:
>> Currently, nf_conncount_count() counts the number of connections that
>> matches key and inserts a conntrack 'tuple' associated with the key into
>> the accounting data structure. This patch supports another use case that
>> only counts the number of connections associated with the key without
>> providing a 'tuple'. Therefore, proper changes are made on
>> nf_conncount_count() to support the case where 'tuple' is NULL.
>
> Normal use case is to combine this with another match to only lookup
> start of a connection (-p tcp --syn in iptables, or -m conntrack
> --ctstate NEW and the like).
>
> Could you perhaps illustrate how this is going to be used?

I am thinking about using the nf_conncount backend to limit the number
of connections in particular zones for OVS. A use case for us is to
query the number of connections in a particular zone without adding
a new entry to that zone. This could be useful for querying statistics
or for debugging purposes.

Thanks,

-Yi-Hung
Yi-Hung Wei <yihung.wei@gmail.com> wrote:
> On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <fw@strlen.de> wrote:
> > Yi-Hung Wei <yihung.wei@gmail.com> wrote:
> >> Currently, nf_conncount_count() counts the number of connections that
> >> matches key and inserts a conntrack 'tuple' associated with the key into
> >> the accounting data structure. This patch supports another use case that
> >> only counts the number of connections associated with the key without
> >> providing a 'tuple'. Therefore, proper changes are made on
> >> nf_conncount_count() to support the case where 'tuple' is NULL.
> >
> > Normal use case is to combine this with another match to only lookup
> > start of a connection (-p tcp --syn in iptables, or -m conntrack
> > --ctstate NEW and the like).
> >
> > Could you perhaps illustrate how this is going to be used?
>
> I am thinking about to use the nf_conncount backend to limit the number
> of connections in particular zones for OVS. A use case for us is to
> query the number of connections in particular zone without adding
> a new entry to that zone. This is could be useful for querying statistics
> or debugging purpose.

Ok, fair enough, thanks for explaining this.
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 91b13142631e..b247e82ae8e2 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -104,7 +104,7 @@ static unsigned int check_hlist(struct net *net, struct nf_conn *found_ct; unsigned int length = 0; - *addit = true; + *addit = tuple ? true : false; /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { @@ -117,7 +117,7 @@ static unsigned int check_hlist(struct net *net, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (tuple && nf_ct_tuple_equal(&conn->tuple, tuple)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks @@ -220,6 +220,9 @@ count_tree(struct net *net, struct rb_root *root, goto restart; } + if (!tuple) + return 0; + /* no match, need to insert new node */ rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC); if (rbconn == NULL) @@ -242,6 +245,9 @@ count_tree(struct net *net, struct rb_root *root, return 1; } +/* Count and return number of conntrack entries in 'net' with particular 'key'. + * If 'tuple' is not null, insert it into the accounting data structure. + */ unsigned int nf_conncount_count(struct net *net, struct nf_conncount_data *data, const u32 *key,
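Review bot: In the first check_hlist() hunk, `*addit = tuple ? true : false;` is a ternary over a pointer; kernel style would be `*addit = tuple != NULL;`, which states the intent directly (insert only when the caller supplied a tuple). A one-line comment that a NULL tuple selects count-only mode would also help, since `addit` is consumed by the caller rather than in this function.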
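Review bot: In the second check_hlist() hunk the new `tuple &&` guard is evaluated inside hlist_for_each_entry_safe() for every saved connection although `tuple` is loop-invariant; the result is correct, but the comment block that follows ("Just to be sure we have it only once in the list") should say that the duplicate check is skipped in count-only mode while the rest of the per-entry body still runs, so a later reader does not mistake the guard for a NULL-deref fix.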
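Review bot: In the count_tree() hunk, the early `if (!tuple) return 0;` sits correctly before kmem_cache_alloc(), so a query never allocates or inserts an rb node, but the early return is uncommented and the existing `/* no match, need to insert new node */` now only describes the non-NULL path. Suggest a comment on the check itself, e.g. `/* count-only lookup: no node to add */`, and noting that 0 means "no live connections for this key" (the insert path below returns 1 for the newly added entry), so callers do not read it as an error value.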
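Review bot: The new header comment on nf_conncount_count() says "not null"; use NULL to match the commit message and kernel convention, and spell out the return value in each mode: with a NULL `tuple` the function only returns the number of connections found for `key` and has no side effects on the accounting structure, whereas with a tuple it may also insert. Since the same function now has two behaviours, documenting that contract at the declaration is where callers will look.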
Currently, nf_conncount_count() counts the number of connections that
match the key and inserts a conntrack 'tuple' associated with the key into
the accounting data structure. This patch supports another use case that
only counts the number of connections associated with the key without
providing a 'tuple'. Therefore, proper changes are made to
nf_conncount_count() to support the case where 'tuple' is NULL.

Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
 net/netfilter/nf_conncount.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)