From patchwork Mon Aug 3 07:33:04 2020 X-Patchwork-Submitter: Roi Dayan X-Patchwork-Id: 1340173 X-Patchwork-Delegate: davem@davemloft.net
From: Roi Dayan To: netdev@vger.kernel.org Cc: pablo@netfilter.org, Paul Blakey , Oz Shlomo , Roi Dayan , Marcelo Ricardo Leitner Subject: [PATCH net v2 1/2] netfilter: conntrack: Move nf_ct_offload_timeout to header file Date: Mon, 3 Aug 2020 10:33:04 +0300 Message-Id: <20200803073305.702079-2-roid@mellanox.com> X-Mailer: git-send-email 2.8.4 In-Reply-To: <20200803073305.702079-1-roid@mellanox.com> References: <20200803073305.702079-1-roid@mellanox.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org To be used by callers from other modules. Signed-off-by: Roi Dayan Reviewed-by: Oz Shlomo --- include/net/netfilter/nf_conntrack.h | 12 ++++++++++++ net/netfilter/nf_conntrack_core.c | 12 ------------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 90690e37a56f..8481819ff632 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct) !nf_ct_is_dying(ct); } +#define DAY (86400 * HZ) + +/* Set an arbitrary timeout large enough not to ever expire, this save + * us a check for the IPS_OFFLOAD_BIT from the packet path via + * nf_ct_is_expired(). + */ +static inline void nf_ct_offload_timeout(struct nf_conn *ct) +{ + if (nf_ct_expires(ct) < DAY / 2) + ct->timeout = nfct_time_stamp + DAY; +} + struct kernel_param; int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 79cd9dde457b..947c6d9437c3 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c 
@@ -1344,18 +1344,6 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct) return false; } -#define DAY (86400 * HZ) - -/* Set an arbitrary timeout large enough not to ever expire, this save - * us a check for the IPS_OFFLOAD_BIT from the packet path via - * nf_ct_is_expired(). - */ -static void nf_ct_offload_timeout(struct nf_conn *ct) -{ - if (nf_ct_expires(ct) < DAY / 2) - ct->timeout = nfct_time_stamp + DAY; -} - static void gc_worker(struct work_struct *work) { unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u); From patchwork Mon Aug 3 07:33:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roi Dayan X-Patchwork-Id: 1340172 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org (client-ip=23.128.96.18; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=mellanox.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by ozlabs.org (Postfix) with ESMTP id 4BKqPH4Z4nz9sRN for ; Mon, 3 Aug 2020 17:33:23 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725957AbgHCHdV (ORCPT ); Mon, 3 Aug 2020 03:33:21 -0400 Received: from mail-il-dmz.mellanox.com ([193.47.165.129]:43519 "EHLO mellanox.co.il" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725270AbgHCHdU (ORCPT ); Mon, 3 Aug 2020 03:33:20 -0400 Received: from Internal Mail-Server by MTLPINE1 (envelope-from roid@mellanox.com) with SMTP; 3 Aug 2020 10:33:13 +0300 Received: from dev-r-vrt-138.mtr.labs.mlnx (dev-r-vrt-138.mtr.labs.mlnx [10.212.138.1]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id 0737XCK2012882; Mon, 3 Aug 2020 10:33:13 +0300 
From: Roi Dayan To: netdev@vger.kernel.org Cc: pablo@netfilter.org, Paul Blakey , Oz Shlomo , Roi Dayan , Marcelo Ricardo Leitner Subject: [PATCH net v2 2/2] netfilter: flowtable: Set offload timeout when adding flow Date: Mon, 3 Aug 2020 10:33:05 +0300 Message-Id: <20200803073305.702079-3-roid@mellanox.com> X-Mailer: git-send-email 2.8.4 In-Reply-To: <20200803073305.702079-1-roid@mellanox.com> References: <20200803073305.702079-1-roid@mellanox.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On heavily loaded systems the GC can take time to go over all existing conns and reset their timeout. At that time other calls like from nf_conntrack_in() can call of nf_ct_is_expired() and see the conn as expired. To fix this when we set the offload bit we should also reset the timeout instead of counting on GC to finish first iteration over all conns before the initial timeout. Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit") Signed-off-by: Roi Dayan --- Notes: v2 - timeout fix from flow_offload_add() instead of act_ct net/netfilter/nf_flow_table_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index b1eb5272b379..4f7a567c536e 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -243,6 +243,8 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow) return err; } + nf_ct_offload_timeout(flow->ct); + if (nf_flowtable_hw_offload(flow_table)) { __set_bit(NF_FLOW_HW, &flow->flags); nf_flow_offload_add(flow_table, flow);
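Review bot: in the include/net/netfilter/nf_conntrack.h hunk of patch 1/2, `#define DAY (86400 * HZ)` now sits in a header instead of staying private to nf_conntrack_core.c, so the unprefixed name DAY becomes visible to every file that includes this header and can clash with another definition of the same name. A prefixed name (NF_CT_DAY is a suggestion, not a name from the patch) used in both the macro and nf_ct_offload_timeout() would avoid that. Because the helper is now meant for callers from other modules, the comment above it could also state what a caller must guarantee before calling it, given that `ct->timeout = nfct_time_stamp + DAY;` is a plain store.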
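Review bot: in the net/netfilter/nf_flow_table_core.c hunk of patch 2/2, the new `nf_ct_offload_timeout(flow->ct);` call in flow_offload_add() is reached only after the preceding `return err;` path, and the hunk does not show where the offload bit is set relative to it. The commit message ties the fix to the moment "when we set the offload bit", so please confirm that no window is left between setting that bit and this call in which nf_ct_is_expired() can still see the initial timeout. If the ordering is deliberate, a one-line comment at the call site saying so would help, along with a sentence in the commit message on what happens to the extended timeout if the later nf_flow_offload_add() step does not succeed.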