[Devel] [PATCH RH7 0/4] do not rely on missing rtcache in vzprivnet_hook
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Oct 25 03:31:47 PDT 2016
Andrey, sorry for repeating, you might have missed my message in hangouts -
please review this patchset.

On 10/19/2016 03:20 PM, Pavel Tikhomirov wrote:
> vzprivnet filter relies on dst.privnet_mark being per saddr+daddr pair.
> But rt_hash_table was removed in ms kernel v3.6, commit 89aef8921bfb
> ("ipv4: Delete routing cache."). And now different saddr+daddr pairs
> can have the same routing dst_entry, and thus the same pmark variable, and
> vzprivnet filter fails to filter these pairs (blocks both or allows
> both depending on which connection was first, the one we need to
> block or allow).
>
> This is an attempt to return the plain vzprivnet_hook which was without
> caching, so we would always do explicit vzprivnet_classify. If after
> this change the network would not become very slow (not more than
> ~10% slower) we seem to be able to live with it.
>
> note: We do the same in vzprivnet6_hook, except that private networks
> are in radix tree instead of rbtree as for vzprivnet_hook.
>
> https://jira.sw.ru/browse/PSBM-53646
>
> Pavel Tikhomirov (4):
>   Revert "vzprivnet: rt cache drop on vzprivnet update"
>   Revert "vzprivnet: Flush rt cache each time rules change"
>   vzprivnet: remove dst.privnet_mark usage as it is no more rtcached
>   Revert "VZPRIVNET: cache filtering result on dst"
>
>  include/net/dst.h                 |  2 --
>  net/core/dst.c                    |  1 -
>  net/ipv4/netfilter/ip_vzprivnet.c | 63 +++++++--------------------------------
>  3 files changed, 10 insertions(+), 56 deletions(-)
>
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
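
The failure mode described in the cover letter above, as an added C model that is not part of the original message and is not the vzprivnet code. The struct and function names, the "same private network" rule and the addresses are assumptions constructed for illustration: a verdict cached on a dst entry shared by several sources is reused for a different saddr+daddr pair, while classifying every packet is not.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model only: every name below is hypothetical, not vzprivnet code. */
enum verdict { UNKNOWN = 0, ALLOW, DROP };

/* One routing entry per destination, shared by all sources (no rt cache). */
struct dst { uint32_t daddr; enum verdict pmark; };

/* Constructed private networks: 10.0.1.0/24 and 10.0.2.0/24. */
struct privnet { uint32_t net, mask; };
static const struct privnet nets[] = {
    { 0x0a000100u, 0xffffff00u },
    { 0x0a000200u, 0xffffff00u },
};

/* Index of the private network containing addr, or -1 if none. */
int net_of(uint32_t addr) {
    for (int i = 0; i < (int)(sizeof(nets) / sizeof(nets[0])); i++)
        if ((addr & nets[i].mask) == nets[i].net)
            return i;
    return -1;
}

/* Assumed rule: allow only when both ends are in the same network. */
enum verdict classify(uint32_t saddr, uint32_t daddr) {
    return net_of(saddr) == net_of(daddr) ? ALLOW : DROP;
}

/* Cached hook: the first flow's verdict sticks to the shared dst. */
enum verdict hook_cached(struct dst *d, uint32_t saddr) {
    if (d->pmark == UNKNOWN)
        d->pmark = classify(saddr, d->daddr);
    return d->pmark;
}

/* Plain hook: classify every packet on its own saddr+daddr pair. */
enum verdict hook_plain(const struct dst *d, uint32_t saddr) {
    return classify(saddr, d->daddr);
}

int main(void) {
    struct dst d = { 0x0a000105u, UNKNOWN };        /* 10.0.1.5 */
    hook_cached(&d, 0x0a000107u);                   /* 10.0.1.7 goes first */
    printf("cached=%d plain=%d\n", hook_cached(&d, 0x0a000207u),
           hook_plain(&d, 0x0a000207u));            /* 10.0.2.7 second */
    return 0;
}
```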