[Devel] [PATCH RH7 0/4] do not rely on missing rtcache in vzprivnet_hook

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Oct 27 01:03:01 PDT 2016



On 10/26/2016 12:33 AM, Andrew Vagin wrote:
> On Wed, Oct 19, 2016 at 03:20:53PM +0300, Pavel Tikhomirov wrote:
>> vzprivnet filter relies on dst.privnet_mark being per saddr+daddr pair.
>> But rt_hash_table was removed in ms kernel v3.6, commit 89aef8921bfb
>> ("ipv4: Delete routing cache."). And now different saddr+daddr pairs
>> can have same routing dst_entry, and thus same pmark variable, and
>> vzprivnet filter fails to filter these pairs (blocks both or allows
>> both depending on which connection was first, the one we need to
>> block or allow).
>>
>> This is the try to return plain vzprivnet_hook which was without
>> caching, so we would always do explicit vzprivnet_classify. If after
>> this change the network would not become very slow (not much than
>> ~10% slower) we seem to be able to live with it.
>
> Who will do performance measurements?

I've made a description on how to test it for the perf team, see
https://jira.sw.ru/browse/PSBM-54187.

>>
>> note: We do the same in vzprivnet6_hook, except that private networks
>> are in radix tree instead of rbtree as for vzprivnet_hook.
>>
>> https://jira.sw.ru/browse/PSBM-53646
>
> Reviewed-by: Andrew Vagin <avagin at virtuozzo.com>
>
>>
>> Pavel Tikhomirov (4):
>>   Revert "vzprivnet: rt cache drop on vzprivnet update"
>>   Revert "vzprivnet: Flush rt cache each time rules change"
>>   vzprivnet: remove dst.privnet_mark usage as it is no more rtcached
>>   Revert "VZPRIVNET: cache filtering result on dst"
>>
>>  include/net/dst.h                 |  2 --
>>  net/core/dst.c                    |  1 -
>>  net/ipv4/netfilter/ip_vzprivnet.c | 63 +++++++--------------------------------
>>  3 files changed, 10 insertions(+), 56 deletions(-)
>>
>> --
>> 2.7.4
>>

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
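
The failure mode described in the cover letter, as an added toy model in C (not code from the patch series or from vzprivnet). All names, the two /24 networks and the "same private network means accept" policy are assumptions made for the illustration; the only point taken from the thread is that one dst entry, and so one cached mark, can be shared by different saddr+daddr pairs.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types; dst_model stands in for a dst entry with a cached mark. */
enum verdict { V_UNSET = 0, V_ACCEPT, V_DROP };
struct subnet { uint32_t net, mask; };
struct dst_model { enum verdict mark; };

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Constructed sample data: two private networks. */
static const struct subnet privnets[] = {
    { IP(10, 0, 1, 0), 0xffffff00u },
    { IP(10, 0, 2, 0), 0xffffff00u },
};

static int privnet_of(uint32_t addr)
{
    for (int i = 0; i < 2; i++)
        if ((addr & privnets[i].mask) == privnets[i].net)
            return i;
    return -1; /* not in any private network */
}

/* Plain hook: classify every packet by its own saddr+daddr (assumed policy). */
static enum verdict hook_plain(uint32_t saddr, uint32_t daddr)
{
    return privnet_of(saddr) == privnet_of(daddr) ? V_ACCEPT : V_DROP;
}

/* Cached hook: the first packet's verdict is stored on the dst and reused. */
static enum verdict hook_cached(struct dst_model *dst, uint32_t saddr, uint32_t daddr)
{
    if (dst->mark == V_UNSET)
        dst->mark = hook_plain(saddr, daddr);
    return dst->mark;
}

/* Two sources reach one daddr through ONE shared dst; return the second verdict. */
static enum verdict second_verdict_cached(uint32_t first, uint32_t second, uint32_t daddr)
{
    struct dst_model shared = { V_UNSET };
    hook_cached(&shared, first, daddr);
    return hook_cached(&shared, second, daddr);
}

int main(void)
{
    uint32_t peer = IP(10, 0, 1, 9), same = IP(10, 0, 1, 5), other = IP(10, 0, 2, 5);
    printf("cached, same-net first:  other-net verdict %d\n", second_verdict_cached(same, other, peer));
    printf("cached, other-net first: same-net verdict  %d\n", second_verdict_cached(other, same, peer));
    printf("plain: same-net %d, other-net %d (1=accept, 2=drop)\n", hook_plain(same, peer), hook_plain(other, peer));
    return 0;
}
```

With the shared mark, whichever pair arrives first decides the verdict for both; the uncached hook gives each pair its own verdict at the cost of classifying every packet.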

