[Devel] [PATCH rh7 2/4] net: Skip allocation of conntrack if there are no rules

Kirill Tkhai ktkhai at virtuozzo.com
Mon Sep 5 23:31:33 PDT 2016


A HW node may have many CTs that have no conntrack
users. Skip conntrack allocation for them to save resources
and reduce the performance penalty.

Next two patches will actually mark conntrack users.

https://jira.sw.ru/browse/PSBM-51050

Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 net/netfilter/nf_conntrack_core.c    |    7 ++++++-
 net/netfilter/nf_conntrack_netlink.c |    2 ++
 net/netfilter/nf_synproxy_core.c     |    2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index b5de5aa..c46bede 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -841,6 +841,11 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
 	unsigned int ct_max = net->ct.max ? net->ct.max : init_net.ct.max;
 	struct nf_conn *ct;
 
+	if (!atomic_read(&net->ct.users)) {
+		/* No rules loaded */
+		return NULL;
+	}
+
 	if (unlikely(!nf_conntrack_hash_rnd)) {
 		init_nf_conntrack_hash_rnd();
 		/* recompute the hash as nf_conntrack_hash_rnd is initialized */
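Review bot: The early return added at the top of __nf_conntrack_alloc gives the allocator a second failure value, NULL, alongside the ERR_PTR values its callers test for with IS_ERR(), and nothing in the function documents this. Any caller of nf_conntrack_alloc() that this series does not touch would take NULL for a valid entry and dereference it whenever net->ct.users is zero, so those call sites need auditing (none are visible here). I would state the contract in the comment, e.g. `/* No conntrack users in this netns: return NULL, not ERR_PTR; callers must check IS_ERR_OR_NULL() */`. The function body continues outside the hunk.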
@@ -963,7 +968,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
 
 	ct = __nf_conntrack_alloc(net, zone, tuple, &repl_tuple, GFP_ATOMIC,
 				  hash);
-	if (IS_ERR(ct))
+	if (IS_ERR_OR_NULL(ct))
 		return (struct nf_conntrack_tuple_hash *)ct;
 
 	if (tmpl && nfct_synproxy(tmpl)) {
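Review bot: The NULL that init_conntrack now passes up at `return (struct nf_conntrack_tuple_hash *)ct;` cannot be told apart from any other meaning its caller gives a NULL tuple hash, and that caller is not in this hunk. If that path counts the packet as invalid or simply lets it through untracked, a netns that loads its first rule later will see established flows mid-stream with no entry, which stateful rules may then classify as invalid or new; this should be confirmed and documented. A comment such as `/* NULL: no conntrack users in this netns, packet is left untracked */` above the check would make the intent explicit. init_conntrack starts and ends outside the hunk.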
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index d6b6465..87f5091 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1617,7 +1617,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
 	struct nf_conntrack_helper *helper;
 	struct nf_conn_tstamp *tstamp;
 
+	inc_conntrack_users(net);
 	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
+	dec_conntrack_users(net);
 	if (IS_ERR(ct))
 		return ERR_PTR(-ENOMEM);
 
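Review bot: The unchanged `if (IS_ERR(ct))` check after the bracketed allocation still does not cover the NULL return this patch introduces; it relies on inc_conntrack_users() having made net->ct.users non-zero, and that helper is defined outside this patch. I would make the check `if (IS_ERR_OR_NULL(ct))` here and add a short comment on the pair, e.g. `/* force allocation: this netns may have no conntrack users yet */`. The same applies to synproxy_net_init in nf_synproxy_core.c, where the fix needs `if (!ct) goto err1;` before the IS_ERR test because PTR_ERR(NULL) would set err to 0. The count is also dropped right after the allocation, so the new entry can outlive any registered user; whether later lookups or cleanup depend on the counter cannot be told from these hunks.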
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 52e20c9..7bef49e 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -353,7 +353,9 @@ static int __net_init synproxy_net_init(struct net *net)
 	int err = -ENOMEM;
 
 	memset(&t, 0, sizeof(t));
+	inc_conntrack_users(net);
 	ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
+	dec_conntrack_users(net);
 	if (IS_ERR(ct)) {
 		err = PTR_ERR(ct);
 		goto err1;


