[Devel] [PATCH 02/14] ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl
Alexander Mikhalitsyn
alexander.mikhalitsyn at virtuozzo.com
Fri Apr 30 15:45:30 MSK 2021
From: Konstantin Khorenko <khorenko at virtuozzo.com>
Rebasing and splitting the netfilter subsystem
(port 66-diff-ve-net-netfilter-combined).
Part 1.
https://jira.sw.ru/browse/PSBM-18322
Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
(cherry picked from commit 2cabd3c5f1a772f3dd7648acc345bca529aed254)
VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
include/net/netfilter/nf_conntrack_expect.h | 1 -
include/net/netns/conntrack.h | 2 ++
net/netfilter/nf_conntrack_expect.c | 7 +++----
net/netfilter/nf_conntrack_standalone.c | 3 ++-
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 006e430d1cdf..a31f69e7ec65 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -12,7 +12,6 @@
#include <net/netfilter/nf_conntrack_zones.h>
extern unsigned int nf_ct_expect_hsize;
-extern unsigned int nf_ct_expect_max;
extern struct hlist_head *nf_ct_expect_hash;
struct nf_conntrack_expect {
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 42c8b69c1113..447c3ec738da 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -106,11 +106,13 @@ struct ct_pcpu {
struct netns_ct {
atomic_t count;
+ unsigned int max;
unsigned int expect_count;
#ifdef CONFIG_NF_CONNTRACK_EVENTS
struct delayed_work ecache_dwork;
bool ecache_dwork_pending;
#endif
+ unsigned int expect_max;
#ifdef CONFIG_SYSCTL
struct ctl_table_header *sysctl_header;
struct ctl_table_header *acct_sysctl_header;
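Review bot: The new field `unsigned int max;` inserted after `count` is not referenced anywhere else in this patch and is not mentioned in the description, which only talks about expect_max. If it is consumed by a later patch in the 14-part series, the commit message should say so; otherwise it should move to the patch that first uses it so this change stays self-contained. The struct netns_ct definition starts before and continues past this hunk, so I cannot tell whether a conflicting `max` member already exists elsewhere in it.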
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index b8c739f31d43..59338d01888b 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -43,8 +43,6 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
struct hlist_head *nf_ct_expect_hash __read_mostly;
EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
-unsigned int nf_ct_expect_max __read_mostly;
-
static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
static unsigned int nf_ct_expect_hashrnd __read_mostly;
@@ -451,7 +449,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
}
}
- if (net->ct.expect_count >= nf_ct_expect_max) {
+ if (net->ct.expect_count >= init_net.ct.expect_max) {
net_veboth_ratelimited(KERN_WARNING "VE%s "
"nf_conntrack: expectation table full\n",
net->owner_ve->ve_name);
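Review bot: The changed comparison still enforces the limit from `init_net.ct.expect_max`, so the per-net `net->ct.expect_max` that this same patch wires to the namespaced sysctl (the `table[5].data` assignment in nf_conntrack_standalone.c) has no effect on how many expectations a namespace may create, while a write to the sysctl from init_net changes the cap for every namespace at once. If the intent of "virtualize" is a per-namespace limit, the line should read `if (net->ct.expect_count >= net->ct.expect_max) {`; if the host value is deliberately kept authoritative for resource-isolation reasons, that decision should be stated in a comment above the check and in the commit message, since readers of the sysctl inside a container will otherwise assume the value they set is the one enforced. `__nf_ct_expect_check` begins and ends outside this hunk, so where `net` comes from is not visible here.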
@@ -682,6 +680,7 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
int nf_conntrack_expect_pernet_init(struct net *net)
{
net->ct.expect_count = 0;
+ net->ct.expect_max = init_net.ct.expect_max;
return exp_proc_init(net);
}
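Review bot: The added `net->ct.expect_max = init_net.ct.expect_max;` only yields a sensible default if `nf_conntrack_expect_init()` (which sets `init_net.ct.expect_max` from `nf_ct_expect_hsize` later in this file) has already run before the first pernet init; for init_net itself the line is a self-assignment. That ordering dependency is not visible from this function, so a one-line comment above the assignment, `/* inherit the host limit; nf_conntrack_expect_init() must have initialised init_net.ct.expect_max first */`, would make it explicit for anyone reordering the init sequence.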
@@ -697,7 +696,7 @@ int nf_conntrack_expect_init(void)
if (!nf_ct_expect_hsize)
nf_ct_expect_hsize = 1;
}
- nf_ct_expect_max = nf_ct_expect_hsize * 4;
+ init_net.ct.expect_max = nf_ct_expect_hsize * 4;
nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
sizeof(struct nf_conntrack_expect),
0, 0, NULL);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index c0e9ba243667..e4fcb939e19a 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -557,7 +557,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
},
{
.procname = "nf_conntrack_expect_max",
- .data = &nf_ct_expect_max,
+ .data = &init_net.ct.expect_max,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec,
@@ -588,6 +588,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
table[1].data = &net->ct.count;
table[3].data = &net->ct.sysctl_checksum;
table[4].data = &net->ct.sysctl_log_invalid;
+ table[5].data = &net->ct.expect_max;
/* Don't export sysctls to unprivileged users */
if (ve_net_hide_sysctl(net))
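Review bot: The new `table[5].data = &net->ct.expect_max;` hard-codes the position of the `nf_conntrack_expect_max` entry in `nf_ct_sysctl_table`, which is consistent with the existing `[1]`, `[3]` and `[4]` assignments but silently breaks if an entry is ever inserted above it; the table hunk in this file does not show enough of the array to confirm that the entry is really at index 5. Since the entry keeps `.mode = 0644` with `proc_dointvec` on an `unsigned int`, a namespace that is allowed to write it can store any int, including negative values that become very large unsigned limits, so the commit message should state who is expected to be able to write this per-net value and whether that is acceptable given that the check in `__nf_ct_expect_check` currently reads `init_net.ct.expect_max` rather than this field. A short comment next to the assignment naming the sysctl it targets, `/* nf_conntrack_expect_max */`, would at least make the index intent visible.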
--
2.28.0