[Devel] [PATCH 02/13] ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 24 16:18:13 MSK 2021


+++ b/include/net/netns/conntrack.h
@@ -106,11 +106,13 @@ struct ct_pcpu {

  struct netns_ct {
  	atomic_t		count;
+	unsigned int		max;
  	unsigned int		expect_count;
  #ifdef CONFIG_NF_CONNTRACK_EVENTS


Moved the hunk above into next patch.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/18/2021 08:54 PM, Alexander Mikhalitsyn wrote:
> From: Konstantin Khorenko <khorenko at virtuozzo.com>
>
> Rebasing and splitting netfilters subsystem
> (port 66-diff-ve-net-netfilter-combined).
> Part 1.
>
> https://jira.sw.ru/browse/PSBM-18322
>
> * diff-ve-nf-make-nf_ct_expect_max-sysctl-virtual
> Author: Pavel Emelyanov
> Subject: [PATCH rh6] ve: Make nf_ct_expect_max "virtualized"
> Date: Wed, 06 Jul 2011 17:36:45 +0400
>
> Make the respective sysctl be per-ct only. Real limit is still taken from
> ve0 (init_net). Need to look at how this will work in the mainline.
> https://jira.sw.ru/browse/PCLIN-29578
>
> Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
> (cherry picked from commit 2cabd3c5f1a772f3dd7648acc345bca529aed254)
>
> VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
>
> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
> ---
>  include/net/netfilter/nf_conntrack_expect.h | 1 -
>  include/net/netns/conntrack.h               | 2 ++
>  net/netfilter/nf_conntrack_expect.c         | 7 +++----
>  net/netfilter/nf_conntrack_standalone.c     | 3 ++-
>  4 files changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
> index 006e430d1cdf..a31f69e7ec65 100644
> --- a/include/net/netfilter/nf_conntrack_expect.h
> +++ b/include/net/netfilter/nf_conntrack_expect.h
> @@ -12,7 +12,6 @@
>  #include <net/netfilter/nf_conntrack_zones.h>
>
>  extern unsigned int nf_ct_expect_hsize;
> -extern unsigned int nf_ct_expect_max;
>  extern struct hlist_head *nf_ct_expect_hash;
>
>  struct nf_conntrack_expect {
> diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
> index 42c8b69c1113..447c3ec738da 100644
> --- a/include/net/netns/conntrack.h
> +++ b/include/net/netns/conntrack.h
> @@ -106,11 +106,13 @@ struct ct_pcpu {
>
>  struct netns_ct {
>  	atomic_t		count;
> +	unsigned int		max;
>  	unsigned int		expect_count;
>  #ifdef CONFIG_NF_CONNTRACK_EVENTS
>  	struct delayed_work ecache_dwork;
>  	bool ecache_dwork_pending;
>  #endif
> +	unsigned int		expect_max;
>  #ifdef CONFIG_SYSCTL
>  	struct ctl_table_header	*sysctl_header;
>  	struct ctl_table_header	*acct_sysctl_header;
> diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
> index b8c739f31d43..59338d01888b 100644
> --- a/net/netfilter/nf_conntrack_expect.c
> +++ b/net/netfilter/nf_conntrack_expect.c
> @@ -43,8 +43,6 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
>  struct hlist_head *nf_ct_expect_hash __read_mostly;
>  EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
>
> -unsigned int nf_ct_expect_max __read_mostly;
> -
>  static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
>  static unsigned int nf_ct_expect_hashrnd __read_mostly;
>
> @@ -451,7 +449,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
>  		}
>  	}
>
> -	if (net->ct.expect_count >= nf_ct_expect_max) {
> +	if (net->ct.expect_count >= init_net.ct.expect_max) {
>  		net_veboth_ratelimited(KERN_WARNING "VE%s "
>  					"nf_conntrack: expectation table full\n",
>  					net->owner_ve->ve_name);
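Review bot: The new `+` line compares a per-namespace counter, `net->ct.expect_count`, against the limit of a different namespace, `init_net.ct.expect_max`, and nothing at the call site says this cross-namespace read is deliberate; the rationale ("real limit is still taken from ve0") lives only in the commit message. I would put it next to the check: `/* Only init_net's expect_max is enforced; net->ct.expect_max exists for the per-net sysctl view, not as a limit. */`. Without that comment the obvious "fix" for the next reader is `net->ct.expect_max`, which would let every namespace raise its own ceiling. The body of __nf_ct_expect_check starts and ends outside this hunk.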
> @@ -682,6 +680,7 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
>  int nf_conntrack_expect_pernet_init(struct net *net)
>  {
>  	net->ct.expect_count = 0;
> +	net->ct.expect_max = init_net.ct.expect_max;
>  	return exp_proc_init(net);
>  }
>
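Review bot: `net->ct.expect_max = init_net.ct.expect_max;` is a one-time snapshot taken when the namespace is created, so a later write to the init_net sysctl changes the enforced limit but leaves the value already-existing namespaces report unchanged; that divergence should be stated in a comment such as `/* Snapshot of init_net's limit at netns creation; only init_net's value is enforced. */`. For init_net itself this line is a self-assignment, which is harmless, and the copied value is only meaningful for other namespaces if nf_conntrack_expect_init() has already run — I cannot confirm that ordering from this hunk.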
> @@ -697,7 +696,7 @@ int nf_conntrack_expect_init(void)
>  		if (!nf_ct_expect_hsize)
>  			nf_ct_expect_hsize = 1;
>  	}
> -	nf_ct_expect_max = nf_ct_expect_hsize * 4;
> +	init_net.ct.expect_max = nf_ct_expect_hsize * 4;
>  	nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
>  				sizeof(struct nf_conntrack_expect),
>  				0, 0, NULL);
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index c0e9ba243667..e4fcb939e19a 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -557,7 +557,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
>  	},
>  	{
>  		.procname	= "nf_conntrack_expect_max",
> -		.data		= &nf_ct_expect_max,
> +		.data		= &init_net.ct.expect_max,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec,
> @@ -588,6 +588,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
>  	table[1].data = &net->ct.count;
>  	table[3].data = &net->ct.sysctl_checksum;
>  	table[4].data = &net->ct.sysctl_log_invalid;
> +	table[5].data = &net->ct.expect_max;
>
>  	/* Don't export sysctls to unprivileged users */
>  	if (ve_net_hide_sysctl(net))
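Review bot: `table[5].data = &net->ct.expect_max;` makes the entry writable in every namespace (the template entry in the earlier hunk carries `.mode = 0644`), yet __nf_ct_expect_check() enforces `init_net.ct.expect_max`, so a write from a non-init namespace is accepted and silently has no effect on the limit. If that is not the intended semantics, the treatment mainline gives global limits fits here: `if (!net_eq(&init_net, net)) table[5].mode = 0444;` beside the existing data assignments, or a comment at this line stating that the per-net value is informational only. The hard-coded index 5 also has to match the position of "nf_conntrack_expect_max" in nf_ct_sysctl_table, which the fragment of the table shown in this patch does not let me confirm. nf_conntrack_standalone_init_sysctl starts before this hunk and continues after it.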
>

