[Devel] [PATCH RHEL8 COMMIT] ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl

Konstantin Khorenko khorenko at virtuozzo.com
Mon May 24 16:19:14 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.32
------>
commit cb7dc0d2e4ab1ef566399f60be91f247d7fb9286
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Tue May 18 20:54:16 2021 +0300

    ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl
    
    Rebasing and splitting the netfilter subsystem
    (port 66-diff-ve-net-netfilter-combined).
    Part 1.
    
    https://jira.sw.ru/browse/PSBM-18322
    
    * diff-ve-nf-make-nf_ct_expect_max-sysctl-virtual
    Author: Pavel Emelyanov
    Subject: [PATCH rh6] ve: Make nf_ct_expect_max "virtualized"
    Date: Wed, 06 Jul 2011 17:36:45 +0400
    
    Make the respective sysctl be per-ct only. Real limit is still taken from
    ve0 (init_net). Need to look at how this will work in the mainline.
    https://jira.sw.ru/browse/PCLIN-29578
    
    Signed-off-by: Kirill Tkhai <ktkhai at parallels.com>
    
    (cherry picked from vz7 commit 2cabd3c5f1a7 ("ve/netfilter: Implement pernet
    expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl"))
    
    VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783
    
    Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn at virtuozzo.com>
---
 include/net/netfilter/nf_conntrack_expect.h | 1 -
 include/net/netns/conntrack.h               | 1 +
 net/netfilter/nf_conntrack_expect.c         | 7 +++----
 net/netfilter/nf_conntrack_standalone.c     | 3 ++-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 006e430d1cdf..a31f69e7ec65 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -12,7 +12,6 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 
 extern unsigned int nf_ct_expect_hsize;
-extern unsigned int nf_ct_expect_max;
 extern struct hlist_head *nf_ct_expect_hash;
 
 struct nf_conntrack_expect {
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 42c8b69c1113..fe2331b75cc7 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -111,6 +111,7 @@ struct netns_ct {
 	struct delayed_work ecache_dwork;
 	bool ecache_dwork_pending;
 #endif
+	unsigned int		expect_max;
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header	*sysctl_header;
 	struct ctl_table_header	*acct_sysctl_header;
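Review bot: The new `expect_max` field in `struct netns_ct` carries no comment, and its name suggests a per-namespace limit, but on this page the only enforcement site (`__nf_ct_expect_check`, the `init_net.ct.expect_max` comparison in nf_conntrack_expect.c) consults init_net's copy, while every namespace's own copy is seeded from init_net in `nf_conntrack_expect_pernet_init` and exposed read-write through the per-net sysctl table in nf_conntrack_standalone.c. A writer inside a non-init namespace therefore gets a successful write that changes nothing, which the commit message acknowledges but the code does not. I would document that at the field, e.g. `unsigned int		expect_max;	/* per-net sysctl copy; only init_net's value limits the expectation table */`, and repeat a one-line note at the `init_net.ct.expect_max` check and at the pernet_init assignment so a later reader does not assume the per-net value is honoured. `struct netns_ct` begins and ends outside this hunk.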
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index b8c739f31d43..59338d01888b 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -43,8 +43,6 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 struct hlist_head *nf_ct_expect_hash __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
 
-unsigned int nf_ct_expect_max __read_mostly;
-
 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
 static unsigned int nf_ct_expect_hashrnd __read_mostly;
 
@@ -451,7 +449,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 		}
 	}
 
-	if (net->ct.expect_count >= nf_ct_expect_max) {
+	if (net->ct.expect_count >= init_net.ct.expect_max) {
 		net_veboth_ratelimited(KERN_WARNING "VE%s "
 					"nf_conntrack: expectation table full\n",
 					net->owner_ve->ve_name);
@@ -682,6 +680,7 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 int nf_conntrack_expect_pernet_init(struct net *net)
 {
 	net->ct.expect_count = 0;
+	net->ct.expect_max = init_net.ct.expect_max;
 	return exp_proc_init(net);
 }
 
@@ -697,7 +696,7 @@ int nf_conntrack_expect_init(void)
 		if (!nf_ct_expect_hsize)
 			nf_ct_expect_hsize = 1;
 	}
-	nf_ct_expect_max = nf_ct_expect_hsize * 4;
+	init_net.ct.expect_max = nf_ct_expect_hsize * 4;
 	nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
 				sizeof(struct nf_conntrack_expect),
 				0, 0, NULL);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index c0e9ba243667..e4fcb939e19a 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -557,7 +557,7 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 	},
 	{
 		.procname	= "nf_conntrack_expect_max",
-		.data		= &nf_ct_expect_max,
+		.data		= &init_net.ct.expect_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec,
@@ -588,6 +588,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 	table[1].data = &net->ct.count;
 	table[3].data = &net->ct.sysctl_checksum;
 	table[4].data = &net->ct.sysctl_log_invalid;
+	table[5].data = &net->ct.expect_max;
 
 	/* Don't export sysctls to unprivileged users */
 	if (ve_net_hide_sysctl(net))
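Review bot: `table[5].data = &net->ct.expect_max;` hard-codes the position of the "nf_conntrack_expect_max" entry in `nf_ct_sysctl_table`, whose full layout is not visible here; it follows the existing `[1]`, `[3]`, `[4]` style, but unlike those it is new in this series and any later insertion or `#ifdef`-dependent entry above it would silently point a different sysctl at `net->ct.expect_max`. At minimum the index deserves an annotation naming the entry it is meant to hit, `table[5].data = &net->ct.expect_max;	/* "nf_conntrack_expect_max" */`, and a `BUILD_BUG_ON`-style guard or a procname lookup would make the coupling checkable if the surrounding table allows it. `nf_conntrack_standalone_init_sysctl` starts before and continues past this hunk.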

