Commit 49ac8713 authored by Alexey Dobriyan's avatar Alexey Dobriyan Committed by Patrick McHardy

netfilter: netns nf_conntrack: per-netns conntrack count

Sysctls and proc files are stubbed to init_net's one. This is temporary.
Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 5a1fb391
...@@ -288,7 +288,6 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb) ...@@ -288,7 +288,6 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb)
extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
extern unsigned int nf_conntrack_htable_size; extern unsigned int nf_conntrack_htable_size;
extern int nf_conntrack_checksum; extern int nf_conntrack_checksum;
extern atomic_t nf_conntrack_count;
extern int nf_conntrack_max; extern int nf_conntrack_max;
DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
#ifndef __NETNS_CONNTRACK_H #ifndef __NETNS_CONNTRACK_H
#define __NETNS_CONNTRACK_H #define __NETNS_CONNTRACK_H
#include <asm/atomic.h>
struct netns_ct { struct netns_ct {
atomic_t count;
}; };
#endif #endif
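Review bot: `struct netns_ct` gains its first field with no comment saying what `count` tracks or where it is maintained, so a reader of this header has to hunt through nf_conntrack_alloc and nf_conntrack_free_rcu to learn its contract. A one-line comment on the field would do, e.g. `atomic_t count; /* live conntracks owned by this netns: inc in nf_conntrack_alloc, dec in nf_conntrack_free_rcu */`. It is also worth stating there that the bound applied to it, `nf_conntrack_max`, remains a global in this commit.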
...@@ -254,7 +254,7 @@ static ctl_table ip_ct_sysctl_table[] = { ...@@ -254,7 +254,7 @@ static ctl_table ip_ct_sysctl_table[] = {
{ {
.ctl_name = NET_IPV4_NF_CONNTRACK_COUNT, .ctl_name = NET_IPV4_NF_CONNTRACK_COUNT,
.procname = "ip_conntrack_count", .procname = "ip_conntrack_count",
.data = &nf_conntrack_count, .data = &init_net.ct.count,
.maxlen = sizeof(int), .maxlen = sizeof(int),
.mode = 0444, .mode = 0444,
.proc_handler = &proc_dointvec, .proc_handler = &proc_dointvec,
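Review bot: The `ip_conntrack_count` sysctl now reports `init_net.ct.count` from every namespace, so a reader inside a non-init netns gets the host namespace's count rather than its own; the same stub is used by `ct_cpu_seq_show` in both stat files and by the `nf_conntrack_count` sysctl later in this commit. The description says this is temporary, but nothing in the code marks it, so the placeholder will be easy to miss when sysctls become per-net. Add a marker at each of the four sites, e.g. `.data = &init_net.ct.count, /* FIXME: stubbed to init_net, not per-netns yet */` and `atomic_read(&init_net.ct.count); /* FIXME: init_net stub */`.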
...@@ -314,7 +314,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v) ...@@ -314,7 +314,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
static int ct_cpu_seq_show(struct seq_file *seq, void *v) static int ct_cpu_seq_show(struct seq_file *seq, void *v)
{ {
unsigned int nr_conntracks = atomic_read(&nf_conntrack_count); unsigned int nr_conntracks = atomic_read(&init_net.ct.count);
const struct ip_conntrack_stat *st = v; const struct ip_conntrack_stat *st = v;
if (v == SEQ_START_TOKEN) { if (v == SEQ_START_TOKEN) {
...@@ -44,10 +44,6 @@ ...@@ -44,10 +44,6 @@
DEFINE_SPINLOCK(nf_conntrack_lock); DEFINE_SPINLOCK(nf_conntrack_lock);
EXPORT_SYMBOL_GPL(nf_conntrack_lock); EXPORT_SYMBOL_GPL(nf_conntrack_lock);
/* nf_conntrack_standalone needs this */
atomic_t nf_conntrack_count = ATOMIC_INIT(0);
EXPORT_SYMBOL_GPL(nf_conntrack_count);
unsigned int nf_conntrack_htable_size __read_mostly; unsigned int nf_conntrack_htable_size __read_mostly;
EXPORT_SYMBOL_GPL(nf_conntrack_htable_size); EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
...@@ -477,13 +473,13 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, ...@@ -477,13 +473,13 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
} }
/* We don't want any race condition at early drop stage */ /* We don't want any race condition at early drop stage */
atomic_inc(&nf_conntrack_count); atomic_inc(&net->ct.count);
if (nf_conntrack_max && if (nf_conntrack_max &&
unlikely(atomic_read(&nf_conntrack_count) > nf_conntrack_max)) { unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
unsigned int hash = hash_conntrack(orig); unsigned int hash = hash_conntrack(orig);
if (!early_drop(hash)) { if (!early_drop(hash)) {
atomic_dec(&nf_conntrack_count); atomic_dec(&net->ct.count);
if (net_ratelimit()) if (net_ratelimit())
printk(KERN_WARNING printk(KERN_WARNING
"nf_conntrack: table full, dropping" "nf_conntrack: table full, dropping"
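Review bot: The table-full guard now compares the per-namespace `net->ct.count` against the still-global `nf_conntrack_max`, so the limit is enforced per netns and the total number of conntracks across all namespaces is no longer bounded by nf_conntrack_max. Since `nf_conntrack_hash` is allocated once in nf_conntrack_init and `early_drop(hash)` takes no net argument, a namespace that hits its limit presumably evicts from the shared table and may drop an entry owned by another namespace. If that is the intended interim behaviour it should be stated at the comparison, e.g. `/* nf_conntrack_max is global but count is per-net: the limit applies per namespace, not in total */`. nf_conntrack_alloc begins and ends outside the hunk.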
...@@ -495,7 +491,7 @@ struct nf_conn *nf_conntrack_alloc(struct net *net, ...@@ -495,7 +491,7 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp); ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);
if (ct == NULL) { if (ct == NULL) {
pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
atomic_dec(&nf_conntrack_count); atomic_dec(&net->ct.count);
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
} }
...@@ -516,10 +512,11 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alloc); ...@@ -516,10 +512,11 @@ EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
static void nf_conntrack_free_rcu(struct rcu_head *head) static void nf_conntrack_free_rcu(struct rcu_head *head)
{ {
struct nf_conn *ct = container_of(head, struct nf_conn, rcu); struct nf_conn *ct = container_of(head, struct nf_conn, rcu);
struct net *net = nf_ct_net(ct);
nf_ct_ext_free(ct); nf_ct_ext_free(ct);
kmem_cache_free(nf_conntrack_cachep, ct); kmem_cache_free(nf_conntrack_cachep, ct);
atomic_dec(&nf_conntrack_count); atomic_dec(&net->ct.count);
} }
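Review bot: `net` is resolved from the conntrack before nf_ct_ext_free()/kmem_cache_free() release it and is then dereferenced after the free; the ordering is correct, but nothing says so, and moving the lookup below the free would be a use-after-free. A comment on the new line would protect it, e.g. `/* resolve net before ct is freed; the netns outlives this callback because nf_conntrack_cleanup waits for ct.count to reach 0 */`. The second half of that comment is inferred from the cleanup loop elsewhere in this commit, so confirm nf_ct_net() reads nothing that nf_ct_ext_free() frees.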
void nf_conntrack_free(struct nf_conn *ct) void nf_conntrack_free(struct nf_conn *ct)
...@@ -1024,7 +1021,7 @@ void nf_conntrack_cleanup(struct net *net) ...@@ -1024,7 +1021,7 @@ void nf_conntrack_cleanup(struct net *net)
nf_ct_event_cache_flush(); nf_ct_event_cache_flush();
i_see_dead_people: i_see_dead_people:
nf_conntrack_flush(); nf_conntrack_flush();
if (atomic_read(&nf_conntrack_count) != 0) { if (atomic_read(&net->ct.count) != 0) {
schedule(); schedule();
goto i_see_dead_people; goto i_see_dead_people;
} }
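Review bot: The wait loop now polls `net->ct.count`, but the `nf_conntrack_flush()` it repeats is still called with no net argument, so tearing down one namespace presumably flushes every namespace's entries on each pass. The loop can also only exit once nf_conntrack_free_rcu has run for this net's entries, which is not visible from the call site; a comment such as `/* count is dropped from nf_conntrack_free_rcu; spin until every entry of this net has been freed */` would make the dependency explicit, and a follow-up giving flush a net parameter would restore isolation between namespaces. nf_conntrack_cleanup continues on both sides of the hunk.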
...@@ -1148,6 +1145,7 @@ int nf_conntrack_init(struct net *net) ...@@ -1148,6 +1145,7 @@ int nf_conntrack_init(struct net *net)
* entries. */ * entries. */
max_factor = 4; max_factor = 4;
} }
atomic_set(&net->ct.count, 0);
nf_conntrack_hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size, nf_conntrack_hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size,
&nf_conntrack_vmalloc); &nf_conntrack_vmalloc);
if (!nf_conntrack_hash) { if (!nf_conntrack_hash) {
...@@ -226,7 +226,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v) ...@@ -226,7 +226,7 @@ static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
static int ct_cpu_seq_show(struct seq_file *seq, void *v) static int ct_cpu_seq_show(struct seq_file *seq, void *v)
{ {
unsigned int nr_conntracks = atomic_read(&nf_conntrack_count); unsigned int nr_conntracks = atomic_read(&init_net.ct.count);
const struct ip_conntrack_stat *st = v; const struct ip_conntrack_stat *st = v;
if (v == SEQ_START_TOKEN) { if (v == SEQ_START_TOKEN) {
...@@ -338,7 +338,7 @@ static ctl_table nf_ct_sysctl_table[] = { ...@@ -338,7 +338,7 @@ static ctl_table nf_ct_sysctl_table[] = {
{ {
.ctl_name = NET_NF_CONNTRACK_COUNT, .ctl_name = NET_NF_CONNTRACK_COUNT,
.procname = "nf_conntrack_count", .procname = "nf_conntrack_count",
.data = &nf_conntrack_count, .data = &init_net.ct.count,
.maxlen = sizeof(int), .maxlen = sizeof(int),
.mode = 0444, .mode = 0444,
.proc_handler = &proc_dointvec, .proc_handler = &proc_dointvec,