Message ID | 20200803073305.702079-2-roid@mellanox.com |
---|---|
State | Awaiting Upstream |
Delegated to: | David Miller |
Headers | show |
Series | netfilter: conntrack: Fix CT offload timeout on heavily loaded systems | expand |
On Mon, Aug 03, 2020 at 10:33:04AM +0300, Roi Dayan wrote: > To be used by callers from other modules. > > Signed-off-by: Roi Dayan <roid@mellanox.com> > Reviewed-by: Oz Shlomo <ozsh@mellanox.com> > --- > include/net/netfilter/nf_conntrack.h | 12 ++++++++++++ > net/netfilter/nf_conntrack_core.c | 12 ------------ > 2 files changed, 12 insertions(+), 12 deletions(-) > > diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h > index 90690e37a56f..8481819ff632 100644 > --- a/include/net/netfilter/nf_conntrack.h > +++ b/include/net/netfilter/nf_conntrack.h > @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct) > !nf_ct_is_dying(ct); > } > > +#define DAY (86400 * HZ) > + > +/* Set an arbitrary timeout large enough not to ever expire, this save > + * us a check for the IPS_OFFLOAD_BIT from the packet path via > + * nf_ct_is_expired(). > + */ > +static inline void nf_ct_offload_timeout(struct nf_conn *ct) > +{ > + if (nf_ct_expires(ct) < DAY / 2) > + ct->timeout = nfct_time_stamp + DAY; > +} > + > struct kernel_param; > For the record: I have renamed DAY to NF_CT_DAY to avoid a possible symbol name clash. No need to resend, I applied this small change before applying.
On 2020-08-03 2:03 PM, Pablo Neira Ayuso wrote: > On Mon, Aug 03, 2020 at 10:33:04AM +0300, Roi Dayan wrote: >> To be used by callers from other modules. >> >> Signed-off-by: Roi Dayan <roid@mellanox.com> >> Reviewed-by: Oz Shlomo <ozsh@mellanox.com> >> --- >> include/net/netfilter/nf_conntrack.h | 12 ++++++++++++ >> net/netfilter/nf_conntrack_core.c | 12 ------------ >> 2 files changed, 12 insertions(+), 12 deletions(-) >> >> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h >> index 90690e37a56f..8481819ff632 100644 >> --- a/include/net/netfilter/nf_conntrack.h >> +++ b/include/net/netfilter/nf_conntrack.h >> @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct) >> !nf_ct_is_dying(ct); >> } >> >> +#define DAY (86400 * HZ) >> + >> +/* Set an arbitrary timeout large enough not to ever expire, this save >> + * us a check for the IPS_OFFLOAD_BIT from the packet path via >> + * nf_ct_is_expired(). >> + */ >> +static inline void nf_ct_offload_timeout(struct nf_conn *ct) >> +{ >> + if (nf_ct_expires(ct) < DAY / 2) >> + ct->timeout = nfct_time_stamp + DAY; >> +} >> + >> struct kernel_param; >> > > For the record: I have renamed DAY to NF_CT_DAY to avoid a possible > symbol name clash. No need to resend, I applied this small change > before applying. > thanks
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 90690e37a56f..8481819ff632 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -279,6 +279,18 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct) !nf_ct_is_dying(ct); } +#define DAY (86400 * HZ) + +/* Set an arbitrary timeout large enough not to ever expire, this save + * us a check for the IPS_OFFLOAD_BIT from the packet path via + * nf_ct_is_expired(). + */ +static inline void nf_ct_offload_timeout(struct nf_conn *ct) +{ + if (nf_ct_expires(ct) < DAY / 2) + ct->timeout = nfct_time_stamp + DAY; +} + struct kernel_param; int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp); diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 79cd9dde457b..947c6d9437c3 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1344,18 +1344,6 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct) return false; } -#define DAY (86400 * HZ) - -/* Set an arbitrary timeout large enough not to ever expire, this save - * us a check for the IPS_OFFLOAD_BIT from the packet path via - * nf_ct_is_expired(). - */ -static void nf_ct_offload_timeout(struct nf_conn *ct) -{ - if (nf_ct_expires(ct) < DAY / 2) - ct->timeout = nfct_time_stamp + DAY; -} - static void gc_worker(struct work_struct *work) { unsigned int min_interval = max(HZ / GC_MAX_BUCKETS_DIV, 1u);