[PATCH] aggressive early_drop and reserved conntrack entries

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Sat Dec 11 17:56:28 CET 2004

Hi Martin,

On Sat, 11 Dec 2004, Martin Josefsson wrote:

> > Attached (;-) is the new patch, which implements the list of unassured
> > connections. (Reserving conntracks is dropped completely as unnecessary.)
> > I tested it slightly and it seems to work fine. What do you think about it?
> I've been thinking about this as well, but mostly I've been thinking
> about how to get it to scale when we go for more fine-grained locking.
> The locking is going to be nasty.

It's already a little bit messy. I strongly believe we must revise
reference counting in order to make locking more straightforward (and to
be able to introduce say per-bucket locking at all). The
conntrack_arefcount patch tries to step ahead in that direction.

> Why not loop and kill multiple entries each time? Saves some locking and
> cache. But in order to do that in a good way we need a counter of how
> many entries we have in the unassured list. But we don't want to kill
> too many each time, then almost no real connections will get through.

An atomic counter could help: this is just a proof of concept code :-)

> @@ -1107,6 +1117,10 @@
>  			add_timer(&ct->timeout);
>  		}
>  		ct_add_counters(ct, ctinfo, skb);
> +		if (set_assured) {
> +			set_bit(IPS_ASSURED_BIT, &ct->status);
> +			list_del(&ct->unassured);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Huh? No check to see if we already are assured or not?
> Not needed for icmp, tcp or sctp but udp and the generic handler does.
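Review bot: the `list_del(&ct->unassured)` under `if (set_assured)` runs on every packet for which set_assured is true, so once a conntrack is already assured (the UDP and generic-handler case) it unlinks a node that is no longer on the list, corrupting the list or writing through already-cleared pointers. Make the unlink conditional on the bit actually changing, e.g. `if (set_assured && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) list_del(&ct->unassured);`, so the second and later packets of a flow leave the list alone.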

Oops, absolutely correct, I tested the code with TCP only. Fortunately
it's easy to fix :-)

Best regards,
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
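The unassured list, the entry counter Martin asks for, the guarded "set assured" step and a bounded early_drop pass, as an added example that is not part of this mail or of the netfilter patch. It is a stand-alone user-space model in C, not kernel code: the list helpers, the single-threaded `test_and_set_bit`, `ul_early_drop` and its "never more than half the list" policy, and the scenario in `run_demo` are all constructed for the demonstration.

```c
/* Constructed demo (not netfilter code): an unassured-connection list with an
 * atomic entry counter, an idempotent "set assured" step, and a bounded
 * early_drop pass over the oldest unassured entries. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly-linked list in the style of the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;  /* poison: a second list_del on this node would crash */
}

#define IPS_ASSURED_BIT 2          /* bit index chosen for the demo */

struct conntrack {
    int id;
    unsigned long status;
    struct list_head unassured;    /* linked only while IPS_ASSURED_BIT is clear */
};

/* The unassured list plus a counter of how many entries it holds. */
struct unassured_list {
    struct list_head head;
    atomic_int count;
};

/* Single-threaded stand-in for the kernel's atomic test_and_set_bit(). */
static bool test_and_set_bit(int nr, unsigned long *addr)
{
    unsigned long mask = 1UL << nr;
    bool was_set = (*addr & mask) != 0;
    *addr |= mask;
    return was_set;
}

void ul_init(struct unassured_list *ul)
{
    INIT_LIST_HEAD(&ul->head);
    atomic_init(&ul->count, 0);
}

/* A freshly created conntrack starts out unassured: append it (newest at tail). */
struct conntrack *ul_new_conntrack(struct unassured_list *ul, int id)
{
    struct conntrack *ct = calloc(1, sizeof *ct);
    if (!ct) return NULL;
    ct->id = id;
    list_add_tail(&ct->unassured, &ul->head);
    atomic_fetch_add(&ul->count, 1);
    return ct;
}

/* Mark a conntrack assured. Returns true only on the transition: a later call
 * (another UDP packet on the same flow) must not touch the list again, so the
 * unlink is guarded by test_and_set_bit instead of a plain set_bit. */
bool ct_set_assured(struct unassured_list *ul, struct conntrack *ct)
{
    if (test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
        return false;              /* already assured: nothing to unlink */
    list_del(&ct->unassured);
    atomic_fetch_sub(&ul->count, 1);
    return true;
}

/* Evict up to max_kill of the oldest unassured entries in one pass, but never
 * more than half the list (demo policy, so new flows can still get through).
 * Returns the number of entries dropped. */
int ul_early_drop(struct unassured_list *ul, int max_kill)
{
    int n = atomic_load(&ul->count);
    int limit = n / 2 > 0 ? n / 2 : n; /* at least one victim if any exist */
    int budget = max_kill < limit ? max_kill : limit;
    int killed = 0;

    while (killed < budget) {
        struct conntrack *victim = list_entry(ul->head.next, struct conntrack, unassured);
        list_del(&victim->unassured);
        atomic_fetch_sub(&ul->count, 1);
        free(victim);
        killed++;
    }
    return killed;
}

struct demo_result { int repeat_assure, first_drop, second_drop, final_count; };

/* Constructed scenario: ten unassured entries, three become assured (one of
 * them twice), then two early_drop passes. */
struct demo_result run_demo(void)
{
    struct unassured_list ul;
    struct conntrack *ct[10];
    struct demo_result r;
    ul_init(&ul);
    for (int i = 0; i < 10; i++) ct[i] = ul_new_conntrack(&ul, i);
    ct_set_assured(&ul, ct[1]);
    ct_set_assured(&ul, ct[4]);
    ct_set_assured(&ul, ct[7]);
    r.repeat_assure = ct_set_assured(&ul, ct[4]); /* second packet on the flow: 0 */
    r.first_drop = ul_early_drop(&ul, 5);         /* 7 unassured, half is 3 -> 3 */
    r.second_drop = ul_early_drop(&ul, 1);        /* 4 left, budget 1 -> 1 */
    r.final_count = atomic_load(&ul.count);       /* 3 */
    while (ul.head.next != &ul.head) {            /* free the remaining unassured */
        struct conntrack *c = list_entry(ul.head.next, struct conntrack, unassured);
        list_del(&c->unassured);
        free(c);
    }
    free(ct[1]); free(ct[4]); free(ct[7]);        /* the assured ones */
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("repeat assure unlinked again: %d\n", r.repeat_assure);
    printf("first early_drop killed %d, second killed %d, %d unassured left\n",
           r.first_drop, r.second_drop, r.final_count);
    return 0;
}
```

The counter is what makes the bounded pass cheap: early_drop reads it once and decides its budget without walking the list, and `ct_set_assured` keeps it exact because the decrement happens only on the bit transition.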
