[PATCH] aggressive early_drop and reserved conntrack entries

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Mon Dec 13 22:52:44 CET 2004

On Sun, 12 Dec 2004, Henrik Nordstrom wrote:

> On Sat, 11 Dec 2004, Jozsef Kadlecsik wrote:
> > It's already a little bit messy. I strongly believe, we must revise
> > reference counting in order to make locking more straightforward (and to
> > be able to introduce say per bucket locking at all). The
> > conntrack_arefcount patch tries to step ahead in that direction.
> The patch adds yet another entity needing locking: The list of unassured
> connections. This list requires two write updates per new connection
> (append, delete).

I just wanted to note that fine grained locking needs some preparation.

> With it being a linked list fine grained locking becomes a bit hard, and
> to have FIFO semantics there is not many other choices. But fortunately
> the operations needing this list locked is very short in time so it should
> be fine with a global lock on the unassured list, in addition to the
> (finegrained) conntrack locking, provided the unassured lock is aquired
> last (atomic list insert, delete operations).

With a little tweaking we could create a fast path for the new conntrack
entries:  in __ip_conntrack_confirm do not add them to the unassured_list
till we have, say, more than 5% percent of the conntrack entries free.
Of course when assuring/deleting a conntrack, we should still lock, check
and delete, unlock, but that is not the critical path.

> Note: RCU does not help us here.

Yes, no way to use RCU.

Best regards,
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

More information about the netfilter-devel mailing list