Pablo Neira Ayuso wrote:
This patch reworks the event caching infrastructure to use the conntrack extension infrastructure. As a result, you can enable and disable event delivery via /proc/sys/net/netfilter/nf_conntrack_events at runtime as opposed to compile time. The main drawback is that we consume more memory per conntrack if event delivery is enabled.
static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) { - struct net *net = nf_ct_net(ct); - struct nf_conntrack_ecache *ecache; - - local_bh_disable(); - ecache = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id()); - if (ct != ecache->ct) - __nf_ct_event_cache_init(ct); - ecache->events |= event; - local_bh_enable(); + spin_lock_bh(&nf_conntrack_lock); + __nf_conntrack_event_cache(event, ct); + spin_unlock_bh(&nf_conntrack_lock);
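Review bot: the replacement body of nf_conntrack_event_cache() takes the global nf_conntrack_lock (spin_lock_bh(&nf_conntrack_lock) ... spin_unlock_bh(&nf_conntrack_lock)) around __nf_conntrack_event_cache(), and this helper runs for every tracked packet, so every CPU now contends on one shared lock just to record an event bit. The lines being removed avoided exactly that: local_bh_disable() plus a per_cpu_ptr(net->ct.ecache, raw_smp_processor_id()) cache with an `ecache->events |= event` update touched only CPU-local state and no shared lock. If the event state is to live in a per-conntrack extension, it should be updated without a global lock (a per-conntrack field with a lock-free or atomic event mask would keep the old cost model), and the locking requirements of __nf_conntrack_event_cache() should be stated in a comment at its definition so callers do not reintroduce the global lock by accident.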
This defeats all the work we've been doing to make conntrack lockless. This needs to be done differently. Generally, I'd say a better approach is to get rid of the notifier chain (unnecessary overhead for the single user we have), replace it by a function pointer for event delivery and use that as an indication that events should be tracked.