Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> This patch reworks the event caching infrastructure to use the
>> conntrack extension infrastructure. As a result, you can enable and
>> disable event delivery via /proc/sys/net/netfilter/nf_conntrack_events
>> at runtime as opposed to compile time. The main drawback is that
>> we consume more memory per conntrack if event delivery is enabled.
>
>> static inline void
>> nf_conntrack_event_cache(enum ip_conntrack_events event, struct
>> nf_conn *ct)
>> {
>> - struct net *net = nf_ct_net(ct);
>> - struct nf_conntrack_ecache *ecache;
>> -
>> - local_bh_disable();
>> - ecache = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id());
>> - if (ct != ecache->ct)
>> - __nf_ct_event_cache_init(ct);
>> - ecache->events |= event;
>> - local_bh_enable();
>> + spin_lock_bh(&nf_conntrack_lock);
>> + __nf_conntrack_event_cache(event, ct);
>> + spin_unlock_bh(&nf_conntrack_lock);
>
> This defeats all the work we've been doing to make conntrack lockless.
> This needs to be done differently.
>
> Generally, I'd say a better approach is to get rid of the notifier
> chain (unnecessary overhead for the single user we have), replace it
> by a function pointer for event delivery and use that as an indication
> that events should be tracked.

I have a fuzzy morning. I get the idea of replacing the notifier chain
by a function pointer, but I don't get the idea of the indication.

--
"Los honestos son inadaptados sociales" -- Les Luthiers
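Review bot: the new nf_conntrack_event_cache() wrapper takes nf_conntrack_lock unconditionally, so any caller that already holds that lock must now call __nf_conntrack_event_cache() directly or it will deadlock, and nothing in the hunk states that contract. Suggest a comment on the `__` variant ("caller must hold nf_conntrack_lock") and an audit of the existing nf_conntrack_event_cache() call sites before this goes in. Separately, the removed code only needed local_bh_disable()/local_bh_enable() around a per-cpu update (`ecache = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id());`); replacing that with a global spinlock puts a contended lock on the packet path for every state change, which is the regression the reply points out.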
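The "indication" in Patrick's suggestion, as an added user-space model that is not part of the patch or of the kernel's own code: one function pointer replaces the notifier chain, and the packet-path cache step tests that pointer and returns immediately while it is NULL, so events are only tracked while a consumer (in the kernel, ctnetlink) is registered. No lock is taken on the hot path; the only shared state is the pointer itself. All names here (ct_event_cb, ct_register_notifier, ct_event_cache, struct ct_conn, the CT_EVENT_* bits) are assumptions chosen for the example, and the real kernel code would additionally read the pointer under RCU and keep the cached mask in the conntrack's ecache extension.

```c
/* Added example: user-space model of "function pointer as event-tracking
 * indication". Not kernel code; all identifiers are assumed names. */
#include <stdio.h>
#include <stddef.h>

/* Stand-in for enum ip_conntrack_events (bit values assumed). */
enum ct_event {
    CT_EVENT_NEW     = 1u << 0,
    CT_EVENT_UPDATE  = 1u << 1,
    CT_EVENT_DESTROY = 1u << 2,
};

/* Stand-in for struct nf_conn: only what the example needs. */
struct ct_conn {
    unsigned int id;
    unsigned int cached_events;  /* in the kernel: the ecache extension */
};

/* Delivery hook. A single pointer replaces the notifier chain; NULL means
 * "nobody is listening, do not track events at all". In the kernel this
 * would be published/read with rcu_assign_pointer()/rcu_dereference(). */
typedef void (*ct_event_fn)(unsigned int events, struct ct_conn *ct);
static ct_event_fn ct_event_cb = NULL;

/* Single user only: a second registration is refused (like -EBUSY). */
static int ct_register_notifier(ct_event_fn fn)
{
    if (ct_event_cb)
        return -1;
    ct_event_cb = fn;
    return 0;
}

static void ct_unregister_notifier(void)
{
    ct_event_cb = NULL;
}

/* Hot path, called for every state change on the packet path. The pointer
 * test is the whole "should we track?" decision: no lock, no per-cpu
 * bookkeeping, and a plain return when no consumer is registered. */
static void ct_event_cache(enum ct_event ev, struct ct_conn *ct)
{
    if (!ct_event_cb)
        return;
    ct->cached_events |= ev;
}

/* Flush the cached mask to the consumer. Returns the delivered mask, or 0
 * if nothing was cached. The pointer is re-checked here so events cached
 * before an unregister are simply dropped rather than dereferencing NULL. */
static unsigned int ct_deliver_cached_events(struct ct_conn *ct)
{
    unsigned int ev = ct->cached_events;
    if (!ev)
        return 0;
    ct->cached_events = 0;
    if (ct_event_cb)
        ct_event_cb(ev, ct);
    return ev;
}

/* Sample consumer standing in for ctnetlink: records what it was handed. */
static unsigned int record_calls, record_last_events, record_last_id;
static void record_listener(unsigned int events, struct ct_conn *ct)
{
    record_calls++;
    record_last_events = events;
    record_last_id = ct->id;
}

int main(void)
{
    struct ct_conn c = { 42, 0 };

    ct_event_cache(CT_EVENT_NEW, &c);          /* no listener: nothing cached */
    printf("before register: cached=0x%x\n", c.cached_events);

    ct_register_notifier(record_listener);
    ct_event_cache(CT_EVENT_NEW, &c);
    ct_event_cache(CT_EVENT_UPDATE, &c);
    printf("delivered=0x%x to listener calls=%u\n",
           ct_deliver_cached_events(&c), record_calls);

    ct_unregister_notifier();
    ct_event_cache(CT_EVENT_DESTROY, &c);      /* listener gone: no-op again */
    printf("after unregister: cached=0x%x\n", c.cached_events);
    return 0;
}
```

The point Pablo is asking about is the `if (!ct_event_cb) return;` test: registering the delivery function is what switches event tracking on, so there is no separate runtime flag, no sysctl, and no lock to decide whether a conntrack's event mask needs updating.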