Le mardi 17 août 2010 à 15:16 +0800, Changli Gao a écrit :
> Since we don't change the tuple in the original direction, we can save it
> in ct->tuplehash[IP_CT_DIR_REPLY].hnode.pprev for __nf_conntrack_confirm()
> use.
>
> __hash_conntrack() is split into two steps: ____hash_conntrack() is used
> to get the raw hash, and __hash_bucket() is used to get the bucket id.
>
> In SYN-flood case, early_drop() doesn't need to recompute the hash again.
>
> Signed-off-by: Changli Gao <xiaosuo@xxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_core.c | 117 ++++++++++++++++++++++++++------------
> 1 file changed, 82 insertions(+), 35 deletions(-)
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index df3eedb..947f0a9 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -65,14 +65,23 @@ EXPORT_SYMBOL_GPL(nf_conntrack_max);
> DEFINE_PER_CPU(struct nf_conn, nf_conntrack_untracked);
> EXPORT_PER_CPU_SYMBOL(nf_conntrack_untracked);
>
> -static int nf_conntrack_hash_rnd_initted;
> -static unsigned int nf_conntrack_hash_rnd;
> -
> -static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple,
> - u16 zone, unsigned int size, unsigned int rnd)
> +static u32 ____hash_conntrack(const struct nf_conntrack_tuple *tuple, u16 zone)
> {
> unsigned int n;
> u_int32_t h;
> + static int rnd_initted;
> + static unsigned int rnd;
> + static DEFINE_SPINLOCK(rnd_lock);
> +
> + if (unlikely(!rnd_initted)) {
> + spin_lock_bh(&rnd_lock);
> + if (!rnd_initted) {
> + get_random_bytes(&rnd, sizeof(rnd));
> + wmb();
> + rnd_initted = 1;
> + }
> + spin_unlock_bh(&rnd_lock);
> + }
>
Three variables ? static atomic_t rnd __read_mostly; if (unlikely(!atomic_read(&rnd))) { unsigned int val; get_random_bytes(&val, sizeof(val)); if (!val) val = 1; atomic_cmpxchg(&rnd, 0, val); }
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html