Giuseppe Scrivano <gscrivan@xxxxxxxxxx> wrote:
> SELinux, if enabled, registers for each new network namespace 6
> netfilter hooks. Avoid to use synchronize_net for each new hook, but do
> it once after all the hooks are added. The net benefit on an SMP
> machine with two cores is that creating a new network namespace takes
> -40% of the original time.
but this needs more work.
> Signed-off-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
> ---
> net/netfilter/core.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 52cd2901a097..beeb0b36f429 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -252,7 +252,7 @@ static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const
> return NULL;
> }
>
> -int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
> +static int __nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
Change this to return struct nf_hook_entries *
> {
> struct nf_hook_entries *p, *new_hooks;
> struct nf_hook_entries __rcu **pp;
> @@ -291,11 +291,19 @@ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
> #ifdef HAVE_JUMP_LABEL
> static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
> #endif
> - synchronize_net();
> BUG_ON(p == new_hooks);
> kvfree(p);
remove kvfree()
> return 0;
return p;
> +int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
> +{
> + int ret = __nf_register_net_hook(net, reg);
> + if (ret < 0)
> + return ret;
> + synchronize_net();
then free p here.
> + return 0;
> +}
> EXPORT_SYMBOL(nf_register_net_hook);
>
> /*
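Review bot: `__nf_register_net_hook()` no longer calls `synchronize_net()` before returning, and nothing at its definition tells a future caller that waiting for the grace period is now their job. A one-line comment above the helper would state that contract, for example `/* Does not wait for a grace period; the caller must call synchronize_net(). */`. In the new `nf_register_net_hook()` wrapper, as quoted, kernel style also wants a blank line between the `int ret = __nf_register_net_hook(net, reg);` declaration and the `if (ret < 0)` that follows. The helper's body starts in the previous hunk and continues between the two hunks, so the parts of it not quoted here were not reviewed.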
> @@ -379,10 +387,11 @@ int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
> int err = 0;
>
> for (i = 0; i < n; i++) {
> - err = nf_register_net_hook(net, ®[i]);
> + err = __nf_register_net_hook(net, ®[i]);
here, store the old 'p' values and then free them after synchronize_net().
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html