On Fri, Dec 28, 2018 at 01:24:41AM +0100, Florian Westphal wrote:
> This series is a collection of all the various conncount patches that have
> been floating around recently.
>
> The overall goal is to simplify nf_conncount instead of just addressing
> bugs. This series removes quite a few lines of code and conditionals.
>
> Most importantly, 'conn' list traversal now requires the node list_lock.
>
> Second, the garbage collection cannot race with the packet path anymore,
> collection of conn objects acquires the list_lock, and tree pruning
> only occurs after the tree lock has been acquired.
>
> While looking at this, I found a few more, albeit minor, bugs,
> these are fixed here as well.
>
> I've mangled Pablo's patches a little so they apply on top
> of the other ones, but otherwise no major changes happened.
>
> I've tested this with parallel synfloods against a VM (with no patches,
> KASAN splats happen almost instantly).
>
> Please see individual patches for more details.
>
> I'd like to thank everyone that has contributed patches and ideas for this.
> More comments, reviews and tests are much appreciated.
>
> Florian Westphal (5):
>   netfilter: nf_conncount: don't skip eviction when age is negative
>   netfilter: nf_conncount: split gc in two phases
>   netfilter: nf_conncount: restart search when nodes have been erased
>   netfilter: nf_conncount: merge lookup and add functions
>   netfilter: nf_conncount: fix argument order to find_next_bit
>
> Pablo Neira Ayuso (2):
>   netfilter: nf_conncount: move all list iterations under spinlock
>   netfilter: nf_conncount: speculative garbage collection on empty lists
>
> Shawn Bohrer (1):
>   nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
>
>  include/net/netfilter/nf_conntrack_count.h |  19 -
>  net/netfilter/nf_conncount.c               | 290 ++++++++++++-----------------
>  net/netfilter/nft_connlimit.c              |  14 -
>  3 files changed, 134 insertions(+), 189 deletions(-)

Reviewed-by: Shawn Bohrer <sbohrer@xxxxxxxxxxxxxx>