PING Changliang Wu <changliang.wu@xxxxxxxxxx> 于2024年6月20日周四 19:35写道:
>
> From cb8aa9a, we can use kernel side filtering for dump, but
> this capability is not available for flush.
>
> This Patch allows advanced filter with CTA_FILTER for flush
>
> Performace
> 1048576 ct flows in total, delete 50,000 flows by origin src ip
> 3.06s -> dump all, compare and delete
> 584ms -> directly flush with filter
>
> Signed-off-by: Changliang Wu <changliang.wu@xxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_netlink.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 3b846cbdc..93afe57d9 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
> };
>
> if (ctnetlink_needs_filter(family, cda)) {
> - if (cda[CTA_FILTER])
> - return -EOPNOTSUPP;
> -
> filter = ctnetlink_alloc_filter(cda, family);
> if (IS_ERR(filter))
> return PTR_ERR(filter);
> @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
> if (err < 0)
> return err;
>
> - if (cda[CTA_TUPLE_ORIG])
> + if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
> err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
> family, &zone);
> - else if (cda[CTA_TUPLE_REPLY])
> + else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
> err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
> family, &zone);
> else {
> - u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
> + u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
>
> return ctnetlink_flush_conntrack(info->net, cda,
> NETLINK_CB(skb).portid,
> --
> 2.43.0
>
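Review bot: The `else` branch in ctnetlink_del_conntrack now routes a DELETE that carries CTA_TUPLE_ORIG (or CTA_TUPLE_REPLY) together with CTA_FILTER into the bulk flush, whereas the removed lines show the old code parsing that tuple and ignoring CTA_FILTER, i.e. a single-entry delete; an existing client that happened to attach CTA_FILTER to a single delete would silently go from removing one entry to removing every entry matching the filter. That widening of a destructive operation should at least be stated in the commit message, and a comment on the new condition would help, e.g. `/* CTA_FILTER turns a single-entry delete into a filtered flush */`. The new `u3` initializer relies on `||` binding tighter than `?:`; parenthesizing it, `u8 u3 = (info->nfmsg->version || cda[CTA_FILTER]) ? family : AF_UNSPEC;`, makes the intent explicit. Whether ctnetlink_alloc_filter() rejects a CTA_FILTER that arrives without any tuple is not visible here, and that is what this path now depends on since the -EOPNOTSUPP guard in the first hunk is gone, so it is worth confirming. ctnetlink_del_conntrack starts and ends outside the hunk.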