From: Konstantin Khorenko <khore...@virtuozzo.com> Rebasing and splitting netfilters sybsystem (port 66-diff-ve-net-netfilter-combined). Part 1.
https://jira.sw.ru/browse/PSBM-18322 * diff-ve-nf-make-nf_ct_expect_max-sysctl-virtual Author: Pavel Emelyanov Subject: [PATCH rh6] ve: Make nf_ct_expect_max "virtualized" Date: Wed, 06 Jul 2011 17:36:45 +0400 Make the respective sysctl be per-ct only. Real limit is still taken from ve0 (init_net). Need to look at how this will work in the mainline. https://jira.sw.ru/browse/PCLIN-29578 Signed-off-by: Kirill Tkhai <ktk...@parallels.com> (cherry picked from vz7 commit 2cabd3c5f1a7 ("ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl")) VZ 8 rebase part https://jira.sw.ru/browse/PSBM-127783 Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalit...@virtuozzo.com> Ported vz8 commit 845371488332 ("ve/netfilter: Implement pernet expect_max / virtualize "net.netfilter.nf_conntrack_expect_max" sysctl"). Enabled usage of per-net expect_max for real. (in vz7/vz8, per-net value was settable but init_net value was always used) Signed-off-by: Nikita Yushchenko <nikita.yushche...@virtuozzo.com>
---
 include/net/netfilter/nf_conntrack.h | 1 +
 include/net/netfilter/nf_conntrack_expect.h | 1 -
 net/netfilter/nf_conntrack_expect.c | 9 ++++++---
 net/netfilter/nf_conntrack_standalone.c | 3 +--
 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index cc663c68ddc4..42dd967fdfbb 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -47,6 +47,7 @@ struct nf_conntrack_net {
 /* only used when new connection is allocated: */
 atomic_t count;
 unsigned int expect_count;
+ unsigned int expect_max;
 u8 sysctl_auto_assign_helper;
 bool auto_assign_helper_warned;
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 0855b60fba17..1e7b0b82b4d0 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
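Review bot: The new `expect_max` field lands in struct nf_conntrack_net without a comment, although it becomes a per-namespace sysctl knob and the ceiling that `expect_count` on the line above is compared against, while the only nearby comment ("only used when new connection is allocated") describes the neighbouring fields. Suggest `unsigned int expect_max; /* per-net ceiling for expect_count; seeded from the module-wide default at pernet init, writable via net.netfilter.nf_conntrack_expect_max */`. The field is `unsigned int`, so the sysctl entry backing it needs an unsigned handler; that entry is in nf_conntrack_standalone.c and is reviewed there. struct nf_conntrack_net begins and ends outside this hunk.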
@@ -12,7 +12,6 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 extern unsigned int nf_ct_expect_hsize;
-extern unsigned int nf_ct_expect_max;
 extern struct hlist_head *nf_ct_expect_hash;
 struct nf_conntrack_expect {
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 5523aa53492b..529f93817a57 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -40,11 +40,11 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
 struct hlist_head *nf_ct_expect_hash __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
-unsigned int nf_ct_expect_max __read_mostly;
-
 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
 static unsigned int nf_ct_expect_hashrnd __read_mostly;
+static unsigned int nf_ct_expect_max __ro_after_init;
+
 /* nf_conntrack_expect helper functions */
 void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, u32 portid, int report)
@@ -469,7 +469,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
 }
 cnet = nf_ct_pernet(net);
- if (cnet->expect_count >= nf_ct_expect_max) {
+ if (cnet->expect_count >= cnet->expect_max) {
 net_veboth_ratelimited(KERN_WARNING "VE%s " "nf_conntrack: expectation table full\n", net->owner_ve->ve_name);
@@ -699,6 +699,9 @@ module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 int nf_conntrack_expect_pernet_init(struct net *net)
 {
+ struct nf_conntrack_net *cnet = nf_ct_pernet(net);
+
+ cnet->expect_max = nf_ct_expect_max;
 return exp_proc_init(net);
 }
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 615ecfa32a4a..9340a3c993f0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -657,7 +657,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 },
 [NF_SYSCTL_CT_EXPECT_MAX] = {
 .procname = "nf_conntrack_expect_max",
- .data = &nf_ct_expect_max,
 .maxlen = sizeof(int),
 .mode = 0644,
 .proc_handler = proc_dointvec,
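Review bot: After `if (cnet->expect_count >= cnet->expect_max)` the only ceiling on expectations in a namespace is that namespace's own value, and the @@ -1106 hunk in nf_conntrack_standalone.c also drops the 0444 mode, so a non-init_net admin can raise its limit without bound. Expectations come from a module-wide slab (`nf_ct_expect_cachep` in the @@ -40 hunk) and nothing in the diff charges them to the namespace, so a container that lifts its own cap can consume kernel memory that the old init_net-wide limit bounded. If per-net tuning is the goal, keep the module default as a hard ceiling in the same file, e.g. `if (cnet->expect_count >= min(cnet->expect_max, nf_ct_expect_max)) {`, or clamp the sysctl write to it. __nf_ct_expect_check starts and ends outside the hunk.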
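Review bot: `cnet->expect_max = nf_ct_expect_max;` in nf_conntrack_expect_pernet_init copies a value whose initialization site is not in the diff, and the @@ -40 hunk makes that source `static __ro_after_init`. If the pernet init for init_net can run before the module-wide init computes `nf_ct_expect_max`, init_net is seeded with 0 and every expectation is refused as "table full"; conversely any write to the global after init would now hit a read-only page. Worth a `WARN_ON_ONCE(!nf_ct_expect_max);` ahead of the copy, or a comment on the declaration in the @@ -40 hunk stating that it is written exactly once by the module init before any pernet init runs.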
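Review bot: With `.data` removed, the nf_conntrack_expect_max entry still pairs `.proc_handler = proc_dointvec` and `.maxlen = sizeof(int)` with a backing field that is `unsigned int` (`cnet->expect_max`, wired up in the @@ -1083 hunk), so a write of -1 is accepted and stored as UINT_MAX, i.e. no limit at all. This was latent while the knob was read-only outside init_net; after this series any namespace can write it. Change the handler to `.proc_handler = proc_douintvec,`, which rejects negative input. nf_ct_sysctl_table is an initializer that begins and ends outside the hunk.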
@@ -1083,6 +1082,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 table[NF_SYSCTL_CT_LOG_INVALID].data = &net->ct.sysctl_log_invalid;
 table[NF_SYSCTL_CT_ACCT].data = &net->ct.sysctl_acct;
 table[NF_SYSCTL_CT_HELPER].data = &cnet->sysctl_auto_assign_helper;
+ table[NF_SYSCTL_CT_EXPECT_MAX].data = &cnet->expect_max;
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 table[NF_SYSCTL_CT_EVENTS].data = &net->ct.sysctl_events;
 #endif
@@ -1106,7 +1106,6 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
 /* Don't allow non-init_net ns to alter global sysctls */
 if (!net_eq(&init_net, net)) {
 table[NF_SYSCTL_CT_MAX].mode = 0444;
- table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
 table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
 }
-- 
2.30.2
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel