
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter patches for net-next

Remove GPL license copypastry in uapi files, those have SPDX tags.
From Christophe Jaillet.

Remove unused variable in rpfilter, from Guillaume Nault.

Rework gc resched delay computation in conntrack, from Antoine Tenart.

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: rpfilter: Remove unused variable 'ret'.
headers: Remove some left-over license text in include/uapi/linux/netfilter/
netfilter: conntrack: revisit the gc initial rescheduling bias
netfilter: conntrack: fix the gc rescheduling delay
====================

Link: https://lore.kernel.org/r/20220921095000.29569-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+17 -37
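--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -3,10 +3,6 @@
 * Patrick Schaaf <bof@bof.de>
 * Martin Josefsson <gandalf@wlug.westbo.se>
 * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@netfilter.org>
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
 */
 #ifndef _UAPI_IP_SET_H
 #define _UAPI_IP_SET_H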
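--- a/include/uapi/linux/netfilter/xt_AUDIT.h
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
@@ -4,10 +4,6 @@
 *
 * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
 * (C) 2010-2011 Red Hat, Inc.
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
 */
 
 #ifndef _XT_AUDIT_TARGET_H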
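--- a/include/uapi/linux/netfilter/xt_connmark.h
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -1,17 +1,12 @@
 /* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/* Copyright (C) 2002,2004 MARA Systems AB <https://www.marasystems.com>
+* by Henrik Nordstrom <hno@marasystems.com>
+*/
+
 #ifndef _XT_CONNMARK_H
 #define _XT_CONNMARK_H
 
 #include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <https://www.marasystems.com>
-* by Henrik Nordstrom <hno@marasystems.com>
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*/
 
 enum {
 XT_CONNMARK_SET = 0,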
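--- a/include/uapi/linux/netfilter/xt_osf.h
+++ b/include/uapi/linux/netfilter/xt_osf.h
@@ -1,20 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
 /*
 * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
-*
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, see <http://www.gnu.org/licenses/>.
 */
 
 #ifndef _XT_OSF_H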
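--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -33,7 +33,6 @@
 const struct net_device *dev, u8 flags)
 {
 struct fib_result res;
-int ret __maybe_unused;
 
 if (fib_lookup(net, fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
 return false;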
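--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -67,6 +67,7 @@
 struct delayed_work dwork;
 u32 next_bucket;
 u32 avg_timeout;
+u32 count;
 u32 start_time;
 bool exiting;
 bool early_drop;
@@ -86,10 +85,12 @@
 /* clamp timeouts to this value (TCP unacked) */
 #define GC_SCAN_INTERVAL_CLAMP (300ul * HZ)
 
-/* large initial bias so that we don't scan often just because we have
-* three entries with a 1s timeout.
+/* Initial bias pretending we have 100 entries at the upper bound so we don't
+* wakeup often just because we have three entries with a 1s timeout while still
+* allowing non-idle machines to wakeup more often when needed.
 */
-#define GC_SCAN_INTERVAL_INIT INT_MAX
+#define GC_SCAN_INITIAL_COUNT 100
+#define GC_SCAN_INTERVAL_INIT GC_SCAN_INTERVAL_MAX
 
 #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10)
 #define GC_SCAN_EXPIRED_MAX (64000u / HZ)
@@ -1469,5 +1466,6 @@
 unsigned int expired_count = 0;
 unsigned long next_run;
 s32 delta_time;
+long count;
 gc_work = container_of(work, struct conntrack_gc_work, dwork.work);
 
@@ -1479,10 +1475,12 @@
 
 if (i == 0) {
 gc_work->avg_timeout = GC_SCAN_INTERVAL_INIT;
+gc_work->count = GC_SCAN_INITIAL_COUNT;
 gc_work->start_time = start_time;
 }
 
 next_run = gc_work->avg_timeout;
+count = gc_work->count;
 
 end_time = start_time + GC_SCAN_MAX_DURATION;
 
@@ -1504,8 +1498,8 @@
 
 hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
 struct nf_conntrack_net *cnet;
-unsigned long expires;
 struct net *net;
+long expires;
 
 tmp = nf_ct_tuplehash_to_ctrack(h);
 
@@ -1519,6 +1513,7 @@
 
 gc_work->next_bucket = i;
 gc_work->avg_timeout = next_run;
+gc_work->count = count;
 
 delta_time = nfct_time_stamp - gc_work->start_time;
 
@@ -1535,8 +1528,8 @@
 }
 
 expires = clamp(nf_ct_expires(tmp), GC_SCAN_INTERVAL_MIN, GC_SCAN_INTERVAL_CLAMP);
+expires = (expires - (long)next_run) / ++count;
 next_run += expires;
-next_run /= 2u;
 
 if (nf_conntrack_max95 == 0 || gc_worker_skip_ct(tmp))
 continue;
@@ -1577,6 +1570,7 @@
 delta_time = nfct_time_stamp - end_time;
 if (delta_time > 0 && i < hashsz) {
 gc_work->avg_timeout = next_run;
+gc_work->count = count;
 gc_work->next_bucket = i;
 next_run = 0;
 goto early_exit;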
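Review bot: The added line `expires = (expires - (long)next_run) / ++count;` carries no comment, and its integer behaviour is easy to misread: it is an incremental mean over a signed delta, and because the division truncates toward zero, any entry whose distance from the current average is smaller than the incremented `count` leaves `next_run` unchanged. Since `next_run` is stored back as `avg_timeout`, which appears to decide when the GC worker runs again and therefore how quickly expired conntrack entries free table space, that rounding should be stated at the line, e.g. `/* running mean; deltas below count round to 0, so late entries in a large table barely move it */`. The local `count` is `long` while `gc_work->count` is `u32`, so every `gc_work->count = count;` store narrows silently; a one-line comment on the declaration saying the local is signed because it divides a possibly negative `long` would keep a later cleanup from turning it into `u32`. The enclosing function starts and ends outside these hunks, so how `next_run` is finally consumed is not visible here.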