43c0a12665
Removed target for patch which does not exist:
bcm27xx/patches-5.10/950-0249-kbuild-Disable-gcc-plugins.patch
All patches automatically rebased.
Build system: x86_64
Build-tested: bcm2711/RPi4B, ipq806x/R7800*
Run-tested: bcm2711/RPi4B, ipq806x/R7800*
* Had to revert 7f1edbd412
in order to build
(binutils 2.37, https://bugs.openwrt.org/index.php?do=details&task_id=4149)
Signed-off-by: John Audia <graysky@archlinux.us>
135 lines
4.2 KiB
Diff
135 lines
4.2 KiB
Diff
From: Oz Shlomo <ozsh@nvidia.com>
|
|
Date: Thu, 3 Jun 2021 15:12:35 +0300
|
|
Subject: [PATCH] netfilter: flowtable: Set offload timeouts according to proto
|
|
values
|
|
|
|
Currently the aging period for tcp/udp connections is hard coded to
|
|
30 seconds. Aged tcp/udp connections configure a hard coded 120/30
|
|
seconds pickup timeout for conntrack.
|
|
This configuration may be too aggressive or permissive for some users.
|
|
|
|
Dynamically configure the nf flow table GC timeout intervals according
|
|
to the user defined values.
|
|
|
|
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
|
|
Reviewed-by: Paul Blakey <paulb@nvidia.com>
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
---
|
|
|
|
--- a/include/net/netfilter/nf_flow_table.h
|
|
+++ b/include/net/netfilter/nf_flow_table.h
|
|
@@ -174,6 +174,8 @@ struct flow_offload {
|
|
#define NF_FLOW_TIMEOUT (30 * HZ)
|
|
#define nf_flowtable_time_stamp (u32)jiffies
|
|
|
|
+unsigned long flow_offload_get_timeout(struct flow_offload *flow);
|
|
+
|
|
static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
|
|
{
|
|
return (__s32)(timeout - nf_flowtable_time_stamp);
|
|
--- a/net/netfilter/nf_flow_table_core.c
|
|
+++ b/net/netfilter/nf_flow_table_core.c
|
|
@@ -175,12 +175,10 @@ static void flow_offload_fixup_tcp(struc
|
|
tcp->seen[1].td_maxwin = 0;
|
|
}
|
|
|
|
-#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
|
|
-#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
|
|
-
|
|
static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
|
|
{
|
|
const struct nf_conntrack_l4proto *l4proto;
|
|
+ struct net *net = nf_ct_net(ct);
|
|
int l4num = nf_ct_protonum(ct);
|
|
unsigned int timeout;
|
|
|
|
@@ -188,12 +186,17 @@ static void flow_offload_fixup_ct_timeou
|
|
if (!l4proto)
|
|
return;
|
|
|
|
- if (l4num == IPPROTO_TCP)
|
|
- timeout = NF_FLOWTABLE_TCP_PICKUP_TIMEOUT;
|
|
- else if (l4num == IPPROTO_UDP)
|
|
- timeout = NF_FLOWTABLE_UDP_PICKUP_TIMEOUT;
|
|
- else
|
|
+ if (l4num == IPPROTO_TCP) {
|
|
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
|
|
+
|
|
+ timeout = tn->offload_pickup;
|
|
+ } else if (l4num == IPPROTO_UDP) {
|
|
+ struct nf_udp_net *tn = nf_udp_pernet(net);
|
|
+
|
|
+ timeout = tn->offload_pickup;
|
|
+ } else {
|
|
return;
|
|
+ }
|
|
|
|
if (nf_flow_timeout_delta(READ_ONCE(ct->timeout)) > (__s32)timeout)
|
|
WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
|
|
@@ -265,11 +268,35 @@ static const struct rhashtable_params nf
|
|
.automatic_shrinking = true,
|
|
};
|
|
|
|
+unsigned long flow_offload_get_timeout(struct flow_offload *flow)
|
|
+{
|
|
+ const struct nf_conntrack_l4proto *l4proto;
|
|
+ unsigned long timeout = NF_FLOW_TIMEOUT;
|
|
+ struct net *net = nf_ct_net(flow->ct);
|
|
+ int l4num = nf_ct_protonum(flow->ct);
|
|
+
|
|
+ l4proto = nf_ct_l4proto_find(l4num);
|
|
+ if (!l4proto)
|
|
+ return timeout;
|
|
+
|
|
+ if (l4num == IPPROTO_TCP) {
|
|
+ struct nf_tcp_net *tn = nf_tcp_pernet(net);
|
|
+
|
|
+ timeout = tn->offload_timeout;
|
|
+ } else if (l4num == IPPROTO_UDP) {
|
|
+ struct nf_udp_net *tn = nf_udp_pernet(net);
|
|
+
|
|
+ timeout = tn->offload_timeout;
|
|
+ }
|
|
+
|
|
+ return timeout;
|
|
+}
|
|
+
|
|
int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
|
|
{
|
|
int err;
|
|
|
|
- flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
|
|
+ flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
|
|
|
|
err = rhashtable_insert_fast(&flow_table->rhashtable,
|
|
&flow->tuplehash[0].node,
|
|
@@ -301,7 +328,7 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
|
|
void flow_offload_refresh(struct nf_flowtable *flow_table,
|
|
struct flow_offload *flow)
|
|
{
|
|
- flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
|
|
+ flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
|
|
|
|
if (likely(!nf_flowtable_hw_offload(flow_table)))
|
|
return;
|
|
--- a/net/netfilter/nf_flow_table_offload.c
|
|
+++ b/net/netfilter/nf_flow_table_offload.c
|
|
@@ -885,7 +885,7 @@ static void flow_offload_work_stats(stru
|
|
|
|
lastused = max_t(u64, stats[0].lastused, stats[1].lastused);
|
|
offload->flow->timeout = max_t(u64, offload->flow->timeout,
|
|
- lastused + NF_FLOW_TIMEOUT);
|
|
+ lastused + flow_offload_get_timeout(offload->flow));
|
|
|
|
if (offload->flowtable->flags & NF_FLOWTABLE_COUNTER) {
|
|
if (stats[0].pkts)
|
|
@@ -989,7 +989,7 @@ void nf_flow_offload_stats(struct nf_flo
|
|
__s32 delta;
|
|
|
|
delta = nf_flow_timeout_delta(flow->timeout);
|
|
- if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10))
|
|
+ if ((delta >= (9 * flow_offload_get_timeout(flow)) / 10))
|
|
return;
|
|
|
|
offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_STATS);
|