netfilter: xt_CT: optimize XT_CT_NOTRACK

The percpu untracked ct are not currently used for XT_CT_NOTRACK. xt_ct_tg_check()/xt_ct_target() provides a single ct. Thats not optimal as the ct->ct_general.use cache line will bounce among cpus. Use the intended [1] thing : xt_ct_target() should select the percpu object. [1] Refs : commit 5bfddbd46a95c97 ("netfilter: nf_conntrack: IPS_UNTRACKED bit") commit b3c5163fe0193a7 ("netfilter: nf_conntrack: per_cpu untracking") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: xt_CT: optimize XT_CT_NOTRACK
The percpu untracked ct are not currently used for XT_CT_NOTRACK. xt_ct_tg_check()/xt_ct_target() provides a single ct. Thats not optimal as the ct->ct_general.use cache line will bounce among cpus. Use the intended [1] thing : xt_ct_target() should select the percpu object. [1] Refs : commit 5bfddbd46a95c97 ("netfilter: nf_conntrack: IPS_UNTRACKED bit") commit b3c5163fe0193a7 ("netfilter: nf_conntrack: per_cpu untracking") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Eric Dumazet · Pablo Neira Ayuso
1 parent 8892475386
Showing 1 changed file with 6 additions and 4 deletions Side-by-side Diff
net/netfilter/xt_CT.c
@@ -26,6 +26,9 @@
 	if (skb->nfct != NULL)
 		return XT_CONTINUE;
  
+	/* special case the untracked ct : we want the percpu object */
+	if (!ct)
+		ct = nf_ct_untracked_get();
 	atomic_inc(&ct->ct_general.use);
 	skb->nfct = &ct->ct_general;
 	skb->nfctinfo = IP_CT_NEW;
@@ -186,8 +189,7 @@
 	int ret = -EOPNOTSUPP;
  
 	if (info->flags & XT_CT_NOTRACK) {
-		ct = nf_ct_untracked_get();
-		atomic_inc(&ct->ct_general.use);
+		ct = NULL;
 		goto out;
 	}
  
@@ -311,7 +313,7 @@
 	struct nf_conn *ct = info->ct;
 	struct nf_conn_help *help;
  
-	if (!nf_ct_is_untracked(ct)) {
+	if (ct && !nf_ct_is_untracked(ct)) {
 		help = nfct_help(ct);
 		if (help)
 			module_put(help->helper->me);
  
@@ -319,8 +321,8 @@
 		nf_ct_l3proto_module_put(par->family);
  
 		xt_ct_destroy_timeout(ct);
+		nf_ct_put(info->ct);
 	}
-	nf_ct_put(info->ct);
 }
  
 static void xt_ct_tg_destroy_v0(const struct xt_tgdtor_param *par)
...	...	@@ -26,6 +26,9 @@
26	26	if (skb->nfct != NULL)
27	27	return XT_CONTINUE;
28	28
	29	+ /* special case the untracked ct : we want the percpu object */
	30	+ if (!ct)
	31	+ ct = nf_ct_untracked_get();
29	32	atomic_inc(&ct->ct_general.use);
30	33	skb->nfct = &ct->ct_general;
31	34	skb->nfctinfo = IP_CT_NEW;
...	...	@@ -186,8 +189,7 @@
186	189	int ret = -EOPNOTSUPP;
187	190
188	191	if (info->flags & XT_CT_NOTRACK) {
189		- ct = nf_ct_untracked_get();
190		- atomic_inc(&ct->ct_general.use);
	192	+ ct = NULL;
191	193	goto out;
192	194	}
193	195
...	...	@@ -311,7 +313,7 @@
311	313	struct nf_conn *ct = info->ct;
312	314	struct nf_conn_help *help;
313	315
314		- if (!nf_ct_is_untracked(ct)) {
	316	+ if (ct && !nf_ct_is_untracked(ct)) {
315	317	help = nfct_help(ct);
316	318	if (help)
317	319	module_put(help->helper->me);
318	320
...	...	@@ -319,8 +321,8 @@
319	321	nf_ct_l3proto_module_put(par->family);
320	322
321	323	xt_ct_destroy_timeout(ct);
	324	+ nf_ct_put(info->ct);
322	325	}
323		- nf_ct_put(info->ct);
324	326	}
325	327
326	328	static void xt_ct_tg_destroy_v0(const struct xt_tgdtor_param *par)