Commit 14e1a977767e95ca48504975efff2bdf1b198ca0
Committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
1 parent
3bcc5fdf1b
netfilter: connlimit: use kmem_cache for conn objects
We might allocate thousands of these (one object per connection). Use distinct kmem cache to permit simplte tracking on how many objects are currently used by the connlimit match via the sysfs. Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Showing 1 changed file with 19 additions and 5 deletions Side-by-side Diff
net/netfilter/xt_connlimit.c
| ... | ... | @@ -44,6 +44,7 @@ |
| 44 | 44 | }; |
| 45 | 45 | |
| 46 | 46 | static u_int32_t connlimit_rnd __read_mostly; |
| 47 | +static struct kmem_cache *connlimit_conn_cachep __read_mostly; | |
| 47 | 48 | |
| 48 | 49 | static inline unsigned int connlimit_iphash(__be32 addr) |
| 49 | 50 | { |
| ... | ... | @@ -113,7 +114,7 @@ |
| 113 | 114 | &conn->tuple); |
| 114 | 115 | if (found == NULL) { |
| 115 | 116 | hlist_del(&conn->node); |
| 116 | - kfree(conn); | |
| 117 | + kmem_cache_free(connlimit_conn_cachep, conn); | |
| 117 | 118 | continue; |
| 118 | 119 | } |
| 119 | 120 | |
| ... | ... | @@ -133,7 +134,7 @@ |
| 133 | 134 | */ |
| 134 | 135 | nf_ct_put(found_ct); |
| 135 | 136 | hlist_del(&conn->node); |
| 136 | - kfree(conn); | |
| 137 | + kmem_cache_free(connlimit_conn_cachep, conn); | |
| 137 | 138 | continue; |
| 138 | 139 | } |
| 139 | 140 | |
| ... | ... | @@ -152,7 +153,9 @@ |
| 152 | 153 | const struct nf_conntrack_tuple *tuple, |
| 153 | 154 | const union nf_inet_addr *addr) |
| 154 | 155 | { |
| 155 | - struct xt_connlimit_conn *conn = kmalloc(sizeof(*conn), GFP_ATOMIC); | |
| 156 | + struct xt_connlimit_conn *conn; | |
| 157 | + | |
| 158 | + conn = kmem_cache_alloc(connlimit_conn_cachep, GFP_ATOMIC); | |
| 156 | 159 | if (conn == NULL) |
| 157 | 160 | return false; |
| 158 | 161 | conn->tuple = *tuple; |
| ... | ... | @@ -285,7 +288,7 @@ |
| 285 | 288 | for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) { |
| 286 | 289 | hlist_for_each_entry_safe(conn, n, &hash[i], node) { |
| 287 | 290 | hlist_del(&conn->node); |
| 288 | - kfree(conn); | |
| 291 | + kmem_cache_free(connlimit_conn_cachep, conn); | |
| 289 | 292 | } |
| 290 | 293 | } |
| 291 | 294 | |
| 292 | 295 | |
| ... | ... | @@ -305,12 +308,23 @@ |
| 305 | 308 | |
| 306 | 309 | static int __init connlimit_mt_init(void) |
| 307 | 310 | { |
| 308 | - return xt_register_match(&connlimit_mt_reg); | |
| 311 | + int ret; | |
| 312 | + connlimit_conn_cachep = kmem_cache_create("xt_connlimit_conn", | |
| 313 | + sizeof(struct xt_connlimit_conn), | |
| 314 | + 0, 0, NULL); | |
| 315 | + if (!connlimit_conn_cachep) | |
| 316 | + return -ENOMEM; | |
| 317 | + | |
| 318 | + ret = xt_register_match(&connlimit_mt_reg); | |
| 319 | + if (ret != 0) | |
| 320 | + kmem_cache_destroy(connlimit_conn_cachep); | |
| 321 | + return ret; | |
| 309 | 322 | } |
| 310 | 323 | |
| 311 | 324 | static void __exit connlimit_mt_exit(void) |
| 312 | 325 | { |
| 313 | 326 | xt_unregister_match(&connlimit_mt_reg); |
| 327 | + kmem_cache_destroy(connlimit_conn_cachep); | |
| 314 | 328 | } |
| 315 | 329 | |
| 316 | 330 | module_init(connlimit_mt_init); |