* [PATCH nf-next 1/2] netfilter: nft_counter: split out counters from nft_counter
@ 2015-06-18 18:21 Pablo Neira Ayuso
2015-06-18 18:21 ` [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-18 18:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, fw, eric.dumazet
This patch comes in preparation to the percpu support, so struct nft_counter
only contains the byte and packet counter fields that can be reused.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_counter.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index 1759123..ad78fda 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -18,34 +18,38 @@
#include <net/netfilter/nf_tables.h>
struct nft_counter {
- seqlock_t lock;
- u64 bytes;
- u64 packets;
+ u64 bytes;
+ u64 packets;
+};
+
+struct nft_counter_priv {
+ seqlock_t lock;
+ struct nft_counter counter;
};
static void nft_counter_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
- struct nft_counter *priv = nft_expr_priv(expr);
+ struct nft_counter_priv *priv = nft_expr_priv(expr);
write_seqlock_bh(&priv->lock);
- priv->bytes += pkt->skb->len;
- priv->packets++;
+ priv->counter.bytes += pkt->skb->len;
+ priv->counter.packets++;
write_sequnlock_bh(&priv->lock);
}
static int nft_counter_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
- struct nft_counter *priv = nft_expr_priv(expr);
+ struct nft_counter_priv *priv = nft_expr_priv(expr);
unsigned int seq;
u64 bytes;
u64 packets;
do {
seq = read_seqbegin(&priv->lock);
- bytes = priv->bytes;
- packets = priv->packets;
+ bytes = priv->counter.bytes;
+ packets = priv->counter.packets;
} while (read_seqretry(&priv->lock, seq));
if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(bytes)))
@@ -67,12 +71,14 @@ static int nft_counter_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
{
- struct nft_counter *priv = nft_expr_priv(expr);
+ struct nft_counter_priv *priv = nft_expr_priv(expr);
if (tb[NFTA_COUNTER_PACKETS])
- priv->packets = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
+ priv->counter.packets =
+ be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
if (tb[NFTA_COUNTER_BYTES])
- priv->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
+ priv->counter.bytes =
+ be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
seqlock_init(&priv->lock);
return 0;
@@ -81,7 +87,7 @@ static int nft_counter_init(const struct nft_ctx *ctx,
static struct nft_expr_type nft_counter_type;
static const struct nft_expr_ops nft_counter_ops = {
.type = &nft_counter_type,
- .size = NFT_EXPR_SIZE(sizeof(struct nft_counter)),
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_counter_priv)),
.eval = nft_counter_eval,
.init = nft_counter_init,
.dump = nft_counter_dump,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support
2015-06-18 18:21 [PATCH nf-next 1/2] netfilter: nft_counter: split out counters from nft_counter Pablo Neira Ayuso
@ 2015-06-18 18:21 ` Pablo Neira Ayuso
2015-06-18 22:25 ` Patrick McHardy
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-18 18:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, fw, eric.dumazet
This patch adds rule per-cpu counters. This introduces a new NFTA_COUNTER_TYPE
netlink attribute to indicate the type of counters to be used. The default is
the compact seqlock representation for compatibility.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 14 ++++
net/netfilter/nft_counter.c | 129 +++++++++++++++++++++++++++++-
2 files changed, 139 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index a99e6a9..da3b505 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -771,15 +771,29 @@ enum nft_limit_attributes {
#define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1)
/**
+ * enum nft_counter_types - nf_tables counter types
+ *
+ * @NFT_COUNTER_DEFAULT: default seqlock counter
+ * @NFT_COUNTER_PERCPU: percpu counter
+ */
+enum nft_counter_types {
+ NFT_COUNTER_DEFAULT = 0,
+ NFT_COUNTER_PERCPU,
+ NFT_COUNTER_MAX
+};
+
+/**
* enum nft_counter_attributes - nf_tables counter expression netlink attributes
*
* @NFTA_COUNTER_BYTES: number of bytes (NLA_U64)
* @NFTA_COUNTER_PACKETS: number of packets (NLA_U64)
+ * @NFTA_COUNTER_TYPE: counter type (NLA_U32: nft_counter_types)
*/
enum nft_counter_attributes {
NFTA_COUNTER_UNSPEC,
NFTA_COUNTER_BYTES,
NFTA_COUNTER_PACKETS,
+ NFTA_COUNTER_TYPE,
__NFTA_COUNTER_MAX
};
#define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1)
diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c
index ad78fda..6fcb0e9d 100644
--- a/net/netfilter/nft_counter.c
+++ b/net/netfilter/nft_counter.c
@@ -52,9 +52,9 @@ static int nft_counter_dump(struct sk_buff *skb, const struct nft_expr *expr)
packets = priv->counter.packets;
} while (read_seqretry(&priv->lock, seq));
- if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(bytes)))
- goto nla_put_failure;
- if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(packets)))
+ if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(bytes)) ||
+ nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(packets)) ||
+ nla_put_be32(skb, NFTA_COUNTER_TYPE, htonl(NFT_COUNTER_DEFAULT)))
goto nla_put_failure;
return 0;
@@ -65,6 +65,7 @@ nla_put_failure:
static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
[NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
[NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
+ [NFTA_COUNTER_TYPE] = { .type = NLA_U32 },
};
static int nft_counter_init(const struct nft_ctx *ctx,
@@ -93,9 +94,129 @@ static const struct nft_expr_ops nft_counter_ops = {
.dump = nft_counter_dump,
};
+struct nft_counter_percpu_priv {
+ struct nft_counter_percpu __percpu *counter;
+};
+
+struct nft_counter_percpu {
+ struct nft_counter counter;
+ struct u64_stats_sync syncp;
+};
+
+static int nft_counter_percpu_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
+{
+ struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+ struct nft_counter_percpu __percpu *cpu_stats;
+ struct nft_counter_percpu *this_cpu;
+
+ cpu_stats = netdev_alloc_pcpu_stats(struct nft_counter_percpu);
+ if (cpu_stats == NULL)
+ return ENOMEM;
+
+ preempt_disable();
+ this_cpu = this_cpu_ptr(cpu_stats);
+ if (tb[NFTA_COUNTER_PACKETS]) {
+ this_cpu->counter.packets =
+ be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
+ }
+ if (tb[NFTA_COUNTER_BYTES]) {
+ this_cpu->counter.bytes =
+ be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
+ }
+ preempt_enable();
+
+ priv->counter = cpu_stats;
+
+ return 0;
+}
+
+static void nft_counter_percpu_destroy(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+
+ free_percpu(priv->counter);
+}
+
+static void nft_counter_percpu_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+ struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+ struct nft_counter_percpu *this_cpu;
+
+ this_cpu = this_cpu_ptr(priv->counter);
+ this_cpu->counter.bytes += pkt->skb->len;
+ this_cpu->counter.packets++;
+}
+
+static int nft_counter_percpu_dump(struct sk_buff *skb,
+ const struct nft_expr *expr)
+{
+ struct nft_counter_percpu_priv *priv = nft_expr_priv(expr);
+ struct nft_counter_percpu *cpu_stats;
+ struct nft_counter total;
+ u64 bytes, packets;
+ unsigned int seq;
+ int cpu;
+
+ memset(&total, 0, sizeof(total));
+ for_each_possible_cpu(cpu) {
+ cpu_stats = per_cpu_ptr(priv->counter, cpu);
+ do {
+ bytes = cpu_stats->counter.bytes;
+ packets = cpu_stats->counter.packets;
+ } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
+
+ total.packets += packets;
+ total.bytes += bytes;
+ }
+
+ if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes)) ||
+ nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.packets)) ||
+ nla_put_be32(skb, NFTA_COUNTER_TYPE, htonl(NFT_COUNTER_PERCPU)))
+ goto nla_put_failure;
+
+ return 0;
+
+nla_put_failure:
+ return -1;
+}
+
+static const struct nft_expr_ops nft_counter_percpu_ops = {
+ .type = &nft_counter_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_counter_percpu_priv)),
+ .eval = nft_counter_percpu_eval,
+ .init = nft_counter_percpu_init,
+ .destroy = nft_counter_percpu_destroy,
+ .dump = nft_counter_percpu_dump,
+};
+
+static const struct nft_expr_ops *
+nft_counter_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+{
+ u32 type;
+
+ if (tb[NFTA_COUNTER_TYPE]) {
+ type = ntohl(nla_get_be32(tb[NFTA_COUNTER_TYPE]));
+ switch (type) {
+ case NFT_COUNTER_DEFAULT:
+ return &nft_counter_ops;
+ case NFT_COUNTER_PERCPU:
+ return &nft_counter_percpu_ops;
+ default:
+ return ERR_PTR(-EINVAL);
+ }
+ }
+ return &nft_counter_ops;
+}
+
static struct nft_expr_type nft_counter_type __read_mostly = {
.name = "counter",
- .ops = &nft_counter_ops,
+ .select_ops = &nft_counter_select_ops,
.policy = nft_counter_policy,
.maxattr = NFTA_COUNTER_MAX,
.flags = NFT_EXPR_STATEFUL,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support
2015-06-18 18:21 ` [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support Pablo Neira Ayuso
@ 2015-06-18 22:25 ` Patrick McHardy
2015-06-19 9:25 ` Pablo Neira Ayuso
0 siblings, 1 reply; 5+ messages in thread
From: Patrick McHardy @ 2015-06-18 22:25 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, fw, eric.dumazet
On 18.06, Pablo Neira Ayuso wrote:
> This patch adds rule per-cpu counters. This introduces a new NFTA_COUNTER_TYPE
> netlink attribute to indicate the type of counters to be used. The default is
> the compact seqlock representation for compatibility.
I don't think that userspace should care about the implementation details.
I'd just switch to percpu unconditionally.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support
2015-06-19 9:25 ` Pablo Neira Ayuso
@ 2015-06-19 9:22 ` Patrick McHardy
0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2015-06-19 9:22 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, fw, eric.dumazet
On 19.06, Pablo Neira Ayuso wrote:
> On Fri, Jun 19, 2015 at 12:25:30AM +0200, Patrick McHardy wrote:
> > On 18.06, Pablo Neira Ayuso wrote:
> > > This patch adds rule per-cpu counters. This introduces a new NFTA_COUNTER_TYPE
> > > netlink attribute to indicate the type of counters to be used. The default is
> > > the compact seqlock representation for compatibility.
> >
> > I don't think that userspace should care about the implementation details.
> > I'd just switch to percpu unconditionally.
>
> Will send a v2.
>
> I can't find a use-case for the compact memory representation of the
> seqlock counter, but if that ever happens we can go back to this type
> attribute so the user can select.
I agree. Thanks!
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support
2015-06-18 22:25 ` Patrick McHardy
@ 2015-06-19 9:25 ` Pablo Neira Ayuso
2015-06-19 9:22 ` Patrick McHardy
0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 9:25 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, fw, eric.dumazet
On Fri, Jun 19, 2015 at 12:25:30AM +0200, Patrick McHardy wrote:
> On 18.06, Pablo Neira Ayuso wrote:
> > This patch adds rule per-cpu counters. This introduces a new NFTA_COUNTER_TYPE
> > netlink attribute to indicate the type of counters to be used. The default is
> > the compact seqlock representation for compatibility.
>
> I don't think that userspace should care about the implementation details.
> I'd just switch to percpu unconditionally.
Will send a v2.
I can't find a use-case for the compact memory representation of the
seqlock counter, but if that ever happens we can go back to this type
attribute so the user can select.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-06-19 9:22 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-06-18 18:21 [PATCH nf-next 1/2] netfilter: nft_counter: split out counters from nft_counter Pablo Neira Ayuso
2015-06-18 18:21 ` [PATCH nf-next 2/2] netfilter: nft_counter: add per-cpu support Pablo Neira Ayuso
2015-06-18 22:25 ` Patrick McHardy
2015-06-19 9:25 ` Pablo Neira Ayuso
2015-06-19 9:22 ` Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.