* [PATCH nf,v2] netfilter: flowtable: add nf_flowtable_time_stamp
@ 2020-01-05 19:10 Pablo Neira Ayuso
2020-01-06 3:40 ` wenxu
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-05 19:10 UTC (permalink / raw)
To: netfilter-devel
This patch adds nf_flowtable_time_stamp and updates the existing code to
use it.
This patch is also implicitly fixing up hardware statistic fetching via
nf_flow_offload_stats() where casting to u32 is missing. Use
nf_flow_timeout_delta() to fix this.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: use nf_flow_timeout_delta()
include/net/netfilter/nf_flow_table.h | 6 ++++++
net/netfilter/nf_flow_table_core.c | 7 +------
net/netfilter/nf_flow_table_ip.c | 4 ++--
net/netfilter/nf_flow_table_offload.c | 4 ++--
4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index f0897b3c97fb..03cc74bb2598 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -106,6 +106,12 @@ struct flow_offload {
};
#define NF_FLOW_TIMEOUT (30 * HZ)
+#define nf_flowtable_time_stamp (u32)jiffies
+
+static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
+{
+ return (__s32)(timeout - (u32)jiffies);
+}
struct nf_flow_route {
struct {
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 9889d52eda82..e33a73cb1f42 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -134,11 +134,6 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
-static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
-{
- return (__s32)(timeout - (u32)jiffies);
-}
-
static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
{
const struct nf_conntrack_l4proto *l4proto;
@@ -232,7 +227,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
{
int err;
- flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
+ flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
err = rhashtable_insert_fast(&flow_table->rhashtable,
&flow->tuplehash[0].node,
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index b9e7dd6e60ce..7ea2ddc2aa93 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -280,7 +280,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
return NF_DROP;
- flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
+ flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
iph = ip_hdr(skb);
ip_decrease_ttl(iph);
skb->tstamp = 0;
@@ -509,7 +509,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
return NF_DROP;
- flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
+ flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
ip6h = ipv6_hdr(skb);
ip6h->hop_limit--;
skb->tstamp = 0;
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 6c162c954c4f..d06969af1085 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -781,9 +781,9 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable,
struct flow_offload *flow)
{
struct flow_offload_work *offload;
- s64 delta;
+ __s32 delta;
- delta = flow->timeout - jiffies;
+ delta = nf_flow_timeout_delta(flow->timeout);
if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10) ||
flow->flags & FLOW_OFFLOAD_HW_DYING)
return;
--
2.11.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH nf,v2] netfilter: flowtable: add nf_flowtable_time_stamp
2020-01-05 19:10 [PATCH nf,v2] netfilter: flowtable: add nf_flowtable_time_stamp Pablo Neira Ayuso
@ 2020-01-06 3:40 ` wenxu
0 siblings, 0 replies; 2+ messages in thread
From: wenxu @ 2020-01-06 3:40 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel
On 1/6/2020 3:10 AM, Pablo Neira Ayuso wrote:
> This patch adds nf_flowtable_time_stamp and updates the existing code to
> use it.
>
> This patch is also implicitly fixing up hardware statistic fetching via
> nf_flow_offload_stats() where casting to u32 is missing. Use
> nf_flow_timeout_delta() to fix this.
>
> Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> v2: use nf_flow_timeout_delta()
>
> include/net/netfilter/nf_flow_table.h | 6 ++++++
> net/netfilter/nf_flow_table_core.c | 7 +------
> net/netfilter/nf_flow_table_ip.c | 4 ++--
> net/netfilter/nf_flow_table_offload.c | 4 ++--
> 4 files changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
> index f0897b3c97fb..03cc74bb2598 100644
> --- a/include/net/netfilter/nf_flow_table.h
> +++ b/include/net/netfilter/nf_flow_table.h
> @@ -106,6 +106,12 @@ struct flow_offload {
> };
>
> #define NF_FLOW_TIMEOUT (30 * HZ)
> +#define nf_flowtable_time_stamp (u32)jiffies
> +
> +static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
> +{
> + return (__s32)(timeout - (u32)jiffies);
Maybe this also can replace (u32)jiffies to nf_flowtable_time_stamp.
> +}
>
> struct nf_flow_route {
> struct {
> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
> index 9889d52eda82..e33a73cb1f42 100644
> --- a/net/netfilter/nf_flow_table_core.c
> +++ b/net/netfilter/nf_flow_table_core.c
> @@ -134,11 +134,6 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
> #define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
> #define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
>
> -static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
> -{
> - return (__s32)(timeout - (u32)jiffies);
> -}
> -
> static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
> {
> const struct nf_conntrack_l4proto *l4proto;
> @@ -232,7 +227,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
> {
> int err;
>
> - flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
> + flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
>
> err = rhashtable_insert_fast(&flow_table->rhashtable,
> &flow->tuplehash[0].node,
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> index b9e7dd6e60ce..7ea2ddc2aa93 100644
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -280,7 +280,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
> if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
> return NF_DROP;
>
> - flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
> + flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
> iph = ip_hdr(skb);
> ip_decrease_ttl(iph);
> skb->tstamp = 0;
> @@ -509,7 +509,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
> if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
> return NF_DROP;
>
> - flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
> + flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
> ip6h = ipv6_hdr(skb);
> ip6h->hop_limit--;
> skb->tstamp = 0;
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index 6c162c954c4f..d06969af1085 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -781,9 +781,9 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable,
> struct flow_offload *flow)
> {
> struct flow_offload_work *offload;
> - s64 delta;
> + __s32 delta;
>
> - delta = flow->timeout - jiffies;
> + delta = nf_flow_timeout_delta(flow->timeout);
> if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10) ||
> flow->flags & FLOW_OFFLOAD_HW_DYING)
> return;
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-01-06 3:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-05 19:10 [PATCH nf,v2] netfilter: flowtable: add nf_flowtable_time_stamp Pablo Neira Ayuso
2020-01-06 3:40 ` wenxu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.