* [PATCH v5] netfilter: nf_flow_table: count offloaded flows
From: Sven Auhagen @ 2023-03-17 16:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo, abdelrahmanhesham94, ja
Add a per-namespace counter so we know the total number of
offloaded flows.
Change from v4:
* use per cpu counters instead of an atomic variable
Change from v3:
* seq_file_net has to be seq_file_single_net
Change from v2:
* Add remove proc entry on nf_flow_table_fini_proc
* Syntax fixes
Change from v1:
* Cleanup proc entries in case of an error
Signed-off-by: Abdelrahman Morsy <abdelrahman.morsy@voleatech.de>
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
index 1c5fc657e267..1496a6af6ac4 100644
--- a/include/net/netns/flow_table.h
+++ b/include/net/netns/flow_table.h
@@ -6,6 +6,8 @@ struct nf_flow_table_stat {
unsigned int count_wq_add;
unsigned int count_wq_del;
unsigned int count_wq_stats;
+ unsigned int count_flowoffload_add;
+ unsigned int count_flowoffload_del;
};
struct netns_ft {
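Review bot: The two new fields in `struct nf_flow_table_stat` have no comment saying they are free-running per-CPU totals, so a reader could take either one for a live count. Only the difference of the sums over all CPUs is meaningful. Because the increments later in the patch are per-CPU, one CPU's `count_flowoffload_del` may well exceed its own `count_flowoffload_add`. I would add above them `/* free-running; live flows = sum(add) - sum(del) over all CPUs */`. The struct opens above this hunk.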
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 81c26a96c30b..d6bc8f0ff51d 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -282,6 +282,7 @@ unsigned long flow_offload_get_timeout(struct flow_offload *flow)
int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
{
+ struct net *net;
int err;
flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
@@ -304,6 +305,9 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
nf_ct_offload_timeout(flow->ct);
+ net = read_pnet(&flow_table->net);
+ NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count_flowoffload_add);
+
if (nf_flowtable_hw_offload(flow_table)) {
__set_bit(NF_FLOW_HW, &flow->flags);
nf_flow_offload_add(flow_table, flow);
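Review bot: `count_flowoffload_add` is incremented before the `nf_flowtable_hw_offload()` test, so it counts every flow entered into the flowtable, not only those pushed to hardware, and nothing here says so. A comment on the increment would keep the exported value from being read as a hardware-offload count, for example `/* counts software and hardware flowtable entries alike */`. The insert path and its error returns lie outside the hunk, so whether this line is reached only after a successful insert cannot be confirmed from here.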
@@ -339,6 +343,8 @@ static inline bool nf_flow_has_expired(const struct flow_offload *flow)
static void flow_offload_del(struct nf_flowtable *flow_table,
struct flow_offload *flow)
{
+ struct net *net = read_pnet(&flow_table->net);
+
rhashtable_remove_fast(&flow_table->rhashtable,
&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node,
nf_flow_offload_rhash_params);
@@ -346,6 +352,8 @@ static void flow_offload_del(struct nf_flowtable *flow_table,
&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node,
nf_flow_offload_rhash_params);
flow_offload_free(flow);
+
+ NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count_flowoffload_del);
}
void flow_offload_teardown(struct flow_offload *flow)
diff --git a/net/netfilter/nf_flow_table_procfs.c b/net/netfilter/nf_flow_table_procfs.c
index 159b033a43e6..c4d15bd1a0f0 100644
--- a/net/netfilter/nf_flow_table_procfs.c
+++ b/net/netfilter/nf_flow_table_procfs.c
@@ -64,17 +64,49 @@ static const struct seq_operations nf_flow_table_cpu_seq_ops = {
.show = nf_flow_table_cpu_seq_show,
};
+static int nf_flow_table_counter_show(struct seq_file *seq, void *v)
+{
+ struct net *net = seq_file_single_net(seq);
+ struct nf_flow_table_stat *st;
+ unsigned int counter_add = 0;
+ unsigned int counter_del = 0;
+ int cpu;
+
+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
+ if (!cpu_possible(cpu))
+ continue;
+
+ st = per_cpu_ptr(net->ft.stat, cpu);
+ counter_add += st->count_flowoffload_add;
+ counter_del += st->count_flowoffload_del;
+ }
+
+ seq_printf(seq, "%d\n",
+ (counter_add - counter_del)
+ );
+ return 0;
+}
+
int nf_flow_table_init_proc(struct net *net)
{
- struct proc_dir_entry *pde;
+ if (!proc_create_net("nf_flowtable", 0444, net->proc_net_stat,
+ &nf_flow_table_cpu_seq_ops, sizeof(struct seq_net_private)))
+ goto err;
- pde = proc_create_net("nf_flowtable", 0444, net->proc_net_stat,
- &nf_flow_table_cpu_seq_ops,
- sizeof(struct seq_net_private));
- return pde ? 0 : -ENOMEM;
+ if (!proc_create_net_single("nf_flowtable_counter", 0444,
+ net->proc_net, nf_flow_table_counter_show, NULL))
+ goto err_net;
+
+ return 0;
+
+err_net:
+ remove_proc_entry("nf_flowtable", net->proc_net_stat);
+err:
+ return -ENOMEM;
}
void nf_flow_table_fini_proc(struct net *net)
{
remove_proc_entry("nf_flowtable", net->proc_net_stat);
+ remove_proc_entry("nf_flowtable_counter", net->proc_net);
}
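Review bot: `nf_flow_table_counter_show()` prints an `unsigned int` difference with `%d`; the call should be `seq_printf(seq, "%u\n", counter_add - counter_del);`. The per-CPU fields are summed without synchronisation against concurrent adds and deletes, so in principle a delete can be seen while its add is missed. That reads as -1 today and as 4294967295 once the format is corrected, so either clamp that case to 0 or document the file as an approximate snapshot. The open-coded `for (cpu = 0; cpu < nr_cpu_ids; cpu++)` with its `cpu_possible()` test is what `for_each_possible_cpu(cpu)` already does. The new entry is also created 0444 under `net->proc_net`, so any user in the namespace can read the live flow count; worth confirming that exposure is intended.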
--
2.33.1
* Re: [PATCH v5] netfilter: nf_flow_table: count offloaded flows
From: Florian Westphal @ 2023-04-03 8:29 UTC (permalink / raw)
To: Sven Auhagen; +Cc: netfilter-devel, pablo, abdelrahmanhesham94, ja
Sven Auhagen <Sven.Auhagen@voleatech.de> wrote:
> Change from v4:
> * use per cpu counters instead of an atomic variable
> diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
> index 1c5fc657e267..1496a6af6ac4 100644
> --- a/include/net/netns/flow_table.h
> +++ b/include/net/netns/flow_table.h
> @@ -6,6 +6,8 @@ struct nf_flow_table_stat {
> unsigned int count_wq_add;
> unsigned int count_wq_del;
> unsigned int count_wq_stats;
> + unsigned int count_flowoffload_add;
> + unsigned int count_flowoffload_del;
Do we really need new global stats for this?
Would it be possible to instead expose the existing ht->nelems during
flowtable netlink dumps?
This way we do not need any new counters.
* Re: [PATCH v5] netfilter: nf_flow_table: count offloaded flows
From: Pablo Neira Ayuso @ 2023-04-03 8:33 UTC (permalink / raw)
To: Florian Westphal; +Cc: Sven Auhagen, netfilter-devel, abdelrahmanhesham94, ja
On Mon, Apr 03, 2023 at 10:29:47AM +0200, Florian Westphal wrote:
> Sven Auhagen <Sven.Auhagen@voleatech.de> wrote:
> > Change from v4:
> > * use per cpu counters instead of an atomic variable
>
> > diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
> > index 1c5fc657e267..1496a6af6ac4 100644
> > --- a/include/net/netns/flow_table.h
> > +++ b/include/net/netns/flow_table.h
> > @@ -6,6 +6,8 @@ struct nf_flow_table_stat {
> > unsigned int count_wq_add;
> > unsigned int count_wq_del;
> > unsigned int count_wq_stats;
> > + unsigned int count_flowoffload_add;
> > + unsigned int count_flowoffload_del;
>
> Do we really need new global stats for this?
>
> Would it be possible to instead expose the existing ht->nelems during
> flowtable netlink dumps?
>
> This way we do not need any new counters.
I would prefer a netlink interface for this too.
* Re: [PATCH v5] netfilter: nf_flow_table: count offloaded flows
From: Pablo Neira Ayuso @ 2023-04-03 8:50 UTC (permalink / raw)
To: Florian Westphal; +Cc: Sven Auhagen, netfilter-devel, abdelrahmanhesham94, ja
On Mon, Apr 03, 2023 at 10:33:11AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Apr 03, 2023 at 10:29:47AM +0200, Florian Westphal wrote:
> > Sven Auhagen <Sven.Auhagen@voleatech.de> wrote:
> > > Change from v4:
> > > * use per cpu counters instead of an atomic variable
> >
> > > diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
> > > index 1c5fc657e267..1496a6af6ac4 100644
> > > --- a/include/net/netns/flow_table.h
> > > +++ b/include/net/netns/flow_table.h
> > > @@ -6,6 +6,8 @@ struct nf_flow_table_stat {
> > > unsigned int count_wq_add;
> > > unsigned int count_wq_del;
> > > unsigned int count_wq_stats;
> > > + unsigned int count_flowoffload_add;
> > > + unsigned int count_flowoffload_del;
> >
> > Do we really need new global stats for this?
> >
> > Would it be possible to instead expose the existing ht->nelems during
> > flowtable netlink dumps?
> >
> > This way we do not need any new counters.
>
> I would prefer a netlink interface for this too.
I can post a sketch code to make it easier for v6.
* Re: [PATCH v5] netfilter: nf_flow_table: count offloaded flows
From: Sven Auhagen @ 2023-04-03 8:53 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Florian Westphal, netfilter-devel, abdelrahmanhesham94, ja
On Mon, Apr 03, 2023 at 10:50:47AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Apr 03, 2023 at 10:33:11AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Apr 03, 2023 at 10:29:47AM +0200, Florian Westphal wrote:
> > > Sven Auhagen <Sven.Auhagen@voleatech.de> wrote:
> > > > Change from v4:
> > > > * use per cpu counters instead of an atomic variable
> > >
> > > > diff --git a/include/net/netns/flow_table.h b/include/net/netns/flow_table.h
> > > > index 1c5fc657e267..1496a6af6ac4 100644
> > > > --- a/include/net/netns/flow_table.h
> > > > +++ b/include/net/netns/flow_table.h
> > > > @@ -6,6 +6,8 @@ struct nf_flow_table_stat {
> > > > unsigned int count_wq_add;
> > > > unsigned int count_wq_del;
> > > > unsigned int count_wq_stats;
> > > > + unsigned int count_flowoffload_add;
> > > > + unsigned int count_flowoffload_del;
> > >
> > > Do we really need new global stats for this?
> > >
> > > Would it be possible to instead expose the existing ht->nelems during
> > > flowtable netlink dumps?
> > >
> > > This way we do not need any new counters.
> >
> > I would prefer a netlink interface for this too.
>
> I can post a sketch code to make it easier for v6.
That would be much appreciated.
If you have a recent example how to add a new attribute to the
netlink interface, that would work too.