diff options
| author | Krzysztof Piotr Oledzki <ole@ans.pl> | 2008-07-21 13:01:34 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-07-21 13:10:58 -0400 |
| commit | 584015727a3b88b46602b20077b46cd04f8b4ab3 (patch) | |
| tree | a9b4ec18e2181e03ee24b59b30f7408bcbcf140c /include | |
| parent | 07a7c1070ed382ad4562e3a0d453fd2001d92f7b (diff) | |
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/netfilter/nf_conntrack_common.h | 8 | ||||
| -rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 8 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack.h | 6 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_acct.h | 51 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_extend.h | 2 |
5 files changed, 58 insertions, 17 deletions
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index bad1eb760f61..885cbe282260 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h | |||
| @@ -122,7 +122,7 @@ enum ip_conntrack_events | |||
| 122 | IPCT_NATINFO_BIT = 10, | 122 | IPCT_NATINFO_BIT = 10, |
| 123 | IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), | 123 | IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), |
| 124 | 124 | ||
| 125 | /* Counter highest bit has been set */ | 125 | /* Counter highest bit has been set, unused */ |
| 126 | IPCT_COUNTER_FILLING_BIT = 11, | 126 | IPCT_COUNTER_FILLING_BIT = 11, |
| 127 | IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), | 127 | IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), |
| 128 | 128 | ||
| @@ -145,12 +145,6 @@ enum ip_conntrack_expect_events { | |||
| 145 | }; | 145 | }; |
| 146 | 146 | ||
| 147 | #ifdef __KERNEL__ | 147 | #ifdef __KERNEL__ |
| 148 | struct ip_conntrack_counter | ||
| 149 | { | ||
| 150 | u_int32_t packets; | ||
| 151 | u_int32_t bytes; | ||
| 152 | }; | ||
| 153 | |||
| 154 | struct ip_conntrack_stat | 148 | struct ip_conntrack_stat |
| 155 | { | 149 | { |
| 156 | unsigned int searched; | 150 | unsigned int searched; |
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 759bc043dc65..c19595c89304 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -115,10 +115,10 @@ enum ctattr_protoinfo_sctp { | |||
| 115 | 115 | ||
| 116 | enum ctattr_counters { | 116 | enum ctattr_counters { |
| 117 | CTA_COUNTERS_UNSPEC, | 117 | CTA_COUNTERS_UNSPEC, |
| 118 | CTA_COUNTERS_PACKETS, /* old 64bit counters */ | 118 | CTA_COUNTERS_PACKETS, /* 64bit counters */ |
| 119 | CTA_COUNTERS_BYTES, /* old 64bit counters */ | 119 | CTA_COUNTERS_BYTES, /* 64bit counters */ |
| 120 | CTA_COUNTERS32_PACKETS, | 120 | CTA_COUNTERS32_PACKETS, /* old 32bit counters, unused */ |
| 121 | CTA_COUNTERS32_BYTES, | 121 | CTA_COUNTERS32_BYTES, /* old 32bit counters, unused */ |
| 122 | __CTA_COUNTERS_MAX | 122 | __CTA_COUNTERS_MAX |
| 123 | }; | 123 | }; |
| 124 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) | 124 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) |
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 8f5b75734dd0..0741ad592da0 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
| @@ -88,7 +88,6 @@ struct nf_conn_help { | |||
| 88 | u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; | 88 | u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; |
| 89 | }; | 89 | }; |
| 90 | 90 | ||
| 91 | |||
| 92 | #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> | 91 | #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> |
| 93 | #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> | 92 | #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> |
| 94 | 93 | ||
| @@ -111,11 +110,6 @@ struct nf_conn | |||
| 111 | /* Timer function; drops refcnt when it goes off. */ | 110 | /* Timer function; drops refcnt when it goes off. */ |
| 112 | struct timer_list timeout; | 111 | struct timer_list timeout; |
| 113 | 112 | ||
| 114 | #ifdef CONFIG_NF_CT_ACCT | ||
| 115 | /* Accounting Information (same cache line as other written members) */ | ||
| 116 | struct ip_conntrack_counter counters[IP_CT_DIR_MAX]; | ||
| 117 | #endif | ||
| 118 | |||
| 119 | #if defined(CONFIG_NF_CONNTRACK_MARK) | 113 | #if defined(CONFIG_NF_CONNTRACK_MARK) |
| 120 | u_int32_t mark; | 114 | u_int32_t mark; |
| 121 | #endif | 115 | #endif |
diff --git a/include/net/netfilter/nf_conntrack_acct.h b/include/net/netfilter/nf_conntrack_acct.h new file mode 100644 index 000000000000..5d5ae55d54c4 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_acct.h | |||
| @@ -0,0 +1,51 @@ | |||
| 1 | /* | ||
| 2 | * (C) 2008 Krzysztof Piotr Oledzki <ole@ans.pl> | ||
| 3 | * | ||
| 4 | * This program is free software; you can redistribute it and/or modify | ||
| 5 | * it under the terms of the GNU General Public License version 2 as | ||
| 6 | * published by the Free Software Foundation. | ||
| 7 | */ | ||
| 8 | |||
| 9 | #ifndef _NF_CONNTRACK_ACCT_H | ||
| 10 | #define _NF_CONNTRACK_ACCT_H | ||
| 11 | #include <linux/netfilter/nf_conntrack_common.h> | ||
| 12 | #include <linux/netfilter/nf_conntrack_tuple_common.h> | ||
| 13 | #include <net/netfilter/nf_conntrack.h> | ||
| 14 | #include <net/netfilter/nf_conntrack_extend.h> | ||
| 15 | |||
| 16 | struct nf_conn_counter { | ||
| 17 | u_int64_t packets; | ||
| 18 | u_int64_t bytes; | ||
| 19 | }; | ||
| 20 | |||
| 21 | extern int nf_ct_acct; | ||
| 22 | |||
| 23 | static inline | ||
| 24 | struct nf_conn_counter *nf_conn_acct_find(const struct nf_conn *ct) | ||
| 25 | { | ||
| 26 | return nf_ct_ext_find(ct, NF_CT_EXT_ACCT); | ||
| 27 | } | ||
| 28 | |||
| 29 | static inline | ||
| 30 | struct nf_conn_counter *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp) | ||
| 31 | { | ||
| 32 | struct nf_conn_counter *acct; | ||
| 33 | |||
| 34 | if (!nf_ct_acct) | ||
| 35 | return NULL; | ||
| 36 | |||
| 37 | acct = nf_ct_ext_add(ct, NF_CT_EXT_ACCT, gfp); | ||
| 38 | if (!acct) | ||
| 39 | pr_debug("failed to add accounting extension area"); | ||
| 40 | |||
| 41 | |||
| 42 | return acct; | ||
| 43 | }; | ||
| 44 | |||
| 45 | extern unsigned int | ||
| 46 | seq_print_acct(struct seq_file *s, const struct nf_conn *ct, int dir); | ||
| 47 | |||
| 48 | extern int nf_conntrack_acct_init(void); | ||
| 49 | extern void nf_conntrack_acct_fini(void); | ||
| 50 | |||
| 51 | #endif /* _NF_CONNTRACK_ACCT_H */ | ||
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index f80c0ed6d870..da8ee52613a5 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h | |||
| @@ -7,11 +7,13 @@ enum nf_ct_ext_id | |||
| 7 | { | 7 | { |
| 8 | NF_CT_EXT_HELPER, | 8 | NF_CT_EXT_HELPER, |
| 9 | NF_CT_EXT_NAT, | 9 | NF_CT_EXT_NAT, |
| 10 | NF_CT_EXT_ACCT, | ||
| 10 | NF_CT_EXT_NUM, | 11 | NF_CT_EXT_NUM, |
| 11 | }; | 12 | }; |
| 12 | 13 | ||
| 13 | #define NF_CT_EXT_HELPER_TYPE struct nf_conn_help | 14 | #define NF_CT_EXT_HELPER_TYPE struct nf_conn_help |
| 14 | #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat | 15 | #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat |
| 16 | #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter | ||
| 15 | 17 | ||
| 16 | /* Extensions: optional stuff which isn't permanently in struct. */ | 18 | /* Extensions: optional stuff which isn't permanently in struct. */ |
| 17 | struct nf_ct_ext { | 19 | struct nf_ct_ext { |